Windows 2000 Certificate Services and X.500 Compliant Certificate Authorities (258048)

MORE INFORMATION

The Windows 2000 Active Directory is based upon X.500, but does not implement the full Directory Access Protocol (DAP) described by the X.500 standard. Instead, clients use the Lightweight Directory Access Protocol (LDAP) to use the Active Directory. Additionally, Windows 2000 uses only a subset of the naming attributes for a directory object defined in RFC# 2253: Lightweight Directory Access Protocol (v3):UTF-8 String Representation of Distinguished Names.

The LDAP naming attributes used by Windows 2000 Active Directory are:

Object Class	Naming Attribute Display Name	Naming Attribute LDAP Name
user	Common-Name	cn
organizational unit	Organizational-Unit-Name	ou
domain	Domain-Component	dc

Other naming attributes that are defined by RFC 2253, while not used by Active Directory, are supported by the Microsoft LDAP protocol implementation. These other naming attributes include "o" for Organization name and "c" for country/region name. If a client presents a certificate to Windows 2000 that was issued by a non-Windows 2000 CA, then the CRL Distribution Point (CDP) field may contain an LDAP path that contains the unused naming attributes discussed above (for example, LDAP://ServerName/CN=crlDate,O=xyz,C=US). As long as a full LDAP URL is used (the LDAP:// prefix is included), the CDP field path be processed. If the field instead contains a raw X.500 name (for example, CN=crlDate,O=xyz,C=US), then certificate validation does not work because Windows 2000 cannot convert a raw X.500 name into an LDAP URL.