
Comparison of LDAP and ADSI Security Adapters


This topic outlines the differences in functionality provided by the LDAP and ADSI security adapters. The relative benefits of each type of security adapter are shown in Table 11.

The LDAP security adapter can be used to authenticate against supported LDAP-compliant directories. The LDAP security adapter is also supported for integration with Active Directory and provides most of the functionality offered by the ADSI security adapter. The ADSI security adapter can authenticate against ADSI-compliant directories (Microsoft Active Directory).

For Siebel CRM release 8.0 and higher, it is recommended that you use the LDAP security adapter for authenticating against both Active Directory and LDAP-based external directories.

Table 11. Comparison of LDAP and ADSI Security Adapter Functionality

Functionality: Shared database account credentials can be stored as security adapter profile parameters, eliminating the need for a shared credentials user record in the external directory.
  LDAP Security Adapter: Yes
  LDAP Security Adapter with AD Directory: Yes
  ADSI Security Adapter: No

Functionality: Password expiration warning
  LDAP Security Adapter: No
  LDAP Security Adapter with AD Directory: No
  ADSI Security Adapter: Yes

Functionality: Administration of the directory through Siebel Business Applications (manage user passwords or create new users)
  NOTE: In large implementations, timeout issues can occur, particularly if using the ADSI security adapter.
  LDAP Security Adapter: Yes
  LDAP Security Adapter with AD Directory: Yes, provided that SSL is enabled between the LDAP security adapter and the Active Directory server.
  ADSI Security Adapter: Yes, provided that the Active Directory client can establish a secure connection to the Active Directory server. This can be achieved by:
    • Including all systems in a single Microsoft Windows domain forest
    • Configuring SSL

Functionality: Communication with more than one directory server
  See Communicating With More Than One Authentication Server.

For additional information about LDAP and ADSI security adapter authentication, see About LDAP or ADSI Security Adapter Authentication.

Using the LDAP Security Adapter With Active Directory: Setting the Base DN

If you use the LDAP security adapter with Active Directory, problems can occur if you set the base distinguished name (Base DN), which specifies the root directory under which users are stored, to the root level of the Active Directory.

When the LDAP security adapter searches the Active Directory, it searches everything under the Base DN. If the Base DN is set to the Active Directory root, the LDAP security adapter searches all directory entities, including configuration and schema entities to which the application user does not have access, which causes problems. To avoid these problems, do not set the Base DN to the Active Directory root directory; this recommendation also applies to implementations in which the ADSI security adapter performs the authentication function.
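The following is an added example, not code from the Siebel guide or from Oracle: a small check that flags a configured Base DN which is the Active Directory root (a DN made up only of DC= components), so that the condition described above is caught before the adapter profile is deployed. It assumes the profile value is a plain DN string; the function and parameter names are hypothetical.

```python
"""Added example (not Siebel code): sanity-check an LDAP security adapter
Base DN against the guidance that it must not be the Active Directory root.

Assumptions (not from the Siebel guide): the Base DN is a plain DN string,
and a "root" Base DN is one consisting only of DC= components, which is the
case that makes the adapter search the Configuration and Schema entities.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as 'OU=Users,DC=example,DC=com' into (type, value)
    pairs, honouring backslash-escaped commas inside values."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escaped pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def is_directory_root(base_dn: str) -> bool:
    """True when the Base DN names a domain root: every RDN is a DC= component.
    A subtree search from here also covers entities the application user
    cannot read (configuration and schema), which is what the guide warns about."""
    pairs = parse_dn(base_dn)
    return len(pairs) > 0 and all(attr == "DC" for attr, _ in pairs)


def check_base_dn(base_dn: str) -> str:
    """Return 'ok', or a short warning when the Base DN is the directory root."""
    if is_directory_root(base_dn):
        return ("warning: Base DN is the Active Directory root; the adapter "
                "would search configuration and schema entities the application "
                "user cannot access. Scope it to a container or OU instead.")
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for candidate in ("DC=example,DC=com", "OU=Siebel Users,DC=example,DC=com"):
        print(f"{candidate}: {check_base_dn(candidate)}")
```

Run the script to see the root DN flagged and the OU-scoped DN accepted; the same `check_base_dn` call can be dropped into whatever deployment tooling writes the adapter profile.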

Communicating With More Than One Authentication Server

This topic describes the specific circumstances in which the LDAP and ADSI security adapters can connect to more than one directory server, either to authenticate users in more than one directory, or for failover purposes.

ADSI Security Adapter

The ADSI security adapter does not support authentication of users in different domains or forests and does not support Microsoft Global Catalog functionality. However, the ADSI security adapter can connect to multiple AD servers for authentication or failover purposes provided that the following conditions are met:

  • The Active Directory servers are all in the same domain
  • The Siebel Enterprise is in the same domain as the Active Directory servers

To enable the ADSI security adapter to connect to multiple AD servers, specify the NetBIOS name of the domain containing the Active Directory servers, instead of the name of a specific Active Directory server, for the Server Name parameter of the ADSI security adapter profile.

LDAP Security Adapter

The LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:

  • Failover functionality can be implemented to a limited degree for the LDAP security adapter. To implement failover functionality, specify the names of the primary and secondary servers for the Server Name parameter of the LDAP security adapter profile. For example:

    ServerName=ldap1 ldap2

    If communication cannot be established between the Siebel AOM and the primary LDAP server, failover to the secondary LDAP server occurs. If the AOM can communicate with the primary server, but LDAP functionality on the server is not available, failover to the secondary server does not occur.

  • Oracle provides products, for example, Oracle Virtual Directory, that enable LDAP security adapters to communicate with multiple LDAP-compliant directories and Active Directory directories. For additional information on Oracle Virtual Directory, go to

    http://www.oracle.com/technetwork/testcontent/index-093158.html
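As an added example (not code from the Siebel guide or from Oracle), the following models the limited failover behaviour described above for the `ServerName=ldap1 ldap2` setting: an unreachable primary server causes the adapter to move to the secondary, but a primary that is reachable while its LDAP service is unavailable does not. The connect function is injected so the model runs offline against constructed stand-ins; the server list format (space-separated, tried in order) and all function names are assumptions, not Siebel's implementation.

```python
"""Added example (not Siebel code): a model of the limited failover that
the guide describes for the LDAP security adapter profile value

    ServerName=ldap1 ldap2

Assumptions (not from the Siebel guide): servers are space-separated and
tried in order; only a connection-level failure (host unreachable) moves on
to the next server, while an error after the connection is up (LDAP service
not available) is reported without trying the next server.
"""
from typing import Callable, Dict, List, Optional, Tuple


class LdapUnavailable(Exception):
    """Raised when the host accepts a connection but LDAP is not functional."""


def parse_server_name(value: str) -> List[str]:
    """Split the ServerName profile value into an ordered list of servers."""
    servers = value.split()
    if not servers:
        raise ValueError("ServerName must list at least one server")
    return servers


def connect_with_failover(server_name: str,
                          connect: Callable[[str], object]) -> Tuple[str, object]:
    """Try each server in order. Only ConnectionError (no connection to the
    host) triggers failover; any other error on a reachable server propagates,
    mirroring the caveat in the guide."""
    last_error: Optional[Exception] = None
    for host in parse_server_name(server_name):
        try:
            return host, connect(host)
        except ConnectionError as exc:        # host unreachable: try the next one
            last_error = exc
        # LdapUnavailable is deliberately not caught here, so it propagates
    raise ConnectionError(f"no reachable server in {server_name!r}") from last_error


# --- constructed stand-ins for the scenarios in the guide -------------------
def make_connector(behaviour: Dict[str, str]) -> Callable[[str], object]:
    """behaviour maps host -> 'ok' | 'down' | 'ldap-broken' (constructed data);
    hosts not listed are treated as 'down'."""
    def connect(host: str) -> object:
        state = behaviour.get(host, "down")
        if state == "down":
            raise ConnectionError(f"{host}: connection refused")
        if state == "ldap-broken":
            raise LdapUnavailable(f"{host}: LDAP service not available")
        return f"session@{host}"
    return connect


def scenario_primary_down() -> str:
    """ldap1 unreachable: the adapter fails over to ldap2."""
    host, _ = connect_with_failover(
        "ldap1 ldap2", make_connector({"ldap1": "down", "ldap2": "ok"}))
    return host


def scenario_primary_ldap_broken() -> str:
    """ldap1 reachable but LDAP unavailable: no failover, the error surfaces."""
    try:
        connect_with_failover(
            "ldap1 ldap2", make_connector({"ldap1": "ldap-broken", "ldap2": "ok"}))
    except LdapUnavailable:
        return "no-failover"
    return "failover"


def scenario_all_down() -> str:
    """Neither server reachable: a ConnectionError names the whole list."""
    try:
        connect_with_failover("ldap1 ldap2", make_connector({}))
    except ConnectionError:
        return "unreachable"
    return "connected"


if __name__ == "__main__":
    print("primary down        ->", scenario_primary_down())
    print("primary LDAP broken ->", scenario_primary_ldap_broken())
    print("all down            ->", scenario_all_down())
```

The second scenario is the one worth remembering when planning for availability: because failover is decided at connection level only, a directory server whose host is up but whose LDAP service is not still blocks authentication, which is why the guide points to a virtual directory product for real multi-server support.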

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.