1.4 Key Differences Between the DSfW LDAP Server and the eDirectory Server

Table 1-1 Comparison of DSfW LDAP server and eDirectory server


DSfW LDAP Server

eDirectory Server

LDAP Operations like Search and Modify

Uses Domain Name format. For example: dc=eng, dc= novell.

Uses X.500 format. For example: ou=eng, o=novell.


When DSfW server is configured LDAP requests, such as Search and Modify, to a DSfW server on port 389 or 636 uses domain name format instead of eDirectory X.500 format. LDAP ports 1389 and 1636 are enabled to support LDAP requests using the traditional X.500 format and to behave as eDirectory ports.

eDirectory uses ports 389 and 636 for communication purposes. The format used is X.500.

Semantic Controls

LDAP requests along with LDAP semantic controls (2.16.840.1.113719.1.513.4.5) allow LDAP requests to select X.500 or the domain format.

No support for semantic controls

Schema Addition

Attribute and class mappings are changed for some object classes. For example, User and Group object classes are mapped to user and group; server is mapped to ndsServer User and Group object classes are extended to hold additional Active Directory attributes. For more information, Attribute Mappings and Class Mappings.



Search and Modify, to a DSfW server on port 389 or 636 return only those objects that exist in the partition and do not search beyond the partition boundary. An LDAP referral is returned, but if the calling LDAP application does not support referrals, it fails to search beyond the partition boundary. A search request on global catalog ports (3268, 3269) spans partition boundaries and searches the entire forest. The result set contains only the attributes marked as Partial Attribute Set (PAS).

The search spans across partitions.

Multiple Instances

Not supported.


Support for NT ACLs

No support for NT ACLs.

Directory objects are protected by proven eDirectory ACLs.

Domain Partition

Every DSfW server has a unique domain partition (required by the Active Directory security model).

No concept of domain partition.

For both DSfW server and LDAP server, login authorization and auditing is performed by using NMAS. Data on the wire is encrypted as mandated by the workstations. All keys, including Kerberos and NTLM, are encrypted by using a per attribute NICI key.