It runs on any platform and is free!
OpenLDAP's biggest strength compared to other LDAP server options is the fact that it can be run on any operating system platform. This strength is complemented by the fact that the entire solution is free. Because the product is free, the support model is informal; but OpenLDAP provides open interaction with the developers, which can be better than formal support.
You have an active part in what you implement, instead of being at the mercy of a cold vendor
Another key strength of OpenLDAP is an openly available code base that you can modify. This strength lends itself to other benefits. For example, you can obtain greater control of performance because you can get closer to the code. Another example is the high degree of interchangeable components that OpenLDAP supports. Being able to choose components such as the backend database is a significant benefit. No other LDAP vendor allows this kind of choice. Another benefit is that you can pool development resources with other organizations to get a commonly desired feature implemented.
A diverse choice of security features is nice
The diversity of security features that OpenLDAP offers is useful. In particular, the variety of access control factors is impressive when compared to a product that implements only a traditional ACL model. But this strength is marred by the service interruption issue noted earlier in this chapter, which hopefully will be addressed in the future.
OpenLDAP is riding a wave of intangibles
A number of intangibles also fall in OpenLDAP's favor. For example, primary contributors to the code have key roles in the current IETF LDAP working groups. OpenLDAP has a sense of historical familiarity: the University of Michigan package was widely used by organizations when LDAP was emerging, and many administrators are already familiar with slapd. OpenLDAP comes with the Red Hat Linux distribution, and many organizations are introduced to it in this way. Finally, OpenLDAP follows the standards closely, which means that long-term stability and interoperability are more assured.
The special features don't compare well
On the negative side, the special features that OpenLDAP provides aren't at all impressive compared to those of other LDAP servers. Some of the basic features that nearly every other package provides, such as server-side sorting of search results (RFC 2891), haven't been implemented.
Inclusion of extra functionality lags behind, and may continue to lag behind, because of the voluntary nature of development. The adage "you get what you pay for" closely fits the comparison of feature sets.
OpenLDAP is a quality package that many organizations are using
Although it may cost nothing, OpenLDAP isn't cheap in quality. The package is extremely resilient and dependable. The developers are constantly looking for ways to improve performance, dependability, and security. One can check the mailing list archives and read about many large deployments that have had little or no trouble running over long periods of time.
Chapter 7. Microsoft Active Directory
Microsoft is among several vendors that have implemented LDAP in the context of supporting a network operating system. Microsoft's Active Directory (AD) uses LDAP to support its directory technology, so a Windows enterprise network has basic directory functionality in addition to many management features. Active Directory is a huge step for Microsoft because it is a departure from the company's traditional model of employing proprietary technology. It is nice to see Microsoft instead use open standards as the basis of its products.
AD requires the Windows platform
Active Directory supplies functionality primarily for Windows 2000 or newer Windows platforms, so this chapter digresses at times to explain basic Windows concepts. This tight reliance on the Windows Server platform makes Active Directory less attractive as a general LDAP server solution. Many organizations prefer to choose their own server platform; after all, one of the biggest strengths of LDAP is its cross-platform integration. However, the LDAP directory underlying Active Directory does interoperate with any cross-platform client, just as it should. Non-Windows LDAP clients can still fully interact with Active Directory entries. Only the advanced features of Active Directory are limited to Windows clients.
AD offers several advanced features that promise to lower management costs
These advanced features, as well as the tight integration with Windows clients, are attractive. The ability to automate software distribution to client computers, integrate public-key certificate management, and have network documents intelligently synchronized for a roaming laptop user are among the features that Active Directory offers to Windows clients only. Other notable features include people-friendly LDAP client integration for Windows clients and an impressive number of extensions to the LDAP server functionality via LDAP controls.
Namespace
An NT4 domain directory offers only authentication
An NT4 domain directory consists of only user, computer, and group entries and is limited to authentication and authorization services. By participating in a Windows NT domain, a computer or user trusts the domain to provide authentication services. Belonging to the domain means you can use the entries in the NT4 domain's directory to control access to your computer and to network resources.
The flat namespace of NT4 is problematic
A Windows NT4 domain directory, which is based on the NetBIOS protocol, has a flat structure with only a single container. This flat namespace leads to many problems with naming conflicts, and administrators have to support both the native NetBIOS name resolution and the Internet-standard DNS resolution. Other problems include limitations on the number of objects in the directory. The NT4 domain directory also did not support LDAP, and interaction with the directory was limited to proprietary methods. This limitation meant that cross-platform integration was difficult.
Active Directory offers authentication, directory, and name resolution services and also provides backward compatibility
In transitioning to Active Directory, Microsoft needed to drastically change much of the underlying technology while still providing backward compatibility with NT4 domains. Active Directory still offers authentication services, both the preexisting authentication services and Kerberos authentication. But the store supporting this activity is now an LDAP directory that is fully hierarchical.
The directory is not limited to user, computer, and group entries. In addition to offering authentication and directory services, Active Directory can offer DNS name resolution services without NetBIOS support. NetBIOS is still supported for backward compatibility, but it isn't required if that compatibility isn't needed.
DNS
Microsoft transitioned from a flat namespace to a hierarchical one by implementing RFC 2247. With Active Directory, Microsoft implemented a DNS-based namespace along with LDAP's hierarchical namespace. RFC 2247 is implemented in Active Directory to provide a close tie between LDAP and DNS: each label of a domain's DNS name becomes one dc= component of the domain's distinguished name. For more details, see the following section, Directory Namespace; for now, focus on the fact that the services supporting each Active Directory domain partition require a DNS zone of their own.
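The RFC 2247 tie between the two namespaces is easy to see in code. The following is an added example, not code from the book or from Microsoft: it maps a DNS domain name to its dc= distinguished name and back, validates the labels, and shows that a child domain's partition sits directly beneath its parent's in both trees. The function names (dns_to_dn, dn_to_dns, is_valid_domain, is_child_partition, forest_layout) and the example forest (example.com with children sales.example.com and eng.example.com) are assumptions chosen for illustration.

```python
"""RFC 2247 mapping between DNS domain names and LDAP distinguished names.

Added example, not from the original page. The helper names and the
sample forest below are assumptions chosen for illustration.
"""
import re

# One DNS label: letters, digits and hyphens, not starting or ending with
# a hyphen, 1-63 octets (the RFC 1035 hostname rule AD applies to domains).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _labels(domain: str) -> list[str]:
    """Split a domain into labels, dropping a trailing root dot."""
    return domain.rstrip(".").split(".")


def is_valid_domain(domain: str) -> bool:
    """True if every label of the domain passes the hostname rule."""
    labels = _labels(domain)
    return bool(labels) and all(_LABEL_RE.match(l) for l in labels)


def dns_to_dn(domain: str) -> str:
    """Map example.com -> dc=example,dc=com (RFC 2247 section 2).

    The leftmost DNS label is the most specific, which matches LDAP's
    leftmost-RDN-is-the-leaf convention, so the label order is preserved.
    Values are lowercased because DNS names are case-insensitive.
    """
    if not is_valid_domain(domain):
        raise ValueError(f"invalid DNS domain name: {domain!r}")
    return ",".join(f"dc={l.lower()}" for l in _labels(domain))


def dn_to_dns(dn: str) -> str:
    """Inverse mapping; accepts only DNs built purely from dc= components."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError(f"not a dc= component: {rdn.strip()!r}")
        if not _LABEL_RE.match(value):
            raise ValueError(f"invalid label in DN: {value!r}")
        labels.append(value.lower())
    return ".".join(labels)


def is_child_partition(child_dn: str, parent_dn: str) -> bool:
    """True if child_dn is exactly one RDN below parent_dn."""
    c = [p.strip().lower() for p in child_dn.split(",")]
    p = [p.strip().lower() for p in parent_dn.split(",")]
    return len(c) == len(p) + 1 and c[1:] == p


def forest_layout(domains: list[str]) -> dict[str, dict]:
    """For each domain partition, give its DN, the DNS zone it needs, and
    the DN of its parent partition when that parent is also in the list."""
    dns = {d: dns_to_dn(d) for d in domains}
    layout = {}
    for domain, dn in dns.items():
        parent = next((p for p in dns.values() if is_child_partition(dn, p)), None)
        layout[domain] = {"dn": dn, "zone": dn_to_dns(dn), "parent_dn": parent}
    return layout


if __name__ == "__main__":
    # Constructed sample forest: one root domain and two child domains.
    for domain, info in forest_layout(
        ["example.com", "sales.example.com", "eng.example.com"]
    ).items():
        print(f"{domain:20} zone={info['zone']:20} dn={info['dn']:35} "
              f"parent={info['parent_dn']}")
```

Each entry in the forest layout corresponds to a separate DNS zone, which is the point the text makes about domain partitions: the zone name and the partition's DN are two spellings of the same hierarchy, and the parent relationship reads the same in both.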