Open LDAP vs. Active Directory
Download as PPTX, PDF4 likes4,810 views
This document compares the directory services OpenLDAP and Active Directory (AD). It finds that OpenLDAP supports more LDAP standards, runs on more platforms, and has significantly better performance than AD, particularly for large user databases. While AD may be easier to use initially, OpenLDAP provides more flexibility, extensibility, and lacks the limitations of AD around schema, data access, indexing, and caching. In conclusion, the document states that while AD excels as a proprietary directory, OpenLDAP is a true standards-compliant LDAP directory.
Open LDAP vs. Active Directory
- 1. <name> Ahmad Haghighi </name> <e-mail> haghighi.ahmad@gmail.com </e-mail> <date> Apr. 2014 </date> <title>OpenLdap vs. Active Directory</title>
- 2. WHAT IS A DIRECTORY SERVICE? A directory service is the software system that stores, organizes and provides access to information in a directory. In software engineering, a directory is a map between names and values. A Directory is organized and/or optimized for lookup, searching, browsing and other ‘Read’ activities. It allows the lookup of values given a name, similar to a dictionary. In a directory, a name may be associated with multiple, different pieces of information
- 3. DIRECTORYVS. DATABASE Typically optimized for a very high ratio of searches to updates Not suited for information that changes rapidly Read-write ratio - LDAP is read optimized Extensibility - LDAP schemas are more easily changed Distribution - with LDAP data can be near where it is Needed Different performance - databases are generally deployed for limited amount of applications
- 4. WHAT IS LDAP? LDAP=Lightweight Directory Access Protocol BasedonX.500 Directory Service (RFC1777) Stores attribute based data Data generally read more than written Client-server model Based on entries Collection of attributes
- 5. WHY USE LDAP? Centrally manage users, groups and other data Don’t have to manage separate directories for each application Distribute management of data to appropriate people Allow users to find data that they need Authentication Authorization Auditing & Monitoring
- 6. SOME LDAPVENDORS Fedora DS OpenDS OpenLDAP Microsoft Active Directory Sun Novell HP CA Red Hat IBM Lotus
- 7. COMPARISON Based on some common features
- 8. SUPPORTED INTERNET STANDARD OpenLdap is a Standard LDAP server and support more than 90 RFC MS AD in comparison with other vendors support a few RFC’s (about 10)
- 9. SUPPORTED PLATFORMS AD -> only Windows Servers OpenLdap -> all platforms e.g. Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Apple MacOS X, IBM zOS, and MicrosoftWindows NT/2000/etc.
- 10. SIMPLE BIND BENCHMARK DATA MS: AD 3214/second “simple bind” operations on the 100,000 entry 32-bit configuration and 3079/second on the 100,000 entry 64-bit configuration HP: OpenLDAP delivered 12,800 to 13,600 authentications per second (depending on model) for a 250,000 entry database For the 3,000,000 user (entry) database: AD: 32-bit and the 64-bit simple bind performance dips below 3,000/second to 2,997/second OpenLdap: 13,043 and 13,639 authentications per second For 5,000,000 users: OLdap: 13,700 authentications per second OpenLDAP performance is probably in the range of four to eight times faster.
- 11. PERFORMANCE The memory required for AD to store the entries appears to be around three times that required for OpenLDAP *this is extrapolating without direct measurements to compare AD requires several times more memory and processor power than OpenLDAP
- 12. EASE OF USE AD is much easier to use and have pre designed schema and policies (less flexibility) In OpenLDAP admin must define every thing manually and from base
- 13. QUERY LIMIT AD has a default query limit of 10,000/1,000 Admin can change this value in configuration For retrieving large amount of information we need paging
- 14. PROMINENT LIMITATIONS OF ADAM Neither the LDAP standard nor the OpenLDAP product imposes any of the limitations described next
- 15. SCHEMA LIMITATIONS # Page 19 Attribute Character Length AttributeValue Limits Relative Distinguished Names OU Limitations Distinguished Name Syntax Attributes Objectclass and Attribute Definitions
- 16. DATA ACCESS LIMITATIONS # Page 21 Anonymous Binding Access Control
- 17. PERFORMANCE LIMITATIONS # Page 21 Indexing Caching
- 18. FINAL NOTE This is a clear and unambiguous statement that AD fails to provide the flexibility, extensibility, and other attributes needed to be a true directory services technology. AD may be excellent as a NOS directory, but this is an admission that it is NOT an LDAP directory. It is a NOS directory that supports LDAP access to its data There is no particular demand on most LDAP servers to run in any mode or under a specific user ID or restrictions. AD is inflexible in this and that means that experimental or educational instances are difficult to use
- 19. Q&A
- 20. REFERENCES http://en.wikipedia.org/wiki/Directory_services http://en.wikipedia.org/wiki/Ldap http://en.wikipedia.org/wiki/Active_Directory http://en.wikipedia.org/wiki/Openldap “Assessment of Microsoft’s Active Directory Application Mode (ADAM) as a Potential Enterprise DirectoryTechnology versus OpenLDAP and Other LDAP Offerings”, Symas Corporation, Version: 1.0, Published: October 2007 http://symas.com/documents/Adam-Eval1-0.pdf
- 21. REFERENCES http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0- 316dc821e3e7&DisplayLang=en http://www.symas.com/benchmark.shtml http://www.connexitor.com/blog/archives/archive_2007-m04.php#e130 http://www.connexitor.com/blog/archives/archive_2007-m04.php#e131 http://h71019.www7.hp.com/ActiveAnswers/cache/393495-0-0-0-121.html How ADAM works: http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2- be424fd03cda1033.mspx?mfr=true FAQ: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx AD Schema reference: http://technet2.microsoft.com/windowsserver/en/library/97cae647-d996-48ff-b478- c96193abeadb1033.mspx?mfr=true SANS Institute Internet Storm Center for Port 135: http://isc.sans.org/port.html?port=135
- 22. tnx ;)