Ahmad Haghighi
[email protected]
Apr. 2014
OpenLDAP vs. Active Directory
WHAT IS A DIRECTORY SERVICE?
A directory service is the software system that stores, organizes and provides access to information in a directory.
In software engineering, a directory is a map between names and values.
A Directory is organized and/or optimized for lookup, searching, browsing and other ‘Read’ activities.
It allows the lookup of values given a name, similar to a dictionary.
In a directory, a name may be associated with multiple, different pieces of information.
DIRECTORY VS. DATABASE
Typically optimized for a very high ratio of searches to updates
Not suited for information that changes rapidly
Read-write ratio - LDAP is read optimized
Extensibility - LDAP schemas are more easily changed
Distribution - with LDAP, data can be kept near where it is needed
Different performance - databases are generally deployed for a limited number of applications
WHAT IS LDAP?
LDAP = Lightweight Directory Access Protocol
Based on the X.500 Directory Service (RFC 1777)
Stores attribute-based data
Data generally read more than written
Client-server model
Based on entries, each of which is a collection of attributes
WHY USE LDAP?
Centrally manage users, groups and other data
Don't have to manage separate directories for each application
Distribute management of data to appropriate people
Allow users to find the data that they need
Authentication, Authorization, Auditing & Monitoring
SOME LDAP VENDORS
Fedora DS, OpenDS, OpenLDAP
Microsoft Active Directory, Sun, Novell, HP, CA, Red Hat, IBM Lotus
COMPARISON
Based on some common features
SUPPORTED INTERNET STANDARDS
OpenLDAP is a standards-compliant LDAP server and supports more than 90 RFCs
MS AD, in comparison with other vendors, supports only a few RFCs (about 10)
SUPPORTED PLATFORMS
AD -> only Windows Servers
OpenLDAP -> all platforms, e.g. Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Apple Mac OS X, IBM z/OS, and Microsoft Windows NT/2000/etc.
SIMPLE BIND BENCHMARK DATA
MS: AD 3214/second "simple bind" operations on the 100,000-entry 32-bit configuration and 3079/second on the 100,000-entry 64-bit configuration
HP: OpenLDAP delivered 12,800 to 13,600 authentications per second (depending on model) for a 250,000-entry database
For the 3,000,000 user (entry) database:
AD: 32-bit and 64-bit simple bind performance dips below 3,000/second, to 2,997/second
OpenLDAP: 13,043 and 13,639 authentications per second
For 5,000,000 users: OpenLDAP: 13,700 authentications per second
OpenLDAP performance is probably in the range of four to eight times faster.
PERFORMANCE
The memory required for AD to store the entries appears to be around three times that required for OpenLDAP*
* This is extrapolating, without direct measurements to compare
AD requires several times more memory and processor power than OpenLDAP
EASE OF USE
AD is much easier to use and has a pre-designed schema and policies (less flexibility)
In OpenLDAP the admin must define everything manually, from the base up
QUERY LIMIT
AD has a default query limit of 10,000/1,000
The admin can change this value in the configuration
For retrieving large amounts of information we need paging
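Added example (not from the slides or from either product): a pure-Python encoder/decoder for the RFC 2696 paged results control that an LDAP client sends to retrieve more than the server's per-page limit, plus a constructed stand-in "AD" that caps pages at 1,000 so you can see how many round trips a 2,500-entry result costs. The server and the cookie format are assumptions for the demonstration; a real AD cookie is opaque.

```python
# Added example, not from the slides: RFC 2696 pagedResultsControl (OID below).
# Hand-rolled BER so it runs offline; fake_ad_server is a constructed stand-in.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # sent as a SearchRequest control

def _ber_len(n):  # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(v):  # INTEGER (tag 0x02) with a minimal two's-complement body
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body

def encode_paged_control(size, cookie=b""):
    # realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner

def _read_tlv(buf, pos):  # returns (tag, value bytes, position after the TLV)
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_paged_control(value):
    tag, seq, _ = _read_tlv(value, 0)
    t_size, size, pos = _read_tlv(seq, 0)
    t_cookie, cookie, _ = _read_tlv(seq, pos)
    if (tag, t_size, t_cookie) != (0x30, 0x02, 0x04):
        raise ValueError("malformed pagedResultsControl value")
    return int.from_bytes(size, "big", signed=True), cookie

def fake_ad_server(entries, max_page_size=1000):
    # Constructed stand-in: caps every page at MaxPageSize (AD default 1000);
    # its cookie is simply the next offset, real servers return opaque bytes.
    def search(control_value):
        size, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        end = min(start + min(size, max_page_size), len(entries))
        next_cookie = b"" if end >= len(entries) else end.to_bytes(4, "big")
        return entries[start:end], encode_paged_control(0, next_cookie)
    return search

def paged_search(search, page_size):
    # Client loop: resend the control with the server's cookie until it is empty.
    results, cookie, round_trips = [], b"", 0
    while True:
        page, response = search(encode_paged_control(page_size, cookie))
        results.extend(page)
        round_trips += 1
        _, cookie = decode_paged_control(response)
        if not cookie:
            return results, round_trips
```

Asking the stand-in for 5,000 entries at once still yields 1,000 per page, which is why a client that ignores the cookie silently sees only the first page.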
PROMINENT LIMITATIONS OF ADAM
Neither the LDAP standard nor the OpenLDAP product imposes any of the limitations described next
SCHEMA LIMITATIONS (page 19)
Attribute Character Length
Attribute Value Limits
Relative Distinguished Names
OU Limitations
Distinguished Name Syntax Attributes
Objectclass and Attribute Definitions
DATA ACCESS LIMITATIONS (page 21)
Anonymous Binding
Access Control
PERFORMANCE LIMITATIONS (page 21)
Indexing
Caching
FINAL NOTE
This is a clear and unambiguous statement that AD fails to provide the flexibility, extensibility, and other attributes needed to be a true directory services technology. AD may be excellent as a NOS directory, but this is an admission that it is NOT an LDAP directory. It is a NOS directory that supports LDAP access to its data.
There is no particular demand on most LDAP servers to run in any mode or under a specific user ID or restrictions. AD is inflexible in this, and that means that experimental or educational instances are difficult to use.
Q&A
REFERENCES
http://en.wikipedia.org/wiki/Directory_services
http://en.wikipedia.org/wiki/Ldap
http://en.wikipedia.org/wiki/Active_Directory
http://en.wikipedia.org/wiki/Openldap
"Assessment of Microsoft's Active Directory Application Mode (ADAM) as a Potential Enterprise Directory Technology versus OpenLDAP and Other LDAP Offerings", Symas Corporation, Version 1.0, Published October 2007: http://symas.com/documents/Adam-Eval1-0.pdf
http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en
http://www.symas.com/benchmark.shtml
http://www.connexitor.com/blog/archives/archive_2007-m04.php#e130
http://www.connexitor.com/blog/archives/archive_2007-m04.php#e131
http://h71019.www7.hp.com/ActiveAnswers/cache/393495-0-0-0-121.html
How ADAM works: http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true
FAQ: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx
AD Schema reference: http://technet2.microsoft.com/windowsserver/en/library/97cae647-d996-48ff-b478-c96193abeadb1033.mspx?mfr=true
SANS Institute Internet Storm Center for Port 135: http://isc.sans.org/port.html?port=135
Thanks ;)