open ldap vs. active directory


Page 1: Open LDAP vs. Active Directory

Ahmad Haghighi <[email protected]>

Apr. 2014

OpenLDAP vs. Active Directory

Page 2: Open LDAP vs. Active Directory

WHAT IS A DIRECTORY SERVICE?

A directory service is the software system that stores, organizes and provides access to information in a directory.

In software engineering, a directory is a map between names and values.

A directory is organized and/or optimized for lookup, searching, browsing and other ‘read’ activities.

It allows the lookup of values given a name, similar to a dictionary.

In a directory, a name may be associated with multiple, different pieces of information.

Page 3: Open LDAP vs. Active Directory

DIRECTORY VS. DATABASE

Typically optimized for a very high ratio of searches to updates, so not suited to information that changes rapidly.

Read/write ratio: LDAP is read-optimized.

Extensibility: LDAP schemas are more easily changed.

Distribution: with LDAP, data can be replicated to where it is needed.

Deployment: databases are generally deployed for a limited number of applications, whereas a directory is shared by many.

Page 4: Open LDAP vs. Active Directory

WHAT IS LDAP?

LDAP = Lightweight Directory Access Protocol

Based on the X.500 Directory Service; the original LDAP (v2) is RFC 1777, and the current LDAPv3 is specified in RFC 4510 and its companion RFCs

Stores attribute-based data

Data is generally read more than written

Client-server model

Based on entries, each a collection of attributes
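An added example, written for this page and not code from the slides, OpenLDAP or Microsoft: a toy in-memory directory in Python that parses Distinguished Names per RFC 4514 (escaped commas, `+` multi-valued RDNs, `\XX` hex pairs), stores each entry as a set of attribute values, and answers base/one/sub-scoped searches. The sample tree under dc=example,dc=com is constructed, and value matching assumes caseIgnoreMatch for every attribute, which a real server decides per attribute from its schema.

```python
"""Added example, not from the slides: a toy in-memory directory service.
Entries are named by a Distinguished Name (DN), each entry is a set of
attribute values, and the service exists for lookup and scoped search, not
updates. DN parsing follows RFC 4514 escaping; the store is a simplified
model, not OpenLDAP or Active Directory code; the sample tree is constructed.
"""
from typing import Dict, List, Tuple

RDN = List[Tuple[str, str]]   # one RDN may hold several type=value pairs joined by '+'

def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string into RDNs (leaf first): '\\,' and '\\+' do not
    split, '\\XX' is a hex pair, unescaped spaces around a value are dropped."""
    rdns, current, buf = [], [], []           # buf holds (character, was_escaped)

    def flush() -> None:
        eq = next((k for k, (c, esc) in enumerate(buf) if c == "=" and not esc), None)
        if eq is None:
            raise ValueError("RDN component without '='")
        typ = "".join(c for c, _ in buf[:eq]).strip().lower()
        val = buf[eq + 1:]
        while val and val[0] == (" ", False): val.pop(0)
        while val and val[-1] == (" ", False): val.pop()
        buf.clear()
        current.append((typ, "".join(c for c, _ in val)))

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append((chr(int(pair, 16)), True))
                i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if ch == ",":                          # end of this RDN
            flush()
            rdns.append(list(current))
            current.clear()
        elif ch == "+":                        # another pair in the same RDN
            flush()
        else:
            buf.append((ch, False))
        i += 1
    flush()
    rdns.append(list(current))
    return rdns

def normalize(dn: str) -> tuple:
    """Canonical key: pairs sorted within each RDN, values case-folded (the toy
    assumes caseIgnoreMatch; real servers take the matching rule from the schema)."""
    return tuple(tuple(sorted((t, v.lower()) for t, v in rdn)) for rdn in parse_dn(dn))

class Directory:
    """Entries keyed by normalized DN; reads dominate, as the slide says."""
    def __init__(self) -> None:
        self._entries: Dict[tuple, Tuple[str, Dict[str, List[str]]]] = {}

    def add(self, dn: str, **attrs: List[str]) -> None:
        merged = {t.lower(): list(v) for t, v in attrs.items()}
        for t, v in parse_dn(dn)[0]:                       # RDN values are attributes too
            if v not in merged.setdefault(t, []):
                merged[t].append(v)
        self._entries[normalize(dn)] = (dn, merged)

    def lookup(self, dn: str):
        hit = self._entries.get(normalize(dn))             # name -> values, like a dict
        return hit[1] if hit else None

    def search(self, base: str, scope: str = "sub", **equals: str) -> List[str]:
        """DNs under `base` whose attributes satisfy every type=value assertion."""
        if scope not in ("base", "one", "sub"):
            raise ValueError("scope must be base, one or sub")
        b, found = normalize(base), []
        for key, (dn, attrs) in self._entries.items():
            depth = len(key) - len(b)
            if depth < 0 or key[depth:] != b:              # not under the base
                continue
            if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
                continue
            if all(v.lower() in [x.lower() for x in attrs.get(t.lower(), [])]
                   for t, v in equals.items()):
                found.append(dn)
        return found

def build_sample() -> Directory:
    """Constructed sample tree, not real data."""
    d = Directory()
    d.add("dc=example,dc=com", objectClass=["dcObject", "organization"])
    d.add("ou=People,dc=example,dc=com", objectClass=["organizationalUnit"])
    d.add("uid=alice,ou=People,dc=example,dc=com", objectClass=["inetOrgPerson"], mail=["alice@example.com"])
    d.add("cn=Smith\\, John,ou=People,dc=example,dc=com", objectClass=["inetOrgPerson"])
    d.add("cn=Bob Bobson+mail=bob@example.com,ou=People,dc=example,dc=com", objectClass=["inetOrgPerson"])
    return d
```

The parser keeps an escaped flag per character so that a trailing `\ ` survives while ordinary padding is dropped, and the key normalization sorts the pairs inside a multi-valued RDN, so `mail=...+cn=...` and `cn=...+mail=...` name the same entry, exactly as an LDAP server would treat them.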

Page 5: Open LDAP vs. Active Directory

WHY USE LDAP?

Centrally manage users, groups and other data

Don’t have to manage a separate directory for each application

Distribute management of data to the appropriate people

Allow users to find the data they need

Authentication, authorization, auditing & monitoring

Page 6: Open LDAP vs. Active Directory

SOME LDAP VENDORS

Fedora DS, OpenDS, OpenLDAP

Microsoft Active Directory, Sun, Novell, HP, CA, Red Hat, IBM Lotus

Page 7: Open LDAP vs. Active Directory

COMPARISON

Based on some common features

Page 8: Open LDAP vs. Active Directory

SUPPORTED INTERNET STANDARDS

OpenLDAP is a standards-based LDAP server and supports more than 90 RFCs.

MS AD, in comparison with other vendors, supports only a few RFCs (about 10).

Page 9: Open LDAP vs. Active Directory

SUPPORTED PLATFORMS

AD -> Windows Server only

OpenLDAP -> all platforms, e.g. Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Apple Mac OS X, IBM z/OS, and Microsoft Windows NT/2000/etc.

Page 10: Open LDAP vs. Active Directory

SIMPLE BIND BENCHMARK DATA

MS: AD performed 3,214 “simple bind” operations per second on the 100,000-entry 32-bit configuration and 3,079/second on the 100,000-entry 64-bit configuration.

HP: OpenLDAP delivered 12,800 to 13,600 authentications per second (depending on model) for a 250,000-entry database.

For the 3,000,000-user (entry) database:

AD: 32-bit and 64-bit simple bind performance dips below 3,000/second, to 2,997/second

OpenLDAP: 13,043 and 13,639 authentications per second

For 5,000,000 users: OpenLDAP: 13,700 authentications per second

OpenLDAP performance is probably in the range of four to eight times faster.

Note that a simple bind sends the password in cleartext unless the connection is protected by TLS (LDAPS or StartTLS); a production deployment should require that, whichever server wins the benchmark.

Page 11: Open LDAP vs. Active Directory

PERFORMANCE

The memory required for AD to store the entries appears to be around three times that required for OpenLDAP (* this is an extrapolation without direct measurements to compare).

AD requires several times more memory and processor power than OpenLDAP.

Page 12: Open LDAP vs. Active Directory

EASE OF USE

AD is much easier to use and has a pre-designed schema and policies (less flexibility).

In OpenLDAP the admin must define everything manually, from the base schema up.

Page 13: Open LDAP vs. Active Directory

QUERY LIMIT

AD has a default query limit of 10,000/1,000 entries per search. An admin can change this value in the LDAP query policy. Retrieving a large amount of information requires the paged results control (RFC 2696), which asks the server for the result set one page at a time.
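An added example, not from the slides or from either product: the RFC 2696 paged-results exchange in Python. `FakeServer` is a constructed stand-in that models the documented AD behaviour (an unpaged search stops at MaxPageSize with resultCode 4, sizeLimitExceeded, and a page request larger than MaxPageSize is reduced to it); the control-value encoding is real BER per RFC 2696. The entry DNs are generated, and the cookie format (a plain offset) is this example's own, since real cookies are opaque to the client.

```python
"""Added example, not from the slides: why large result sets need paging.

FakeServer is a constructed stand-in modelling the documented Active
Directory policy: an unpaged search is cut off at MaxPageSize entries with
resultCode 4 (sizeLimitExceeded), and a pagedResults page larger than
MaxPageSize is silently reduced to it. It is not AD or OpenLDAP code. The
control value encoding follows RFC 2696, which both servers support.
"""
from typing import List, Optional, Tuple

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # controlType of the LDAP Control
SIZE_LIMIT_EXCEEDED = 4                         # LDAP resultCode for a truncated result

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int(n: int) -> bytes:
    """BER INTEGER (tag 0x02), two's complement, minimal length."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def encode_paged_control(size: int, cookie: bytes = b"") -> bytes:
    """RFC 2696: realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner

def decode_paged_control(value: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_paged_control; raises ValueError on a malformed value."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, size_body, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_body, "big", signed=True), cookie

class FakeServer:
    """Constructed directory of `total` entries enforcing an AD-style MaxPageSize."""

    def __init__(self, total: int, max_page_size: int = 1000) -> None:
        self.entries = [f"cn=user{i:05d},ou=People,dc=example,dc=com" for i in range(total)]
        self.max_page_size = max_page_size

    def search(self, control: Optional[bytes] = None) -> Tuple[int, List[str], bytes]:
        """Return (resultCode, entries, response control value)."""
        if control is None:                        # no paging: truncated at the limit
            if len(self.entries) > self.max_page_size:
                return SIZE_LIMIT_EXCEEDED, self.entries[:self.max_page_size], b""
            return 0, list(self.entries), b""
        size, cookie = decode_paged_control(control)
        size = min(size, self.max_page_size)       # oversized page request is capped
        offset = int(cookie) if cookie else 0      # real cookies are opaque; ours is an offset
        end = offset + size
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        # response: size = server's estimate of the total, empty cookie = last page
        return 0, self.entries[offset:end], encode_paged_control(len(self.entries), next_cookie)

def unpaged_search(server: FakeServer) -> Tuple[int, int]:
    """What a naive client sees: (resultCode, number of entries received)."""
    code, entries, _ = server.search()
    return code, len(entries)

def paged_search(server: FakeServer, page_size: int) -> Tuple[List[str], int]:
    """RFC 2696 client loop: resend the control with the returned cookie until it is empty."""
    results: List[str] = []
    cookie, pages = b"", 0
    while True:
        code, page, resp = server.search(encode_paged_control(page_size, cookie))
        if code != 0:
            raise RuntimeError(f"search failed with resultCode {code}")
        results.extend(page)
        pages += 1
        _, cookie = decode_paged_control(resp)
        if not cookie:
            return results, pages

if __name__ == "__main__":
    srv = FakeServer(2500)
    print("unpaged:", unpaged_search(srv))                 # (4, 1000): truncated
    entries, pages = paged_search(srv, 1000)
    print("paged:", len(entries), "entries in", pages, "pages")
```

Against a real server the control value is wrapped in an LDAP Control whose controlType is 1.2.840.113556.1.4.319; OpenLDAP's `ldapsearch -E pr=1000/noprompt` does that for you. The client-side rule is the same either way: a non-empty cookie means more pages, and a client that asks for 5,000 per page still only gets MaxPageSize per round trip, so the loop, not the page size, is what makes the search complete.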

Page 14: Open LDAP vs. Active Directory

PROMINENT LIMITATIONS OF ADAM (Active Directory Application Mode, the standalone LDAP mode of AD, later renamed AD LDS)

Neither the LDAP standard nor the OpenLDAP product imposes any of the limitations described next.

Page 15: Open LDAP vs. Active Directory

SCHEMA LIMITATIONS

(Symas ADAM assessment, p. 19)

Attribute character length

Attribute value limits

Relative Distinguished Names

OU limitations

Distinguished Name syntax attributes

Objectclass and attribute definitions

Page 16: Open LDAP vs. Active Directory

DATA ACCESS LIMITATIONS

(Symas ADAM assessment, p. 21)

Anonymous binding

Access control

Page 17: Open LDAP vs. Active Directory

PERFORMANCE LIMITATIONS

(Symas ADAM assessment, p. 21)

Indexing

Caching

Page 18: Open LDAP vs. Active Directory

FINAL NOTE

This is a clear and unambiguous statement that AD fails to provide the flexibility, extensibility, and other attributes needed to be a true directory services technology. AD may be excellent as a NOS (network operating system) directory, but this is an admission that it is NOT an LDAP directory. It is a NOS directory that supports LDAP access to its data.

There is no particular demand on most LDAP servers to run in any mode or under a specific user ID or restrictions. AD is inflexible in this, which means that experimental or educational instances are difficult to use.

Page 19: Open LDAP vs. Active Directory

Q&A

Page 20: Open LDAP vs. Active Directory

REFERENCES

http://en.wikipedia.org/wiki/Directory_services

http://en.wikipedia.org/wiki/Ldap

http://en.wikipedia.org/wiki/Active_Directory

http://en.wikipedia.org/wiki/Openldap

“Assessment of Microsoft’s Active Directory Application Mode (ADAM) as a Potential Enterprise Directory Technology versus OpenLDAP and Other LDAP Offerings”, Symas Corporation, Version 1.0, October 2007, http://symas.com/documents/Adam-Eval1-0.pdf

Page 21: Open LDAP vs. Active Directory

REFERENCES

http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en

http://www.symas.com/benchmark.shtml

http://www.connexitor.com/blog/archives/archive_2007-m04.php#e130

http://www.connexitor.com/blog/archives/archive_2007-m04.php#e131

http://h71019.www7.hp.com/ActiveAnswers/cache/393495-0-0-0-121.html

How ADAM works: http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

FAQ: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

AD Schema reference: http://technet2.microsoft.com/windowsserver/en/library/97cae647-d996-48ff-b478-c96193abeadb1033.mspx?mfr=true

SANS Institute Internet Storm Center for Port 135: http://isc.sans.org/port.html?port=135

Page 22: Open LDAP vs. Active Directory

Thanks ;)