Active Directory vs OpenLDAP

Question

What are the main diffrences between these two implementations of LDAP protocol? Which is better for heterogenous environment? Any good websites about this topic?

Answer 1

Here are some differences I know off the top of my head. OpenLDAP could be called a generic LDAP server similar to many other vendor's LDAP servers (Fedora DS 389, Oracle Internet Directory, IBM Tivoli Directory Server). Active Directory is a bit more customized for a Microsoft product suite (ie: running a Microsoft domain). There are pros and cons of each.

OpenLDAP is empty after installation and has no structure (called a DIT). It doesn't even have a root entry out of the box. AD is going to ship with a basic structure and has the GUI tools ready for you to start populating users. OpenLDAP and others expect you to create the DIT by hand so you'll have to design a structure. So you'll have to plan out where you're going to put your users, groups, roles and think about ACLs or branch delegation if your project involves things like that. For example you might have a domain for widgets.com. In AD the shipped structure will look something like this:

+ dc=widgets,dc=com |-- cn=Computers |-- cn=Users |-- cn=Groups 

In OpenLDAP (or other vanilla implementations), you can design your DIT in many ways. You can follow the domain component (dc=foo,dc=bar) convention or you can use something organized by geographic region (o=foo,c=bar). It doesn't matter a whole lot but you should go with one or the other. AD uses the DC convention and doesn't give you a choice but other LDAP servers can follow either convention. If you're trying to fit into a big MS domain, I'd stick with DC convention for consistency and ease of integration. But for this example we'll pretend our company organization (o) in one country (c) with no regions or units (ou):

+ o=widgets,c=us |-- cn=Machines |-- cn=People |-- cn=Groups |-- cn=Roles 

Then you can extend your schema if need be. If you want to extend your AD schema, AD will require you to add schema elements via the Active Directory Schema Editor MMC console plugin (make a custom MMC). After that, it's pretty straightforward. Define your attributes first and then your objectclasses. OpenLDAP requires you to write an LDIF (also requires attributes first and then objectclasses). Or use Apache Directory Studio with OpenLDAP which is an awesome GUI and admin tool and makes OpenLDAP near-AD ease of use.

AD doesn't let you query everything on 389 anonymously. If you want to get schema information (called the catalog) you have to query on 3289 and authenticate. This reminds me of LDAP's DIB vs DIT hiding but I don't know if AD is trying to do the same thing here.

AD has a default query limit of 10,000. If you want to suck down everything in one shot you have to use paging controls on your client or in your code or modify the default query limit on the domain controller you are searching. Note that paging controls can be problematic. I'd gotten them to work in java using the Netscape libraries but some LDAP clients don't seem to work correctly even though they claim they support paging controls (YMMV).

AD's authentication is a little strange. You can authenticate as an email formatted username (-D username@domain) or you can use the full user DN. If there's a way to do this in OpenLDAP, I don't know how to do it but I wouldn't bother. This is odd compared to other LDAP servers. Plain LDAP usually follow the DN format (cn=username,cn=Users,o=widgets,c=us).

I guess in short, AD is opinionated and OpenLDAP is generic. And because of that, AD is easy to stand up but OpenLDAP can be more flexible.

Answer 2

For hetrogenous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users - these can be kept in synch with separate LDAP server though this adds complexity.

As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary. (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface.):

http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG

Ranging Attributes Attributes in Active Directory and ADAM with more then 1000 values are returned 1000 at a time with a name that includes the range of values that were returned (or 1500 for Windows 2003). The range is returned to the client in the form: member;1-1000: somevalue In order to get the next thousand entries, the client application must somehow know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Microsoft Active Directory in a special way compared to other directory products.

Password Updates Microsoft Active Directory and ADAM have special rules around how the password of a user may be updated by using LDAP:

• Passwords may only be updated via secure SSL connection.
• If a user is updating their own password, the original password must be included in a modify delete with the new password being a modify add in the same modify operation.
• Only an administrator may reset the password of a user without knowing the previous password.
• Active Directroy does not use the userPassword attribute, it uses the unicodePwd attribute (which is quoted-UTF16-hex-padded-base64 encoded).

ObjectClass Mapping Most LDAP directories use the inetOrgPerson and groupOfUniqueNames object classes for users and groups. Microsoft Active Directory uses the user and group objectClasses with attributes specific to Active Directory NOS requirements of Microsoft."

These are some of the main ones but there are others.