1. <name> Ahmad Haghighi </name>
<e-mail> haghighi.ahmad@gmail.com </e-mail>
<date> Apr. 2014 </date>
<title>OpenLdap vs. Active Directory</title>
2. WHAT IS A DIRECTORY SERVICE?
A directory service is the software system that stores, organizes and provides access to information in a directory.
In software engineering, a directory is a map between names and values.
A directory is organized and/or optimized for lookup, searching, browsing and other ‘read’ activities.
It allows the lookup of values given a name, similar to a dictionary.
In a directory, a name may be associated with multiple, different pieces of information.
3. DIRECTORY VS. DATABASE
Typically optimized for a very high ratio of searches to updates
Not suited for information that changes rapidly
Read-write ratio - LDAP is read optimized
Extensibility - LDAP schemas are more easily changed
Distribution - with LDAP, data can be kept near where it is needed
Different performance - databases are generally deployed for a limited number of applications
4. WHAT IS LDAP?
LDAP=Lightweight Directory Access Protocol
Based on X.500
Directory Service (RFC 1777)
Stores attribute-based data
Data generally read more than written
Client-server model
Based on entries
Collection of attributes
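The "based on entries / collection of attributes" model is easiest to see in LDIF, the text form in which LDAP entries are exported and exchanged. The following parser is an added example, not code from the slides or from OpenLDAP; the sample LDIF, the DNs and the person in it are constructed. It handles the parts of the format that trip up quick scripts: folded continuation lines, comment lines, base64 (`::`) values, multi-valued attributes, and the fact that LDAP attribute type names are case-insensitive.

```python
import base64

# Constructed sample LDIF (the RFC 2849 text form of LDAP entries); not exported from any real directory.
SAMPLE_LDIF = """\
# two entries: a person and a group that refers to it by DN
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: jdoe
cn:: Sm9obiBEb2U=
sn: Doe
mail: jdoe@example.com
description: read-optimized directory
  entry

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=jdoe,ou=people,dc=example,dc=com
"""


def parse_ldif(text: str) -> list[dict]:
    """Return one {"dn": str, "attrs": {name: [values]}} dict per record in the LDIF text."""
    # Step 1: unfold. A line starting with a single space continues the previous line (the space is dropped).
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    # Step 2: records are separated by blank lines; lines starting with '#' are comments.
    entries: list[dict] = []
    record: list[str] = []
    for line in logical + [""]:  # the trailing "" flushes the last record
        if line == "":
            if record:
                entries.append(_build_entry(record))
                record = []
        elif not line.startswith("#"):
            record.append(line)
    return entries


def _build_entry(lines: list[str]) -> dict:
    entry: dict = {"dn": None, "attrs": {}}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):        # "attr:: <base64>" -> decode the value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):      # "attr:< file:///..." -> keep the URL, never fetch it blindly
            value = rest[1:].strip()
        else:                           # "attr: value" -> exactly one space follows the colon
            value = rest[1:] if rest.startswith(" ") else rest
        if name.lower() == "dn":
            entry["dn"] = value
        else:
            entry["attrs"].setdefault(name, []).append(value)  # attributes may be multi-valued
    if entry["dn"] is None:
        raise ValueError("LDIF record without a dn line")
    return entry


def get_attr(entry: dict, name: str) -> list[str]:
    """LDAP attribute type names are case-insensitive ('objectclass' == 'objectClass'), so match that way."""
    for key, values in entry["attrs"].items():
        if key.lower() == name.lower():
            return values
    return []


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], get_attr(e, "objectclass"))
```

Two details matter in practice: a value introduced with `:<` is a URL the exporter expects the importer to read, which is why the parser keeps it as text instead of opening it; and because attribute names are matched case-insensitively, access rules or filters written against `userpassword` and `userPassword` refer to the same attribute.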
5. WHY USE LDAP?
Centrally manage users, groups and other data
Don’t have to manage separate directories for each application
Distribute management of data to appropriate people
Allow users to find data that they need
Authentication
Authorization
Auditing & Monitoring
6. SOME LDAP VENDORS
Fedora DS
OpenDS
OpenLDAP
Microsoft Active Directory
Sun
Novell
HP
CA
Red Hat
IBM
Lotus
8. SUPPORTED INTERNET STANDARDS
OpenLDAP is a standards-based LDAP server and supports more than 90 RFCs
MS AD, in comparison with other vendors, supports only a few RFCs (about 10)
9. SUPPORTED PLATFORMS
AD -> only Windows Servers
OpenLDAP -> all platforms
e.g. Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Apple MacOS X, IBM zOS, and Microsoft Windows NT/2000/etc.
10. SIMPLE BIND BENCHMARK DATA
MS: AD 3214/second “simple bind” operations on the 100,000 entry 32-bit configuration and 3079/second on the 100,000 entry 64-bit configuration
HP: OpenLDAP delivered 12,800 to 13,600 authentications per second (depending on model) for a 250,000 entry database
For the 3,000,000 user (entry) database:
AD: 32-bit and 64-bit simple bind performance dips below 3,000/second, to 2,997/second
OpenLDAP: 13,043 and 13,639 authentications per second
For 5,000,000 users: OpenLDAP: 13,700 authentications per second
OpenLDAP performance is probably in the range of four to eight times faster.
11. PERFORMANCE
The memory required for AD to store the entries appears to be around three times that required for OpenLDAP
*this is extrapolated without direct measurements to compare
AD requires several times more memory and processor power than OpenLDAP
12. EASE OF USE
AD is much easier to use and has a pre-designed schema and policies (less flexibility)
In OpenLDAP the admin must define everything manually, from the base up
13. QUERY LIMIT
AD has a default query limit of 10,000/1,000
The admin can change this value in the configuration
Retrieving large amounts of information requires paging
18. FINAL NOTE
This is a clear and unambiguous statement that AD fails to provide the flexibility, extensibility, and other attributes needed to be a true directory services technology. AD may be excellent as a NOS directory, but this is an admission that it is NOT an LDAP directory. It is a NOS directory that supports LDAP access to its data.
There is no particular demand on most LDAP servers to run in any mode or under a specific user ID or restrictions. AD is inflexible in this, and that means that experimental or educational instances are difficult to use.
20. REFERENCES
http://en.wikipedia.org/wiki/Directory_services
http://en.wikipedia.org/wiki/Ldap
http://en.wikipedia.org/wiki/Active_Directory
http://en.wikipedia.org/wiki/Openldap
“Assessment of Microsoft’s Active Directory Application Mode (ADAM) as a Potential Enterprise Directory Technology versus OpenLDAP and Other LDAP Offerings”, Symas Corporation, Version: 1.0, Published: October 2007
http://symas.com/documents/Adam-Eval1-0.pdf
21. REFERENCES
http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en
http://www.symas.com/benchmark.shtml
http://www.connexitor.com/blog/archives/archive_2007-m04.php#e130
http://www.connexitor.com/blog/archives/archive_2007-m04.php#e131
http://h71019.www7.hp.com/ActiveAnswers/cache/393495-0-0-0-121.html
How ADAM works: http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true
FAQ: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx
AD Schema reference: http://technet2.microsoft.com/windowsserver/en/library/97cae647-d996-48ff-b478-c96193abeadb1033.mspx?mfr=true
SANS Institute Internet Storm Center for Port 135: http://isc.sans.org/port.html?port=135