<name> Ahmad Haghighi </name>
<e-mail> haghighi.ahmad@gmail.com </e-mail>
<date> Apr. 2014 </date>
<title>OpenLdap vs. Active Directory</title>
WHAT IS A DIRECTORY SERVICE?
- A directory service is the software system that stores, organizes and provides access to information in a directory.
- In software engineering, a directory is a map between names and values.
- A directory is organized and/or optimized for lookup, searching, browsing and other "read" activities.
- It allows the lookup of values given a name, similar to a dictionary.
- In a directory, a name may be associated with multiple, different pieces of information.
DIRECTORY VS. DATABASE
- Typically optimized for a very high ratio of searches to updates
- Not suited for information that changes rapidly
- Read-write ratio: LDAP is read optimized
- Extensibility: LDAP schemas are more easily changed
- Distribution: with LDAP, data can be kept near where it is needed
- Different performance: databases are generally deployed for a limited number of applications
WHAT IS LDAP?
- LDAP = Lightweight Directory Access Protocol
- Based on the X.500 Directory Service (RFC 1777)
- Stores attribute-based data
- Data is generally read more than written
- Client-server model
- Based on entries
- Each entry is a collection of attributes
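The entry model sketched above (a named entry holding attributes, each of which may carry several values) is easiest to see in LDIF, the text form used to load and dump directories. The following is an added example written for this page, not code from the slides or from OpenLDAP or AD: a small LDIF parser that builds entries as dictionaries of multi-valued attributes, plus helpers for the relative distinguished name (RDN) and parent DN. The two sample entries are constructed for illustration.

```python
"""Parse LDIF into entries, each a named collection of (possibly multi-valued)
attributes, to show the directory data model described on the slides."""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample data (assumed, not taken from the slides): two entries,
# one with multi-valued attributes and one base64-encoded value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
mail: a.example@example.com
description:: QWxpY2UncyBhY2NvdW50
# comment lines are ignored

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with one space)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {dn: {attribute_type: [values...]}}. Attribute types are
    case-insensitive in LDAP, so they are stored lower-cased."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                if "dn" not in current:
                    raise ValueError("entry without a dn line")
                entries[current.pop("dn")[0]] = current
                current = {}
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):               # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):             # "attr:< file:///..." is not handled here
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        key = name.strip().lower()
        if key == "dn" and current:
            raise ValueError("dn must be the first line of an entry")
        current.setdefault(key, []).append(value)
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def rdn(dn: str) -> Tuple[str, str]:
    """The relative distinguished name is the leftmost component of the DN."""
    attr_type, value = split_dn(dn)[0].split("=", 1)
    return attr_type.strip().lower(), value.strip()


def parent_dn(dn: str) -> str:
    """Everything to the right of the RDN names the entry's parent."""
    return ",".join(split_dn(dn)[1:])


def lookup(entries: Dict[str, Entry], dn: str, attr: str) -> List[str]:
    """Dictionary-style lookup: a name (DN plus attribute type) maps to a list
    of values, because one attribute may carry several pieces of information."""
    return entries.get(dn, {}).get(attr.lower(), [])


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for entry_dn, entry in directory.items():
        print(entry_dn, "->", rdn(entry_dn), "under", parent_dn(entry_dn))
        for attr_type, values in entry.items():
            print("   ", attr_type, values)
```

The parser keeps every value of a repeated attribute (the two `mail` values, the three `objectClass` values) rather than overwriting, which is the property that distinguishes a directory entry from a flat key-value map.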
WHY USE LDAP?
- Centrally manage users, groups and other data
- No need to manage separate directories for each application
- Distribute management of data to the appropriate people
- Allow users to find the data they need
- Authentication
- Authorization
- Auditing and monitoring
SOME LDAP VENDORS
- Fedora DS
- OpenDS
- OpenLDAP
- Microsoft Active Directory
- Sun
- Novell
- HP
- CA
- Red Hat
- IBM
- Lotus
COMPARISON
Based on some common features
SUPPORTED INTERNET STANDARDS
- OpenLDAP is a standards-based LDAP server and supports more than 90 RFCs
- MS AD, compared with other vendors, supports only a few RFCs (about 10)
SUPPORTED PLATFORMS
- AD -> only Windows Servers
- OpenLDAP -> all platforms, e.g. Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Apple MacOS X, IBM zOS, and Microsoft Windows NT/2000/etc.
SIMPLE BIND BENCHMARK DATA
- MS: AD 3214/second "simple bind" operations on the 100,000 entry 32-bit configuration and 3079/second on the 100,000 entry 64-bit configuration
- HP: OpenLDAP delivered 12,800 to 13,600 authentications per second (depending on model) for a 250,000 entry database
- For the 3,000,000 user (entry) database:
  AD: 32-bit and 64-bit simple bind performance dips below 3,000/second to 2,997/second
  OpenLDAP: 13,043 and 13,639 authentications per second
- For 5,000,000 users: OpenLDAP: 13,700 authentications per second
OpenLDAP performance is probably in the range of four to eight times faster.
PERFORMANCE
- The memory required for AD to store the entries appears to be around three times that required for OpenLDAP
  *this is extrapolating without direct measurements to compare
- AD requires several times more memory and processor power than OpenLDAP
EASE OF USE
- AD is much easier to use and has a pre-designed schema and policies (less flexibility)
- In OpenLDAP the admin must define everything manually, from the base up
QUERY LIMIT
- AD has a default query limit of 10,000/1,000
- The admin can change this value in the configuration
- For retrieving large amounts of information we need paging
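The query limit above is the reason paged searches exist: a client that asks for more entries than the server's page ceiling gets a truncated result unless it uses the Simple Paged Results control from RFC 2696 and keeps resending the server's cookie. The following is an added example written for this page (not code from the slides, AD or OpenLDAP): it encodes and decodes the control value as BER, and walks a paged search against a simulated server whose page ceiling mirrors the 1,000-entry default from the slide. The `SimulatedServer` class, the offset-style cookie and the 2,500-entry sample set are constructed for illustration; the control OID is the one RFC 2696 assigns.

```python
"""Simple Paged Results (RFC 2696) walked against a simulated server that caps
each page, the way AD's default page limit of 1,000 (from the slide) does."""
from typing import List, Tuple

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # control OID defined in RFC 2696


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement content octets of a non-negative INTEGER."""
    if n < 0:
        raise ValueError("size must be non-negative")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def encode_control_value(size: int, cookie: bytes) -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    body = b"\x02" + _ber_len(len(_ber_int(size))) + _ber_int(size)
    body += b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one tag-length-value element; reject the wrong tag or a short buffer."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_control_value(value: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_control_value, strict about trailing or extra elements."""
    body, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_raw, pos = _read_tlv(body, 0, 0x02)
    cookie, pos = _read_tlv(body, pos, 0x04)
    if pos != len(body):
        raise ValueError("unexpected extra element in control value")
    return int.from_bytes(size_raw, "big", signed=True), cookie


class SimulatedServer:
    """Stand-in for a directory (assumed, not AD or OpenLDAP code): a fixed
    result set and a page-size ceiling applied to every search."""

    def __init__(self, entries: List[str], max_page_size: int = 1000):
        self.entries = entries
        self.max_page_size = max_page_size

    def search_unpaged(self) -> Tuple[List[str], bool]:
        """Without the control, a large result set is cut off at the ceiling."""
        truncated = len(self.entries) > self.max_page_size
        return self.entries[:self.max_page_size], truncated

    def search_paged(self, control_value: bytes) -> Tuple[List[str], bytes]:
        """One page: honour the requested size up to the ceiling, and return a
        cookie (here a plain offset) that is empty once the set is exhausted."""
        requested, cookie = decode_control_value(control_value)
        offset = int.from_bytes(cookie, "big") if cookie else 0
        if requested == 0:                      # size 0 abandons the paged search
            return [], encode_control_value(0, b"")
        page = self.entries[offset:offset + min(requested, self.max_page_size)]
        nxt = offset + len(page)
        new_cookie = b"" if nxt >= len(self.entries) else nxt.to_bytes(4, "big")
        return page, encode_control_value(len(self.entries), new_cookie)


def paged_search(server: SimulatedServer, page_size: int) -> Tuple[List[str], int]:
    """Client loop: resend the server's cookie until it comes back empty."""
    results: List[str] = []
    cookie, rounds = b"", 0
    while True:
        page, response = server.search_paged(encode_control_value(page_size, cookie))
        results.extend(page)
        rounds += 1
        _, cookie = decode_control_value(response)
        if not cookie:
            return results, rounds


# Constructed sample: 2,500 user DNs, more than one 1,000-entry page.
SAMPLE_ENTRIES = [f"uid=user{i:04d},ou=people,dc=example,dc=com" for i in range(2500)]

if __name__ == "__main__":
    srv = SimulatedServer(SAMPLE_ENTRIES, max_page_size=1000)
    partial, truncated = srv.search_unpaged()
    print(f"unpaged: {len(partial)} entries, truncated={truncated}")
    everything, rounds = paged_search(srv, page_size=5000)
    print(f"paged: {len(everything)} entries in {rounds} round trips")
```

Asking for 5,000 entries per page against a 1,000-entry ceiling still takes three round trips, because the server, not the client, decides the page size; raising the server-side limit instead of paging is the change the slide warns needs a configuration edit on AD.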
PROMINENT LIMITATIONS OF ADAM
Neither the LDAP standard nor the OpenLDAP product imposes any of the limitations described next.
SCHEMA LIMITATIONS (Page 19)
- Attribute Character Length
- Attribute Value Limits
- Relative Distinguished Names
- OU Limitations
- Distinguished Name Syntax Attributes
- Objectclass and Attribute Definitions
DATA ACCESS LIMITATIONS (Page 21)
- Anonymous Binding
- Access Control
PERFORMANCE LIMITATIONS (Page 21)
- Indexing
- Caching
FINAL NOTE
This is a clear and unambiguous statement that AD fails to provide the flexibility, extensibility, and other attributes needed to be a true directory services technology. AD may be excellent as a NOS directory, but this is an admission that it is NOT an LDAP directory. It is a NOS directory that supports LDAP access to its data.
There is no particular demand on most LDAP servers to run in any mode or under a specific user ID or restrictions. AD is inflexible in this, and that means that experimental or educational instances are difficult to use.
Q&A
REFERENCES
- http://en.wikipedia.org/wiki/Directory_services
- http://en.wikipedia.org/wiki/Ldap
- http://en.wikipedia.org/wiki/Active_Directory
- http://en.wikipedia.org/wiki/Openldap
- "Assessment of Microsoft's Active Directory Application Mode (ADAM) as a Potential Enterprise Directory Technology versus OpenLDAP and Other LDAP Offerings", Symas Corporation, Version 1.0, October 2007. http://symas.com/documents/Adam-Eval1-0.pdf
- http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en
- http://www.symas.com/benchmark.shtml
- http://www.connexitor.com/blog/archives/archive_2007-m04.php#e130
- http://www.connexitor.com/blog/archives/archive_2007-m04.php#e131
- http://h71019.www7.hp.com/ActiveAnswers/cache/393495-0-0-0-121.html
- How ADAM works: http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true
- FAQ: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx
- AD Schema reference: http://technet2.microsoft.com/windowsserver/en/library/97cae647-d996-48ff-b478-c96193abeadb1033.mspx?mfr=true
- SANS Institute Internet Storm Center for Port 135: http://isc.sans.org/port.html?port=135
tnx ;)