Hi Martin,
We've mixed and matched our LDAP and AD authentication, based on necessity, rather than savings in technology. We use Novell IDM to populate both services, so our user accounts and group information are always in sync.
We've found LDAP to be more flexible, inasmuch as the schema's easier to change and putting the system behind a load balancer has, in general, been easier than with AD. With LDAP not being a true domain, it means we can inject extra accounts that we wouldn't want in the production domain for security reasons.
That's not to say there's anything wrong with AD; we've just tried to keep that fairly Microsoft-centric, rather than make it all things to all men.
Your mileage may vary! :-)
Regards,
Richard
t: +44 (0) 115 95 15895
x: 15895
-----Original Message-----
From: Support issues for windows in UK HE & FE [mailto:[log in to unmask]] On Behalf Of WINDOWS-UK automatic digest system
Sent: 24 October 2014 00:08
To: [log in to unmask]
Subject: WINDOWS-UK Digest - 21 Oct 2014 to 23 Oct 2014 (#2014-41)
There is 1 message totaling 61 lines in this issue.
Topics of the day:
1. AD LDAP vs OpenLDAP
----------------------------------------------------------------------
Date: Thu, 23 Oct 2014 12:14:20 +0100
From: Martin Radford <[log in to unmask]>
Subject: AD LDAP vs OpenLDAP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
We currently have an Active Directory domain which we use for doing Windows-y things (and which a few services use for LDAP authentication); and an OpenLDAP-based service which was used initially to replace an X.500 server (many years ago) and is being used increasingly by Unix/Linux systems to retrieve UID/GID information.
The Unix/Linux teams are keen to make more use of LDAP lookups and use it for more systems, and are looking at specifying new hardware to augment the service.
Management are asking whether we need a separate OpenLDAP-based service, given that we have AD, and AD provides LDAP services itself.
I was wondering what other UK universities are doing on this point, and (if you were to start again) would you take the same approach?
My main concerns are:
(1) We've historically been reluctant to do anything to extend the AD schema beyond those extensions provided by Microsoft, due to the risk of it causing support issues further down the line; whereas the OpenLDAP service has various custom schema changes to accommodate the requirements of some of our other services.
(2) I worry that as AD provides most authentication services, if something happened to cause it to be hammered with LDAP requests from misbehaving services it would have a detrimental effect on our Windows systems that are "just" using the standard AD services.
Is there anything else I should consider?
Martin
- --
Martin Radford ([log in to unmask]) Systems and Operations Team IT Services University of Bristol
PGP keyID: 5D2D92E9
PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)
iD8DBQFUSOMMwg27ml0tkukRAoHlAKDmtNGuHt5PDKPhmT2MgsrfLnWAAwCdG1Fx
CAJA0MN4tuFEEvsQoR1OIjE=
=6UUs
-----END PGP SIGNATURE-----
------------------------------
End of WINDOWS-UK Digest - 21 Oct 2014 to 23 Oct 2014 (#2014-41)
****************************************************************
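Martin's concern (2) above, that a misbehaving service could hammer the directory with LDAP requests, is something you can watch for on the OpenLDAP side from the slapd "stats" log. The script below is an added example, not code from either poster or from the OpenLDAP project; it parses constructed slapd log lines, attributes each SRCH operation to the client IP recorded on the connection's ACCEPT line, counts searches per client per minute, and reports any client whose peak rate exceeds a threshold. The log lines, IPs, DNs and the threshold of 5 searches per minute are all made up for the example; a real deployment would read from syslog and tune the threshold to its own baseline.

```python
import re
from collections import defaultdict

# Constructed sample of slapd log lines (loglevel "stats"); not from the thread.
# conn=1001 is a well-behaved NSS client, conn=1002 is a chatty service.
SAMPLE_LOG = [
    'Oct 23 12:00:01 ldap1 slapd[2211]: conn=1001 fd=20 ACCEPT from IP=10.10.1.5:40001 (IP=0.0.0.0:389)',
    'Oct 23 12:00:01 ldap1 slapd[2211]: conn=1001 op=0 BIND dn="cn=nss,ou=svc,dc=example,dc=ac,dc=uk" method=128',
    'Oct 23 12:00:01 ldap1 slapd[2211]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=ac,dc=uk" scope=2 deref=0 filter="(uid=abc123)"',
    'Oct 23 12:00:02 ldap1 slapd[2211]: conn=1001 op=2 SRCH base="ou=group,dc=example,dc=ac,dc=uk" scope=2 deref=0 filter="(memberUid=abc123)"',
    'Oct 23 12:00:03 ldap1 slapd[2211]: conn=1002 fd=21 ACCEPT from IP=10.10.2.9:51000 (IP=0.0.0.0:389)',
    'Oct 23 12:00:03 ldap1 slapd[2211]: conn=1002 op=0 BIND dn="cn=webapp,ou=svc,dc=example,dc=ac,dc=uk" method=128',
]
# Six searches in one minute from the chatty service (constructed).
SAMPLE_LOG += [
    f'Oct 23 12:00:{3 + i:02d} ldap1 slapd[2211]: conn=1002 op={1 + i} SRCH '
    f'base="ou=people,dc=example,dc=ac,dc=uk" scope=2 deref=0 filter="(uid=svc{i})"'
    for i in range(6)
]
SAMPLE_LOG += [
    'Oct 23 12:00:09 ldap1 slapd[2211]: conn=1001 op=3 SRCH base="ou=people,dc=example,dc=ac,dc=uk" scope=2 deref=0 filter="(uidNumber=4021)"',
    'Oct 23 12:01:00 ldap1 slapd[2211]: conn=1002 op=7 SRCH base="ou=people,dc=example,dc=ac,dc=uk" scope=2 deref=0 filter="(uid=svc6)"',
    'Oct 23 12:01:05 ldap1 slapd[2211]: conn=1001 fd=20 closed',
]

# ACCEPT lines tie a connection number to a client address; SRCH lines carry
# only the connection number, so the two have to be joined.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
SRCH_RE = re.compile(r"conn=(\d+) op=\d+ SRCH ")
TS_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):\d\d ")


def search_counts_per_minute(lines):
    """Return {client_ip: {minute: search_count}} built from slapd stats lines."""
    conn_ip = {}
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue  # BIND, RESULT, closed, etc. are not counted
        # Connections accepted before the log window started have no ACCEPT
        # line in our input, so their searches are grouped under "unknown".
        ip = conn_ip.get(m.group(1), "unknown")
        ts = TS_RE.match(line)
        minute = f"{ts.group(1)} {ts.group(2)} {ts.group(3)}:{ts.group(4)}" if ts else "?"
        counts[ip][minute] += 1
    return counts


def noisy_clients(lines, threshold):
    """Return {client_ip: peak_searches_per_minute} for clients above threshold."""
    flagged = {}
    for ip, per_minute in search_counts_per_minute(lines).items():
        peak = max(per_minute.values())
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in noisy_clients(SAMPLE_LOG, threshold=5).items():
        print(f"{ip}: peak {peak} searches/minute")
```

Running it on the sample flags only 10.10.2.9 (peak of 6 in the 12:00 minute), while the NSS client at 10.10.1.5 stays under the limit with 3. Because the mapping is keyed on connection number, the same approach works for a pool of slapd nodes behind a load balancer as long as each node's log is processed separately, since connection numbers are only unique per slapd process.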