AD Vs OpenLDAP™ Vs Directory-as-a-Service®

By Greg Keller Posted November 14, 2016

IT organizations today are facing some new challenges. With the move to cloud infrastructure (e.g. AWS, Azure, etc.), SaaS-based applications (Workday, Box, Salesforce, and others), shift to Office 365 and Google Apps, and mixed-platform environments (Mac, Linux, iOS, and Android), IT admins are wondering how to control user access across all of these disparate platforms.

While traditional identity management solutions have been struggling with these problems, new identity and access solutions approach the problem differently.

As organizations delve deeper into the IAM world, they are faced with three choices: AD, OpenLDAP, or Directory-as-a-Service.

How to Decide the Winner

AD, OpenLDAP, or Directory-as-a-Service

The choice for the right directory services platform often depends on the IT environment that currently exists as well as the future scope. Identity and access management solutions are not solutions that IT admins like to replace on a yearly basis, so giving some thought on which way to go for a period of time is crucial. For organizations comparing the top three directory services solutions – AD, OpenLDAP, or Directory-as-a-Service – there are a number of key factors to consider:

Platform Support

hi res logos

If your organization is a mixed-platform environment that includes Macs and Linux devices, it will make a critical difference on what path you choose. Microsoft Active Directory is built largely with Windows in mind. OpenLDAP has largely focused on Unix and Linux. Directory-as-a-Service was built for a heterogeneous environment. Consequently, Macs, Windows, and Linux devices are all treated equally with full user management control and GPO-like functions.

Protocol Support

icon-rest-api-4646ae3eb7bb51cd344dd2d025a2239f

With the variety of IT resources that organizations are leveraging now, IT admins have been forced to deal with a wide variety of authentication protocols. Tim Howes, our advisor, co-invented LDAP, which became a standard. Over the past two decades, a number of other protocols have emerged, including SAML, RADIUS, Kerberos, and OAuth. Even SSH and multi-factor authentication could be considered protocols, so to speak.

Active Directory has largely focused on Kerberos while OpenLDAP supports only LDAP. Directory-as-a-Service is a multi-protocol solution known for its ability to support a wide variety of protocols.

Cloud Support

unified-cloud

As organizations shift to the cloud, the location of the work force and IT resources matter. Traditional, legacy directory services, such as AD and OpenLDAP, have focused on the on-prem users and IT resources. Cloud infrastructure becomes difficult to integrate into the on-prem directories. Since Directory-as-a-Service is delivered from the cloud, it is location independent. IT resources and users can be located on-prem, in the cloud, or mobile throughout the world. This parameter becomes critical as organizations shift more to the cloud and users and IT resources become global in nature.

True Single Sign-On™

true single sign-on SSO

With the explosion of cloud resources and heterogeneous environments, one issue that organizations have faced is that there are more accounts and passwords than ever. All of those different user accounts create risk for IT. More passwords generally lead to weaker passwords because of the friction that users face. Centralizing all of a user’s accounts and providing a True Single Sign-On solution becomes more crucial as time goes on.

Better control over user accounts and security is possible. Unfortunately, over time AD and OpenLDAP have not been able to centralize user management, but rather have become one solution in an entire identity management suite of solutions. Directory-as-a-Service is aimed at becoming the lone True Single Sign-On solution for organizations.

Administrative Control

icon-user-management-83d64dab58eb075b359f6127d7e84ae5 (1)

While IT admins may be too busy, users aren’t interested in waiting around for help. They want to be able to manage their own accounts and solve their own problems. Strong administrative controls through password complexity management, multi-factor authentication, password resets, and user / admin portals are all helpful when it comes to reducing the burden on IT admins and end users. Directory-as-a-Service comes with built-in user controls that let IT admins off-load work to end users.

Recap

As the IT landscape quickly changes, a core capability that IT needs to solve for is identity and access control. The core solution for this area is directory services. The three choices that IT organizations have are Active Directory, OpenLDAP, and Directory-as-a-Service. At least five critical factors are part of choosing the best IAM solution for an organization. Those factors include platform support, protocol support, cloud support, True Single-Sign-On, and administrative control.

Is AD, OpenLDAP, Or Directory-as-a-Service The Best Fit?

If you would like to learn more about which of these three directory services – AD, OpenLDAP, or Directory-as-a-Service – is right for you, drop us a note. Since your first 10 users are free forever, try the unified cloud directory from JumpCloud®.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.

Recent Posts