The Problems With LDAP And AD User Management

By Rajat Bhargava Posted February 17, 2015


Previously, we discussed the key benefits of directory services for virtually any organization. Unfortunately, as most IT admins know, operating directory services is no easy feat.

The primary challenge of having no directory or manual management is clear: it isn’t possible to track and manage all of the connections between users and their IT resources.

Older directory services made that process significantly easier, but they also introduced another set of issues. Directories have historically been complex pieces of software. The two main on-premises solutions today are Microsoft Active Directory® and OpenLDAP™, which simply don’t work with modern business infrastructure.

Some of the Main Problems of AD and OpenLDAP that IT Admins are Running Into:

Setup and Configuration

Installing and configuring a directory is no trivial task. Directories need to connect to a number of different systems. In the case of Windows, it’s working in concert with your Domain Controller and often with Exchange. Ensuring that users are grouped properly and have the right access controls is also a time-consuming task. This is even more difficult to do with LDAP because it’s an open source system with complex configuration and setup. The configuration of the “clients,” or the desktops, laptops, servers, and applications to authenticate against these systems is also challenging. Connecting a Mac device to LDAP is a 30-step process!


Networking

Another critical challenge of a directory is ensuring that every device can authenticate with your directory service while the directory remains secure. This becomes particularly difficult with cloud infrastructure, remote offices, and remote employees. In an environment where cloud infrastructure is a staple, how do IT admins safely connect all of these pieces together? Today, admins are doing it the hard way by creating VPN tunnels, or point-to-point connections. There should be a secure method for every user in an organization to connect to the directory and subsequently be authenticated and authorized on devices and applications, regardless of where they are physically, without adding yet another piece of infrastructure.

Heterogeneous environments

Organizations aren’t homogeneous anymore. They have Macs and Linux devices in addition to their Windows machines. Ask an IT admin how they can authenticate, authorize, and manage devices across all three of those platforms and you’ll definitely see them shaking their head. Macs have largely gone unmanaged despite their growing popularity. While they can authenticate against AD, admins have very little control over them. Linux devices are generally the same. LDAP does provide capabilities to authenticate and authorize a wide variety of device and application types, but it has no capabilities for managing devices. A single cross-platform solution, run from one interface, would be hugely beneficial to IT organizations.


Security

Credentials are the single most sought-after digital asset on the Internet. The right credentials are the keys to the kingdom. Today’s directories don’t protect credentials. They are a repository for them, but directories don’t detect when credentials have been compromised. They don’t detect when credentials are used from a different location, and they don’t detect when an account tries to access resources that it doesn’t normally access. These are critical steps for organizations to take to protect their digital assets. To do so, admins need to find additional pieces of software and build processes to monitor for potential compromises.
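The two checks named above (a login from a location not seen before, and access to a resource the account does not normally use) can be sketched as a per-user baseline comparison. This is an added example, not code from the original post or from JumpCloud; the event tuples, user names, locations and resource names are constructed, and a real deployment would feed in parsed directory or authentication logs instead.

```python
from collections import defaultdict

# Constructed sample events: (user, source location, resource). Not real logs.
HISTORY = [
    ("alice", "Denver", "mail"),
    ("alice", "Denver", "wiki"),
    ("alice", "Boulder", "mail"),
    ("bob", "Austin", "git"),
    ("bob", "Austin", "build-server"),
]
NEW_EVENTS = [
    ("alice", "Denver", "mail"),      # matches the baseline, not flagged
    ("alice", "Lisbon", "mail"),      # known resource, unseen location
    ("bob", "Austin", "payroll-db"),  # known location, unseen resource
    ("carol", "Austin", "git"),       # account with no history at all
]


def build_baseline(events):
    """Map each user to the locations and resources seen in past logins."""
    baseline = defaultdict(lambda: {"locations": set(), "resources": set()})
    for user, location, resource in events:
        baseline[user]["locations"].add(location)
        baseline[user]["resources"].add(resource)
    return baseline


def review(events, baseline):
    """Return (event, reasons) for each event that deviates from the baseline.

    Flagged events are not added to the baseline, so repeated use of the
    same unfamiliar location or resource keeps being reported until an
    analyst decides it is legitimate.
    """
    findings = []
    for event in events:
        user, location, resource = event
        if user not in baseline:
            findings.append((event, ["no-baseline"]))
            continue
        seen = baseline[user]
        reasons = []
        if location not in seen["locations"]:
            reasons.append("new-location")
        if resource not in seen["resources"]:
            reasons.append("new-resource")
        if reasons:
            findings.append((event, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in review(NEW_EVENTS, build_baseline(HISTORY)):
        print(event, "->", ", ".join(reasons))
```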

Ongoing management

Today’s directories were designed and built in a very different time. It was a time when IT reigned supreme and users were not trusted with the ability to manage their own data. As a result, they present a major headache for IT administrators when it comes to day-to-day updates to user data. Forgotten passwords, name changes, new mobile phone numbers, office location changes, and much more are all managed solely by the IT group. Much of this data is not business-critical, and employees can be trusted to manage some or all of it. Your employees manage tens to hundreds of their own accounts all over the Internet, and they can often be trusted to manage much of their account data in your business.

A directory service saves IT admins significant amounts of time, but there are still challenges with directories such as Microsoft AD and OpenLDAP.

Learn More About Solutions to LDAP and AD User Management

A new generation of cloud directory services solutions called Directory-as-a-Service® is emerging to address these critical challenges with directory services. To learn more about how the unified cloud directory solution from JumpCloud® can help save you tremendous time and increase your organization’s effectiveness, drop us a note.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
