By Rajat Bhargava Posted October 6, 2014
After its physical network, the directory service is arguably the most critical IT application in any organization. In fact, many IT admins regard their identity and access management platform as critical infrastructure. This is because a directory service (1) securely connects employees to the IT resources they need access to, (2) ensures that only the right individuals have access to the right devices, applications, and networks, and (3) is the mechanism by which the organization can safely leverage new technology and innovations. So what does the existing directory services landscape look like?
In recent history, there have been three main directory solutions:
- Microsoft Active Directory – AD is the legacy, on-premises market share leader. Most organizations are centered around AD. AD works seamlessly with Windows devices, and it is able to authenticate Mac and Linux devices with some additional effort. However, on the policy side, AD only manages Windows machines (no Mac or Linux). Microsoft has built thousands of templates to control virtually any setting on Windows devices. These templates can be easily applied at any time, and specific scripted commands with a timing dependency can be executed just prior to login or just after it during the machine’s startup sequence. AD struggles to execute tasks on a schedule or ad hoc in the way that orchestration tools allow. Many organizations connect a variety of Windows-based applications to AD.
- LDAP – Lightweight Directory Access Protocol is an open standard leveraged by the popular open source directory solution, OpenLDAP. LDAP is also at the core of AD. LDAP seems to work best for technical organizations that have strong technical resources to install and manage it. Further, it works better with *NIX systems. Installing and managing OpenLDAP, and connecting clients (endpoints) to OpenLDAP, are both complex and difficult to do, even for experienced technical personnel. (See this guide to connect a Mac device to your LDAP server!) Additionally, LDAP’s very flexibility and power are perhaps its greatest weakness: it’s easy to build a directory structure that doesn’t work or is difficult to maintain. This is perhaps why LDAP is not more widely used than AD.
- GAD – Google Apps Directory is more of a contact manager than a directory service. Organizations – most likely smaller ones – will use GAD as a user repository. They are able to authenticate web apps against GAD, but it doesn’t function as an identity provider in the same way that AD and LDAP do. For organizations that don’t really care about controlling user access to their devices or to more internal or IT-related devices and applications, GAD can function as a simple user database. However, for organizations looking to control and manage their user devices, applications, IT infrastructure, and WiFi authentication, GAD cannot be part of that equation.
In all likelihood any company of any size is leveraging one or more of these solutions. Very small organizations – between 1 and 20 employees – likely have adopted Google Apps for company email and leverage it as a de facto directory. While they may not use any of the OAuth or SAML (single sign-on) capabilities to manage access to other applications, it does become a central user store. Over time, as organizations grow they begin to widen their use of the directory to manage access more tightly, control devices, and enforce security policies. These organizations may use AD or LDAP. And, as organizations scale, AD is very likely the directory solution in place.
Cloud Computing is Changing the Directory Services Landscape
Now, with the cloud era upon us, how will these directories hold up with multiple operating systems, cloud infrastructure, WiFi infrastructure, and SaaS-based services? If your organization is struggling with controlling and managing your employees’ access to the IT resources they need, drop us a line. Or, feel free to check out JumpCloud’s Directory-as-a-Service® platform, the first cloud-based directory service. You can also sign up for an account to see the platform for yourself.