By Zach DeMeyer Posted April 13, 2019
Can you deploy OpenLDAP™ without the need for a domain? The short answer is yes. OpenLDAP, unlike Microsoft® Active Directory®, doesn’t work on the concept of a domain. Generally, OpenLDAP takes more of a “stateless” approach to authentication: each request is handled as its own transaction rather than as part of a persistent domain session.
Why OpenLDAP Needs No Domain
Domainless OpenLDAP makes sense because of how the software was created and what it is ideally used for. OpenLDAP is based on the Lightweight Directory Access Protocol (LDAP). LDAP is a client-server protocol that was created in the early 1990s by our advisor, Tim Howes, and his colleagues at the University of Michigan. Their work behind the LDAP protocol eventually spawned two directory services, Microsoft Active Directory (AD) and OpenLDAP.
Creating the Domain
While Active Directory was an LDAP-based directory, it also leveraged the Kerberos protocol for authentication. As a Microsoft creation, it was created primarily for Windows systems and applications. AD soon led the commercial on-prem directory services category, and would use the concept of the domain to its advantage.
The domain essentially created an early single sign-on (SSO) environment. A Windows user would log in to their workstation and, as long as it was directly connected to an AD domain controller, they could sign in to whatever on-prem Windows-based resources they had rights to using a single set of credentials. For traditional, on-prem Windows-based networks, the concept of the domain was incredibly powerful.
The Technical Directory
OpenLDAP is an open-source implementation of LDAP, and as such, would go on to find its niche within data centers and more technical infrastructure, such as Linux® servers and applications. OpenLDAP authentication didn’t rely on Kerberos, the protocol used by Microsoft’s Active Directory Domain Services (AD DS). The result was that IT admins could simply point their LDAP-based application to the OpenLDAP server, and authentication would start to flow for authorized users. This conceptual approach was quick and simple, although the implementation of OpenLDAP, as we all know, could be quite painful.
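The "point the application at the LDAP server and authentication flows" model above rests on the LDAP bind operation: the client sends a BindRequest carrying a DN and password, the server answers with a BindResponse whose resultCode says whether the credentials matched. The block below is an added example, not code from this post, from OpenLDAP or from JumpCloud. It hand-encodes an LDAPv3 simple bind exchange in BER (the wire encoding from RFC 4511) and plays both sides against a constructed in-memory stand-in for the server's user entries; the names DIRECTORY, handle_bind and authenticate are assumptions for illustration. The check at the end makes the practitioner's caveat concrete: a simple bind carries the password verbatim in the request bytes, so it must travel over TLS (LDAPS or StartTLS), never plain port 389 across an untrusted network.

```python
"""Minimal LDAPv3 simple-bind exchange, BER-encoded by hand (RFC 4511 layout)."""
import hmac
from typing import Dict, Tuple

# BER tags used by a bind exchange
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice: simple [0] OCTET STRING

RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2
RESULT_INVALID_CREDENTIALS = 49

# Constructed stand-in for the server's user entries (DN -> password). A real
# OpenLDAP stores a hash in userPassword, never the clear text; this is only
# so the example runs offline.
DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}


def _ber_length(n: int) -> bytes:
    """Short form for lengths < 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _ber_int(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; extra byte keeps the sign bit clear."""
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = (_ber_int(TAG_INTEGER, 3)
          + _tlv(TAG_OCTET_STRING, bind_dn.encode())
          + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_REQUEST, op))


def decode_bind_request(msg: bytes) -> Tuple[int, int, str, str]:
    """Return (messageID, version, bindDN, password) from a simple BindRequest."""
    tag, body, _ = _parse_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _parse_tlv(body)
    tag, op, _ = _parse_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = _parse_tlv(op)
    _, dn, pos = _parse_tlv(op, pos)
    tag, pw, _ = _parse_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is handled here")
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), pw.decode()


def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (_ber_int(TAG_ENUMERATED, result_code)
              + _tlv(TAG_OCTET_STRING, b"")
              + _tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_RESPONSE, result))


def decode_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage)."""
    _, body, _ = _parse_tlv(msg)
    _, mid, pos = _parse_tlv(body)
    tag, op, _ = _parse_tlv(body, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _parse_tlv(op)
    _, _matched, pos = _parse_tlv(op, pos)
    _, diag, _ = _parse_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def handle_bind(request: bytes) -> bytes:
    """Server side: check the DN/password against DIRECTORY, answer with a resultCode."""
    message_id, version, dn, password = decode_bind_request(request)
    if version != 3:
        return encode_bind_response(message_id, RESULT_PROTOCOL_ERROR, "unsupported version")
    stored = DIRECTORY.get(dn)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return encode_bind_response(message_id, RESULT_SUCCESS)
    # Same answer for unknown DN and wrong password, so the response does not reveal which
    return encode_bind_response(message_id, RESULT_INVALID_CREDENTIALS, "invalid credentials")


def authenticate(bind_dn: str, password: str, message_id: int = 1) -> Tuple[int, str]:
    """Client side: send the BindRequest, return (resultCode, diagnosticMessage)."""
    response = handle_bind(encode_bind_request(message_id, bind_dn, password))
    rid, code, diag = decode_bind_response(response)
    if rid != message_id:
        raise ValueError("response messageID does not match the request")
    return code, diag


def password_visible_on_wire(bind_dn: str, password: str) -> bool:
    """True: the simple bind carries the password verbatim, hence the need for TLS."""
    return password.encode() in encode_bind_request(1, bind_dn, password)


if __name__ == "__main__":
    print(authenticate("uid=alice,ou=people,dc=example,dc=com", "correct horse battery staple"))
    print(authenticate("uid=alice,ou=people,dc=example,dc=com", "wrong"))
    print(password_visible_on_wire("uid=alice,ou=people,dc=example,dc=com", "correct horse battery staple"))
```

Two design points carry over to a real deployment: the server returns the same invalidCredentials (49) result for an unknown DN and a wrong password, so the bind cannot be used to enumerate accounts, and the password comparison is constant-time. Monitoring bind results for resultCode 49 bursts per source address is the usual detection for password spraying against an OpenLDAP endpoint.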
Many organizations leveraged both platforms—Active Directory and OpenLDAP—greatly increasing their overhead and management requirements. Over time, as more IT infrastructure shifted to the cloud, IT organizations would add additional identity and access management platforms such as web application single sign-on, directory extensions, privileged identity management, 2FA, and much more. This complexity started to weigh on IT admins, and they started to look for a new approach to the entire identity and access management infrastructure.
“OpenLDAP” Without a Domain
With organizations leveraging cloud infrastructure, web applications, and remote workers, the concept of a domain was starting to erode in value. The result was that a next-generation approach to cloud directory services was created to address the need to provide users with the access that they required. It’s similar to AD, but without the need for a domain (i.e., a direct connection to a domain controller).
This next-generation cloud directory is called JumpCloud® Directory-as-a-Service®. Directory-as-a-Service is vendor-neutral, and leverages the LDAP, SAML, and RADIUS protocols to authenticate to virtually all IT resources, allowing admins to create a sort of cloud domain. Using JumpCloud’s LDAP-as-a-Service, admins can authenticate to all of the LDAP resources they would normally use OpenLDAP to connect to. Combine that with cross-platform system management capabilities, network authentication through RADIUS, and SAML authentication for web apps, and you’ve got yourself a True Single Sign-On™ experience in a centralized platform. In essence, Directory-as-a-Service has reimagined OpenLDAP and AD for the modern era.
You can learn more about Directory-as-a-Service by contacting us, or by signing up for JumpCloud. A JumpCloud account is completely free, and always includes ten free users for your organization. If you would like more info on Directory-as-a-Service, feel free to check out another blog post, or watch one of our videos.