Almost 3 years old, Active Directory is a product based on the priorities of a different time.
Microsoft Corp. developed AD mainly as a corporate directory, designed to manage users and groups within large (and Windows 2000-only) organizations.
Although Microsoft based AD partially on LDAP, it fell short of complete support for the directory standard—for example, requiring API development to perform external application integration that a pure LDAP server would handle by default. Other weaknesses in AD include limited schema support within directory structures.
In a new world of Web services and XML-based integration—where directories need to be accessible to and by a wide variety of systems, clients and applications—its not a good thing to be a semiproprietary, corporate- network-focused system.
It seems that even Microsoft agrees, as it has announced plans to release early next year a product called Active Directory in Application Mode—essentially an LDAP-only implementation of AD.
However, if your business needs a directory with a pure LDAP implementation before then, there are several powerful, popular and capable products that provide easily integrated LDAP directory capabilities.
One of the best, and best known, is Sun Microsystems Inc.s Sun ONE (Open Net Environment) Directory Server. This server is the descendant of Netscape Directory Server (which became iPlanet Directory Server), one of the first enterprise-class LDAP servers available commercially.
Sun ONE Directory Server provides complete support for LDAP, is traditionally up-to-date in its LDAP support and runs on most platforms. It has excellent management capabilities and is a solid platform for authenticating a wide variety of applications and services.
Sharing many of these same strengths is Novell Inc.s eDirectory. The Novell product benefits hugely from being a direct descendant of the companys NDS, leveraging Novells experience in directory structure and management to provide extremely powerful capabilities that integrate well in any business setting (even one without other Novell products).
Leveraging LDAP with an eye toward security and identity management is Computer Associates International Inc.s eTrust Directory. This directory is designed to work best in CAs eTrust security family as an engine for access control and authentication management, although its strong LDAP support makes it usable in any environment.
One drawback to all these products is their price. Realistically, any large corporate implementation of these directory servers will easily reach six figures.
Luckily, there is an open-source option—one that may lack some of the administrative niceties of commercial products but has all the extensive LDAP support and capabilities necessary for a corporate directory.
The OpenLDAP Foundation provides a complete suite of LDAP products that, like the original Netscape Directory Server, is based on the extensive LDAP work done at the University of Michigan. The OpenLDAP server requires a bit of manual configuration to get it up and running, but this is probably the best way to truly understand your directory structure, anyway.
The OpenLDAP software can be downloaded from www.openldap.org and is included in many Linux distributions.
East Coast Technical Director Jim Rapoza can be reached at [email protected]