When you have multiple operating systems and devices connected together, you need a centralized directory service to control authentication and authorization. Both Active Directory and LDAP play a role in allowing users to seamlessly access printers, servers, storage, applications, and other environments, resources, and devices. Active Directory (AD) is Microsoft’s database of policies, users, and devices authorized to access the network. Lightweight Directory Access Protocol (LDAP) is a network protocol used to talk to and query directory services such as Active Directory.
What Is a Directory Service?
Because administrators must control access to a network, directory services host a database of users, devices, and policies for every authorized resource. Directory services provide a central location for administrators to configure who and what can access their environments. When users leave a company, administrators can disable their accounts but keep account information in case of future audits.
Users aren’t the only entity requesting access to network resources. Directory services also contain policies for printers, servers, applications, and other network resources that must connect to the environment. In addition to access control, administrators can integrate two-factor authentication (2FA) and single sign-on (SSO) with directory services for better security.
When a user boots their workstation, the operating system loads and presents a logon window asking for their username and password. After the user enters their credentials, the operating system sends a request to the directory service, which confirms both the credentials and the device information to ensure that both have permission to access the network. After confirming the credentials, the directory service applies the appropriate authorization permissions and security policies to the user and their device.
What Is LDAP?
Active Directory is specific to Windows environments, but not every network uses the Windows operating system for its servers or workstations. LDAP is vendor neutral, which means that it can work in any environment, including Linux and Windows. Because LDAP is a protocol, it does not care about the higher-level applications used to define authorization policies. Once a user has authenticated, it maintains a session through which the client can query the directory for the network services available to that user. As a protocol, it can be used with various directory services, including Active Directory.
How Does LDAP Work?
At its core, LDAP is a protocol that dictates how a client can access and interact with a directory service. Directory services, on a fundamental level, are databases optimized to manage descriptive, attribute-based information about users, groups, and other network resources. LDAP provides a method to search for and retrieve information from these databases efficiently.
LDAP organizes data in a hierarchical manner, much like a tree. The hierarchy starts from the root directory (the base of the tree), branching out to various levels of organizational units (nodes), and ends with individual entries (leaves). Each entry in the directory is identified by a unique Distinguished Name (DN), and contains a set of attributes defined by a schema.
The directory service contains a list of users, servers, printers, licenses, workstations, and other network resources. Think of the directory service as a phone book of every resource, which users can browse to find the one they need. When a user requests a resource, the request goes to the directory service, and LDAP is the protocol through which authorization is confirmed. If the environment uses AD, LDAP can confirm authorization policies against the domain server.
Connections to network resources happen within a secure session. The session starts with a request from the user to the LDAP server on the LDAP port, which defaults to 389, although administrators can configure an alternative port number. Once the session is established, the user requests the resource from the database. LDAP performs a lookup of the resource, retrieves information about it (e.g., an IP address or application name), and provides access if the user is authorized.
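The data model and the lookup described in the two sections above, worked through as an added example (not code from the article): a small in-process LDAP search in Python over a constructed directory. Entries are keyed by Distinguished Name, so the DN itself shows the tree from the root (dc=...) through organizational units to the leaf; a search takes a base DN, a scope and an RFC 4515 filter, exactly the three things a real client sends. The sample names and the attribute values are made up, the filter grammar is a subset (&, |, ! and attr=value items with * wildcards), and escape_filter_value shows the one check a practitioner wants here: a name taken from user input is hex-escaped before it is spliced into a filter so that *, (, ) and \ in it are matched literally.

```python
import re

# Constructed sample directory (made-up names): DN -> {attribute: [values]}.
# Each DN spells out the entry's place in the tree: root (dc=...) -> OU -> leaf entry.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"], "dc": ["example"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["People"]},
    "ou=Printers,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["Printers"]},
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                                              "cn": ["Alice Liddell"], "mail": ["alice@example.com"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
                                            "cn": ["Bob Stone"]},
    "cn=lobby-printer,ou=Printers,dc=example,dc=com": {"objectClass": ["printer"],
                                                       "cn": ["lobby-printer"], "ipHostNumber": ["10.0.0.20"]},
}

# RFC 4515: these characters must be hex-escaped when they appear literally in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_dn(dn):
    """Split a DN into its RDNs (leaf first), leaving backslash-escaped commas intact."""
    return [part for part in re.split(r"(?<!\\),", dn) if part]

def in_scope(dn, base, scope):
    """True if `dn` lies within `base` for LDAP search scope 'base', 'one' or 'sub'."""
    dn_parts, base_parts = split_dn(dn.lower()), split_dn(base.lower())
    if len(base_parts) > len(dn_parts) or dn_parts[len(dn_parts) - len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)  # 0 means the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def escape_filter_value(value):
    """Escape a value (e.g. taken from user input) so a filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def _value_pattern(raw):
    """Compile a filter value into a regex: unescaped '*' is a wildcard; '\\xx' is a literal char."""
    def unescape(chunk):
        return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), chunk)
    return re.compile(".*".join(re.escape(unescape(c)) for c in raw.split("*")), re.IGNORECASE)

def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, ! and attr=value items) into a tuple AST."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)  # a literal ')' inside a value arrives escaped as \29
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr.strip().lower(), _value_pattern(value)), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "&":
        return all(matches(child, attrs) for child in node[1])
    if op == "|":
        return any(matches(child, attrs) for child in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = next((v for k, v in attrs.items() if k.lower() == attr), [])
    return any(pattern.fullmatch(v) for v in values)

def search(base, scope, filter_text, directory=DIRECTORY):
    """Return the sorted DNs under `base` (per `scope`) whose attributes satisfy the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items() if in_scope(dn, base, scope) and matches(tree, attrs))


if __name__ == "__main__":
    base = "dc=example,dc=com"
    print(search(base, "sub", "(cn=lobby-printer)"))  # the printer lookup the article describes
    print(search("ou=People," + base, "one", "(objectClass=inetOrgPerson)"))
    # Escaping a caller-supplied value keeps '*' literal; without it the same text is a wildcard.
    print(search(base, "sub", f"(uid={escape_filter_value('*')})"), search(base, "sub", "(uid=*)"))
```

The base DN, scope and filter in `search` are the same three parameters a real LDAP client puts in its search request; only the transport is left out. Whether that transport is plain LDAP on port 389, StartTLS on 389, or LDAPS on 636 is a separate decision from the query syntax shown here.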
What Is Active Directory?
Domains and domain controllers are the foundation of a Windows environment, and Active Directory is an optional installation for Windows servers. Domain servers are central to controlling network activity, while Active Directory is the database of resources used to verify requests for domain resources. When administrators configure Active Directory with LDAP, the LDAP servers communicate with AD to validate user authentication and authorization. In an environment that uses LDAP with Active Directory, Active Directory holds the list of resources and the authorization policies.
Active Directory uses the Kerberos protocol by default for authentication, but administrators can use LDAP instead. Because Active Directory holds the list of authorized users and devices, it is integrated with the Windows domain so that only administrators can change AD configurations. Administrators install Active Directory after installing the Windows Server operating system, so it is an optional component of Windows. If you use a Windows workgroup, no domain is configured and AD is not used. AD is considered an enterprise feature, but you could use it in a small environment when you need better security than a workgroup can offer.
How Does Active Directory Work?
Active Directory can be considered a phone book of resources available to users, user accounts allowed on the network, authorized devices on the network, permissions for users and applications, and access policies for all network resources across the environment. The top level for AD is the domain, which is the Windows terminology for the entire network environment.
Every workstation on the network must join the domain. Administrators authorize workstations in AD, so a device that has not first been configured there may fail to join the domain. Once joined to the domain, users can authenticate to the network or choose to authenticate only locally on their machine. Workstations can instead be configured as part of a workgroup, but that option is only for home or small offices. Enterprise environments use Windows domains with AD to better control access to corporate resources.
Windows groups AD objects (e.g., a user or a device) into trees. A tree is a group of domains that share resources. One domain can trust another, but the trusted domain might not trust another domain in the tree. The tree is presented as a hierarchy of objects so that administrators can view resources and identify trusts between multiple domains. Trees are grouped into forests, where administrators can review all domains and their shared resources.
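The trust relationships described above, worked through as an added example (not code from the article): a small directed-graph model in Python. An edge from a trusting domain to a trusted domain means accounts from the trusted domain can be authorized to resources in the trusting one. Parent-child trusts within a tree are modelled as two-way and transitive, and a trust added with add_trust defaults to one-way; a non-transitive trust binds only the two domains named in it, which is why a domain that trusts a partner domain does not thereby make its child domains trust that partner. The domain names are constructed, and the rules are a deliberate simplification of AD's trust types, kept to what the paragraph states: direction matters, and a trust held by one domain does not automatically extend to the others in the tree.

```python
from collections import deque


class TrustGraph:
    """Directed trust relationships between domains (simplified illustrative model).

    trusts[trusting][trusted] == is_transitive.  An edge means accounts from
    `trusted` may be authorized to resources in `trusting`.  A transitive edge
    can be chained through; a non-transitive edge binds only its two domains.
    """

    def __init__(self):
        self.trusts = {}  # trusting domain -> {trusted domain: is_transitive}

    def add_trust(self, trusting, trusted, transitive, two_way=False):
        """Record a one-way trust (or a two-way one when two_way=True)."""
        self.trusts.setdefault(trusting, {})[trusted] = transitive
        self.trusts.setdefault(trusted, {})
        if two_way:
            self.trusts[trusted][trusting] = transitive

    def add_parent_child(self, parent, child):
        """Parent-child trusts inside a tree are two-way and transitive."""
        self.add_trust(parent, child, transitive=True, two_way=True)

    def trust_path(self, resource_domain, account_domain):
        """Return the chain of domains through which `resource_domain` comes to
        trust `account_domain`, or None when no usable trust exists."""
        if resource_domain == account_domain:
            return [resource_domain]
        queue = deque([(resource_domain, [resource_domain])])
        seen = {resource_domain}
        while queue:
            domain, path = queue.popleft()
            for trusted, transitive in self.trusts.get(domain, {}).items():
                if trusted in seen:
                    continue
                # A non-transitive trust is usable only as a direct hop from the resource domain.
                if not transitive and domain != resource_domain:
                    continue
                if trusted == account_domain:
                    return path + [trusted]
                if transitive:  # only transitive trusts can be chained onward
                    seen.add(trusted)
                    queue.append((trusted, path + [trusted]))
        return None

    def can_access(self, resource_domain, account_domain):
        """True if an account from `account_domain` can be authorized in `resource_domain`."""
        return self.trust_path(resource_domain, account_domain) is not None


def build_example_forest():
    """Constructed example: one tree of three domains plus an external one-way trust."""
    g = TrustGraph()
    g.add_parent_child("corp.example", "eu.corp.example")
    g.add_parent_child("corp.example", "us.corp.example")
    # corp.example trusts accounts from vendor.example: one-way and non-transitive,
    # so eu.corp.example and us.corp.example do not trust vendor.example.
    g.add_trust("corp.example", "vendor.example", transitive=False)
    return g


if __name__ == "__main__":
    g = build_example_forest()
    for resource, account in [("us.corp.example", "eu.corp.example"),
                              ("corp.example", "vendor.example"),
                              ("vendor.example", "corp.example"),
                              ("eu.corp.example", "vendor.example")]:
        print(f"{account} account -> {resource} resource: {g.trust_path(resource, account)}")
```

Reading the four printed cases: the two child domains reach each other through their common parent, the external partner's accounts are accepted only in the domain that explicitly trusts them, the reverse direction yields no path, and the child domain never trusts the partner because the external trust cannot be chained through the parent.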
Active Directory lists resources in organizational units (OUs). Every domain in the environment has its own OU, and OUs contain the network objects (e.g., users, servers, etc.) configured on the network. Active Directory looks much more complex than LDAP, but it is a directory of the network resources configured in a Windows environment.
When a user makes a request to authenticate to a domain, the default protocol is Kerberos. Kerberos is used to make the request to Active Directory, where authentication either passes or fails. All communication between user requests and the AD server is encrypted and secure. Kerberos issues a ticket for each request to indicate whether a user has access to a resource.
LDAP vs. Active Directory
The main difference between LDAP and AD is that AD is a directory service and LDAP is a protocol for accessing and authenticating against directory services. AD is proprietary to Windows, while LDAP is vendor neutral. When choosing a solution, you can install AD and work with LDAP to make connecting non-Windows resources easier. The advantage of using both in your environment is that they work well together when you need to find and configure a solution quickly. For example, if you need to connect Linux workstations, LDAP lets Linux machines authenticate to a Windows environment.
Most administrators working with Windows domains prefer to use AD for authorization control and LDAP to interface between users and resources. They create custom scripts and internal applications that work directly with LDAP and AD to make customer service and tech support easier for their administrators and users. For example, administrators could create a custom application to help unlock a user’s account when they forget their password.
LDAP was originally created for Linux, so Windows administrators might find it challenging to configure. Most Windows administrators find integrating AD identity management with cloud infrastructure convenient, but LDAP might be more challenging when your organization runs critical applications in the cloud that only authenticated internal users may access.
Conclusion
If you need better identity management and directory services, you might consider Active Directory or LDAP, or even use them together. Enterprise networks need an identity manager and centralized control service to set policies, authorize devices, and audit network resources. AD and LDAP have these services, and they have a long history of secure, convenient setup.
To make virtual environments more convenient for administrators and users, you can work with Pure Storage and our partner Citrix. Our VDI infrastructure can host directory services while still maintaining a secure environment for your users, including remote users.