OpenLDAP™ without the Need for a Domain

Can you deploy OpenLDAP™ without the need for a domain? The short answer is yes. OpenLDAP, unlike Microsoft® Active Directory®, doesn’t work on the concept of a domain. Generally, OpenLDAP takes more of a “stateless” approach to authentication and is usually much more transactional.

Why OpenLDAP Needs No Domain

Domainless OpenLDAP makes sense because of how the software was created and what it is ideally used for. OpenLDAP is based on the Lightweight Directory Access Protocol (LDAP). LDAP is a client-server protocol that was created in the early 1990s by our advisor, Tim Howes, and his colleagues at the University of Michigan. Their work behind the LDAP protocol eventually spawned two directory services, Microsoft Active Directory (AD) and OpenLDAP.

Creating the Domain

While Active Directory was an LDAP-based directory, it also leveraged the Kerberos protocol for authentication. As a Microsoft product, it was built primarily for Windows systems and applications. AD soon led the commercial on-prem directory services category, and would use the concept of the domain to its advantage.

The domain essentially created an early single sign-on (SSO) environment. A Windows user would log in to their workstation and, as long as that workstation was directly connected to the domain controller (AD), they could sign in to whatever on-prem Windows-based resources they had rights to using a single set of credentials. For traditional, on-prem Windows-based networks, the concept of the domain was incredibly powerful.

The Technical Directory

OpenLDAP is an open-source implementation of LDAP, and as such, would go on to find its niche within data centers and more technical infrastructure, such as Linux® servers and applications. OpenLDAP authentication obviously didn’t utilize Kerberos, the protocol used by Microsoft’s Active Directory Domain Services (AD DS). The result was that IT admins could simply point their LDAP-based application to the OpenLDAP server, and authentication would start to flow for authorized users. This conceptual approach was quick and simple, although the implementation of OpenLDAP, as we all know, could be quite painful.

Many organizations leveraged both platforms—Active Directory and OpenLDAP—greatly increasing their overhead and management requirements. Over time, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/openldap-no-domain/

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.