Can you deploy OpenLDAP™ without the need for a domain? The short answer is yes. OpenLDAP, unlike Microsoft® Active Directory®, has no concept of a domain: there is no domain join and no logon session. Authentication is a per-connection LDAP bind. The client presents a distinguished name (DN) and a credential, the server answers success or failure, and nothing persists afterwards. In that sense OpenLDAP authentication is “stateless” and transactional rather than session-based.
Why OpenLDAP Needs No Domain
Domainless OpenLDAP makes sense because of how the software was created and what it is ideally used for. OpenLDAP is an implementation of the Lightweight Directory Access Protocol (LDAP), a client-server protocol created in the early 1990s by our advisor, Tim Howes, and his colleagues at the University of Michigan. Their work shaped two directory services: OpenLDAP descends directly from the University of Michigan reference server, and Microsoft Active Directory (AD) adopted LDAP as its primary access protocol.
Creating the Domain
While Active Directory is an LDAP-accessible directory, it relies on the Kerberos protocol for authentication (with NTLM as a fallback). Built by Microsoft primarily for Windows systems and applications, AD soon led the commercial on-prem directory services category, and the concept of the domain was central to that success.
The domain created an early single sign-on (SSO) environment. A Windows user logs in to a domain-joined workstation and, as long as a domain controller is reachable, receives a Kerberos ticket-granting ticket; from then on they can sign in to whatever on-prem Windows-based resources they have rights to without re-entering their credentials. For traditional, on-prem Windows-based networks, the concept of the domain was incredibly powerful. The flip side is that the machine must be joined to the domain and able to reach a domain controller for any of this to work.
The Technical Directory
OpenLDAP is an open-source implementation of LDAP, and as such found its niche within data centers and more technical infrastructure, such as Linux® servers and applications. In the common deployment, OpenLDAP authentication does not involve Kerberos, the protocol at the heart of Active Directory Domain Services (AD DS). It is a simple bind: the application sends a DN and password, and the server verifies them. (OpenLDAP can authenticate with Kerberos through SASL/GSSAPI, but that is an option, not the model.) The result is that IT admins can simply point an LDAP-aware application at the OpenLDAP server and authentication starts to flow for authorized users. Two caveats a practitioner should not skip: a simple bind sends the password in the clear unless the connection uses LDAPS or StartTLS, so slapd should be configured to require it (for example, olcSecurity: ssf=128), and the application must actually bind as the user rather than merely look up the entry, because a search proves nothing about the password. This conceptual approach is quick and simple, although the implementation of OpenLDAP, as we all know, can be quite painful.
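The following is an added example, not code from the original post or from the OpenLDAP project, showing the “point the application at the LDAP server” flow in its usual search-then-bind form. It assumes user entries live under ou=People,dc=example,dc=com as inetOrgPerson objects keyed by uid (all assumptions); the network layer is hidden behind a two-method Connection interface so the logic runs offline against a constructed in-memory stand-in for slapd. In production that interface would wrap ldap3 or python-ldap over LDAPS or StartTLS. Beyond the page’s description, it handles two edge cases that bite real deployments: unescaped user input in the search filter, and the empty-password bind that RFC 4513 treats as unauthenticated.

```python
"""Search-then-bind authentication against an LDAP directory.

Added example; not from the original post or the OpenLDAP project.
Assumptions: users live under ou=People,dc=example,dc=com as inetOrgPerson
entries with uid as the login name. The Connection interface stands in for
a real client library (ldap3/python-ldap over LDAPS or StartTLS).
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Protocol

BASE_DN = "ou=People,dc=example,dc=com"  # assumed subtree holding user entries


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515, section 3).

    Without this, a login name of  *  becomes a wildcard matching every user,
    and  alice)(uid=*  rewrites the filter structure itself.
    """
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


class Connection(Protocol):
    """The two LDAP operations the flow needs."""

    def search(self, base: str, filt: str) -> List[str]: ...  # matching DNs

    def simple_bind(self, dn: str, password: str) -> bool: ...


@dataclass
class AuthResult:
    ok: bool
    dn: Optional[str] = None
    reason: str = ""


def authenticate(conn: Connection, username: str, password: str) -> AuthResult:
    """Find the entry by uid, then prove the password by binding as that DN.

    Each call is one self-contained exchange: the server issues no ticket and
    keeps no logon state, which is the transactional model the post describes.
    """
    # RFC 4513 section 5.1.2: a DN with an EMPTY password is an unauthenticated
    # bind, which servers may accept as anonymous. An app that forwards it and
    # reads "bind succeeded" as "user authenticated" has an auth bypass.
    if not password:
        return AuthResult(False, reason="empty password")
    filt = f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"
    matches = conn.search(BASE_DN, filt)
    if len(matches) != 1:  # zero or ambiguous: never bind as "the first hit"
        return AuthResult(False, reason=f"{len(matches)} entries matched")
    dn = matches[0]
    if not conn.simple_bind(dn, password):
        return AuthResult(False, dn, "invalid credentials")
    return AuthResult(True, dn)


# ---- constructed in-memory stand-in for slapd, only so the flow runs offline ----
_UID_FILTER = re.compile(r"^\(&\(objectClass=inetOrgPerson\)\(uid=(.*)\)\)$")
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


@dataclass
class InMemoryDirectory:
    entries: Dict[str, Dict[str, str]]  # dn -> {"uid": ..., "userPassword": ...}

    def search(self, base: str, filt: str) -> List[str]:
        m = _UID_FILTER.match(filt)
        if not m:
            raise ValueError("fake server only understands the filter shape used above")
        # Like a real server: a \XX escape means the literal character (wrapped in
        # [] so fnmatch treats it literally), while a bare '*' stays a wildcard.
        pattern = _HEX_ESCAPE.sub(lambda e: "[" + chr(int(e.group(1), 16)) + "]", m.group(1))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and fnmatch.fnmatchcase(attrs["uid"], pattern)]

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password


def demo_directory() -> InMemoryDirectory:
    """Two constructed user entries; the passwords are sample data."""
    return InMemoryDirectory({
        f"uid=alice,{BASE_DN}": {"uid": "alice", "userPassword": "s3cret"},
        f"uid=bob,{BASE_DN}": {"uid": "bob", "userPassword": "hunter2"},
    })


if __name__ == "__main__":
    d = demo_directory()
    print(authenticate(d, "alice", "s3cret"))  # ok=True
    print(authenticate(d, "alice", ""))        # rejected before any bind is attempted
    print(authenticate(d, "*", "s3cret"))      # escaped: 0 entries matched
    print(d.search(BASE_DN, "(&(objectClass=inetOrgPerson)(uid=*))"))  # unescaped: both DNs
```

The fake directory understands only the exact filter shape the code emits; its job is to show the contrast between the escaped value (a literal `*` that matches nobody) and the raw wildcard that matches every entry. Swapping InMemoryDirectory for a real client changes nothing in authenticate(), which is the point: the security decisions (escape, refuse empty passwords, require exactly one match, bind as the user) live in the application, not in the directory.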
Many organizations leveraged both platforms—Active Directory and OpenLDAP—greatly increasing their overhead and management requirements. Over time, (Read more...)