Active Directory vs OpenLDAP
What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?
Here are some differences I know off the top of my head. OpenLDAP could be called a generic LDAP server similar to many other vendors' LDAP servers (Fedora DS 389, Oracle Internet Directory, IBM Tivoli Directory Server). Active Directory is a bit more customized for a Microsoft product suite (i.e., running a Microsoft domain). There are pros and cons of each.
OpenLDAP is empty after installation and has no structure (called a DIT). It doesn't even have a root entry out of the box. AD is going to ship with a basic structure and has the GUI tools ready for you to start populating users. OpenLDAP and others expect you to create the DIT by hand so you'll have to design a structure. So you'll have to plan out where you're going to put your users, groups, roles and think about ACLs or branch delegation if your project involves things like that. For example you might have a domain for widgets.com. In AD the shipped structure will look something like this:
In OpenLDAP (or other vanilla implementations), you can design your DIT in many ways. You can follow the domain component (dc=foo,dc=bar) convention or you can use something organized by geographic region (o=foo,c=bar). It doesn't matter a whole lot but you should go with one or the other. AD uses the DC convention and doesn't give you a choice, but other LDAP servers can follow either convention. If you're trying to fit into a big MS domain, I'd stick with the DC convention for consistency and ease of integration. But for this example we'll pretend our company organization (o) is in one country (c) with no regions or units (ou):
Then you can extend your schema if need be. If you want to extend your AD schema, AD will require you to add schema elements via the Active Directory Schema Editor MMC console plugin (make a custom MMC). After that, it's pretty straightforward. Define your attributes first and then your objectclasses. OpenLDAP requires you to write an LDIF (also requires attributes first and then objectclasses). Or use Apache Directory Studio with OpenLDAP, which is an awesome GUI and admin tool and gives OpenLDAP near-AD ease of use.
AD doesn't let you query everything on 389 anonymously. If you want to get schema information (called the catalog) you have to query on 3289 and authenticate. This reminds me of LDAP's DIB vs DIT hiding but I don't know if AD is trying to do the same thing here.
AD has a default query limit of 1,000 (default MaxPageSize). If you want to suck down everything in one shot you have to use paging controls on your client or in your code, or modify the default query limit on the domain controller you are searching. Note that paging controls can be problematic. I'd gotten them to work in Java using the Netscape libraries, but some LDAP clients don't seem to work correctly even though they claim they support paging controls (YMMV).
AD's authentication is a little strange. You can authenticate as an email-formatted username (-D username@domain) or you can use the full user DN. If there's a way to do this in OpenLDAP, I don't know how to do it, but I wouldn't bother. This is odd compared to other LDAP servers. Plain LDAP usually follows the DN format (cn=username,cn=Users,o=widgets,c=us).
I guess in short, AD is opinionated and OpenLDAP is generic. And because of that, AD is easy to stand up but OpenLDAP can be more flexible.
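The 1,000-entry limit and the paging loop the answer above describes are easy to get wrong on the client side, so here is an added example (not code from the original post) that simulates the RFC 2696 simple paged results exchange in plain Python. The "server", the 2,500-entry directory under the answer's cn=Users,o=widgets,c=us branch, the MaxPageSize value and the cookie encoding are all constructed for the example; a real server's cookie is opaque and must be passed back unchanged.

```python
"""Simulated RFC 2696 simple paged results loop against a directory that
enforces a server-side result limit (AD's MaxPageSize, default 1,000).
Added example, not code from the original post: the directory, the
"server" and the cookie format are constructed here."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: 2,500 user entries under the DIT from the answer.
BASE_DN = "cn=Users,o=widgets,c=us"
DIRECTORY: List[str] = [f"cn=user{i:04d},{BASE_DN}" for i in range(2500)]

MAX_PAGE_SIZE = 1000  # stands in for the domain controller's MaxPageSize policy


@dataclass
class SearchResult:
    entries: List[str]
    cookie: bytes               # empty cookie means "no more pages" (RFC 2696)
    size_limit_exceeded: bool   # the sizeLimitExceeded result code, as a flag


def server_search(page_size: Optional[int], cookie: bytes = b"") -> SearchResult:
    """Simulated server side. Without a paged-results control the server
    returns at most MAX_PAGE_SIZE entries and reports sizeLimitExceeded.
    With the control it returns one page plus a cookie for the next page.
    The cookie is just the encoded offset here; real cookies are opaque."""
    offset = int.from_bytes(cookie, "big") if cookie else 0
    if page_size is None:
        entries = DIRECTORY[:MAX_PAGE_SIZE]
        return SearchResult(entries, b"", len(DIRECTORY) > MAX_PAGE_SIZE)
    # A requested page larger than the policy limit is clamped, not rejected.
    effective = min(page_size, MAX_PAGE_SIZE)
    page = DIRECTORY[offset:offset + effective]
    next_offset = offset + len(page)
    more = next_offset < len(DIRECTORY)
    return SearchResult(page, next_offset.to_bytes(4, "big") if more else b"", False)


def unpaged_search() -> Tuple[List[str], bool]:
    """What a naive client sees: a truncated result set and an error flag
    that is easy to overlook, so a 'complete' user inventory silently stops
    at 1,000 entries."""
    r = server_search(None)
    return r.entries, r.size_limit_exceeded


def paged_search_all(page_size: int, max_round_trips: int = 100) -> Tuple[List[str], int]:
    """Client-side paging loop: resend the same search with the cookie from
    the previous response until the server returns an empty cookie. The
    round-trip cap guards against a client or server bug that never
    terminates (the 'problematic' paging implementations the answer warns about)."""
    collected: List[str] = []
    cookie = b""
    round_trips = 0
    while True:
        r = server_search(page_size, cookie)
        round_trips += 1
        collected.extend(r.entries)
        if not r.cookie:
            return collected, round_trips
        if round_trips >= max_round_trips:
            raise RuntimeError("paged search did not terminate; aborting")
        cookie = r.cookie


if __name__ == "__main__":
    entries, truncated = unpaged_search()
    print(f"unpaged: {len(entries)} entries, sizeLimitExceeded={truncated}")
    entries, trips = paged_search_all(page_size=5000)
    print(f"paged:   {len(entries)} entries in {trips} round trips")
```

Asking for a 5,000-entry page still takes three round trips because the server clamps the page to MaxPageSize; the loop must rely on the empty cookie, not on a short page, to decide it is finished. With the OpenLDAP command-line client the same control is requested with `ldapsearch -E pr=1000/noprompt`, and the DN-versus-UPN bind choice from the answer is independent of paging.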
For heterogeneous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users - these can be kept in sync with a separate LDAP server, though this adds complexity.
As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary. (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface.):
http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG
These are some of the main ones but there are others.