April 18, 2013
Lightweight Directory Access Protocol (LDAP)
A directory service is a network service that identifies resources on a network and makes them accessible to users and applications.
Ideally this directory service should make the physical network topology and protocols transparent to the user so they are able to access any resource without knowing where or how it is physically connected.
Functions of a Directory Service
To be considered an enterprise directory service, a system must provide mechanisms for the following:
Authentication – a user ID and an authentication factor that must be presented before access is allowed.
Authorisation – access to resources based on access control lists, roles, or similar policies.
Auditing – tracking of events such as log on/log off and the success or failure of attempts to access resources.
Administration – should not only define delegation but also provide a complete set of administration tools to manage these objects.
AD is an LDAP-compliant service which allows administrators to perform tasks such as:
- Creating Objects/Data
- Deleting Objects/Data
- Searching Objects/Data
- Modifying Objects/Data
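The search and create operations listed above both take values that are often supplied by users or applications, so a practitioner wants them escaped before they are placed in a search filter (RFC 4515) or a distinguished name (RFC 4514). The following is an added example, not code from the original post; the partition DN `OU=Users,DC=app1,DC=local` and the sample names are constructed for illustration.

```python
"""Safely build LDAP search filters and DNs for the operations listed above.

Added example (not from the original post). The AD LDS partition DN and
the sample values below are constructed for illustration.
"""
import re

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise a value could open or close assertions or act as a wildcard.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4512 attribute description: a descriptor or a numeric OID, with
# optional ';option' suffixes. Anything else is rejected rather than escaped.
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*$"
)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_attribute(name: str) -> bool:
    """True if name is a syntactically valid attribute description."""
    return bool(_ATTR_RE.match(name))


def equality(attribute: str, value: str) -> str:
    """Return an equality assertion '(attr=value)' with the value escaped."""
    if not is_valid_attribute(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def conjunction(*filters: str) -> str:
    """AND together already-built filter components."""
    return "(&" + "".join(filters) + ")"


def user_lookup_filter(object_class: str, cn: str) -> str:
    """Filter used by a typical search: match one class and one common name."""
    return conjunction(equality("objectClass", object_class), equality("cn", cn))


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)          # special anywhere in the value
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")              # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#' would start hex form
        else:
            out.append(ch)
    return "".join(out)


def object_dn(rdn_attribute: str, rdn_value: str, parent_dn: str) -> str:
    """DN for a new object created under parent_dn (used by a create request)."""
    if not is_valid_attribute(rdn_attribute):
        raise ValueError(f"invalid attribute description: {rdn_attribute!r}")
    return f"{rdn_attribute}={escape_dn_value(rdn_value)},{parent_dn}"


if __name__ == "__main__":
    # Constructed sample values; the parentheses, '*' and ',' are escaped
    # so they are matched literally instead of changing the filter or DN.
    print(user_lookup_filter("user", "O'Brien (Sales)*"))
    print(object_dn("CN", "Smith, John", "OU=Users,DC=app1,DC=local"))
```

The filter builder escapes values but validates attribute names, since an attribute description has a fixed grammar and anything outside it is better rejected than patched; the same functions apply unchanged to searches and creates against a full AD domain.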
Active Directory Lightweight Directory Services
AD LDS is an application-specific mode of AD – like AD, it is robust and scalable, but it does not carry all the overheads of a full AD service.
AD LDS offers the following:
- Multiple instances can run on one machine. These can be completely separate from each other, or can be installed together in a configuration set.
- AD LDS does not use forests, domains, or global catalog servers thus removing the reliance on DNS Server records.
- Supports both DNS and X.500 naming contexts
- Smaller footprint than a full AD environment.
The benefits of AD LDS include:
- Designed to support storing application data without the overhead of full-fledged AD.
- Multi-master replication
- Can be installed on any version of Windows 2003 or higher, and will also run, with some limitations, on Windows XP/Vista or higher (useful for testing purposes for a developer).
Possible downsides of AD LDS:
- Does not contain the parts of AD required to support an enterprise environment, such as forests and domains, and the reliance on file replication services or domain name services.
- Does not support MAPI.
- Is not a Kerberos Key Distribution Center (KDC).