9
votes

I have tried to search without success. (I do know the difference between LDAP and Active Directory. I also read this: What are the differences between LDAP and Active Directory?)

According to my understanding, LDAP authenticates (binds) with a DN (distinguished name) and password, e.g. CN=bob,OU=Users,DC=test,DC=com

Active Directory authenticates with a short user name or a full domain user name and password, e.g. bob or bob@test.com

Therefore, LDAP does not allow two users with the same CN in the same tree (OU), but it allows the same CN in a different OU. Active Directory does not allow the same user name in the same domain, even if the user objects are located in different trees of Active Directory. Active Directory allows the same user name in different domains.

Other differences?


3 Answers

28
votes

I'm not sure you really know the difference between LDAP and Active Directory. Active Directory is built on top of LDAP, just like HTTP is built on top of TCP. You can't make any meaningful comparisons.

Saying LDAP authenticates is like saying HTTPS charges your credit card when you're buying something online. The LDAP protocol carries the information to the directory server, which does the authentication, just like HTTPS carries your information to the processing server that does the processing.

Active Directory allows you to have multiple objects in a domain with the same CN, as long as they don't have the same parent. What it restricts is multiple objects with the same sAMAccountName attribute in the same domain.

Maybe you are interested in the features that Active Directory has that other Directory Services don't? Or how Active Directory uses LDAP to perform higher level authentication requests like username bob?

6
votes

Active Directory is a product and a directory service. LDAP is an application layer protocol and an IETF standard. Active Directory supports and implements LDAP, therefore allowing RFC-compliant LDAP clients to talk to it and perform LDAP operations such as bind, search, etc.

0
votes

I had to deal with a situation that was like "AD vs LDAP": my clients have MS Active Directory servers but also others which were called LDAP or corporate directory ('CD') servers, which turned out to be NetIQ eDirectory servers (previously from Novell). My task was to implement authentication first with 'CD', then later with AD.

Both groups of servers speak the LDAP protocol, but need to be talked to differently; e.g., as mentioned in the question, the username is either bob@domain (AD) or a DN (CD). Also, when searching for users, in AD you look for the field "sAMAccountName" with a search base derived from your domain, e.g. "DC=test,DC=com", while the other one wants the field "uid" and the empty string "" as the search base.

Here's a nice page summarizing how to find out which LDAP-implementation is on the other side: https://ldapwiki.com/wiki/Determine LDAP Server Vendor
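The two client-side behaviours described in the answers above (Active Directory accepting a UPN-style bind name and searching sAMAccountName under the domain base, while a DN-oriented directory such as eDirectory needs a search on uid under an empty base to discover the DN before binding) are shown together in the following added example. This is not code from the original question or answers. It uses only the Python standard library and a constructed in-memory directory, so no server is contacted; the sample entries, the UPN suffix test.com and the container OU=Users,DC=test,DC=com are assumptions, not facts from the page. It also escapes the login name per RFC 4515 before it is placed in the search filter, which is the check a practitioner wants in either flavour.

```python
"""Added example (not from the original post): search and bind parameters for an
Active Directory domain versus a DN-oriented directory such as eDirectory.

Assumed, not taken from the page: the sample entries below, the UPN suffix
test.com and the container OU=Users,DC=test,DC=com.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 4515: characters that must be escaped inside a filter value. The
# replacement runs character by character, so the backslash escape is never
# re-escaped by a later rule.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string before interpolating it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class DirectoryProfile:
    name: str
    search_base: str   # where user objects are looked up
    login_attr: str    # attribute holding the short login name
    bind_style: str    # "upn": bind as user@suffix; "dn": bind with the entry's DN


# Values as described in the answer: AD searches sAMAccountName under the domain
# base, the eDirectory servers wanted uid with an empty search base.
AD = DirectoryProfile("Active Directory", "DC=test,DC=com", "sAMAccountName", "upn")
EDIR = DirectoryProfile("eDirectory", "", "uid", "dn")

# Constructed sample entries standing in for the two servers. Note the two AD
# objects sharing CN=bob under different parents but with distinct sAMAccountName,
# which is exactly the uniqueness rule the top answer describes.
AD_ENTRIES = [
    {"dn": "CN=bob,OU=Users,DC=test,DC=com", "sAMAccountName": "bob"},
    {"dn": "CN=bob,OU=Contractors,DC=test,DC=com", "sAMAccountName": "bob.ext"},
]
EDIR_ENTRIES = [
    {"dn": "cn=bob,ou=staff,o=corp", "uid": "bob"},
]


def user_filter(profile: DirectoryProfile, login: str) -> str:
    """The filter string a real client would send: equality on the login attribute."""
    return f"({profile.login_attr}={escape_filter_value(login)})"


def search_dn(profile: DirectoryProfile, entries: list, login: str) -> Optional[str]:
    """Toy stand-in for an LDAP search: literal match on the login attribute,
    scoped to the search base (an empty base means the whole directory).
    Matching the raw value literally is the behaviour escaping guarantees on a
    real server, where an unescaped "bob)(uid=*" would change the filter."""
    base = profile.search_base.lower()
    for entry in entries:
        in_scope = base == "" or entry["dn"].lower().endswith(base)
        if in_scope and entry.get(profile.login_attr) == login:
            return entry["dn"]
    return None


def bind_identity(profile: DirectoryProfile, entries: list, login: str,
                  upn_suffix: str = "test.com") -> Optional[str]:
    """Name the client presents in a simple bind. AD resolves a UPN itself, so no
    search is needed; a DN-style directory needs the search first to learn the
    DN, and returns None when the login does not exist."""
    if profile.bind_style == "upn":
        return f"{login}@{upn_suffix}"
    return search_dn(profile, entries, login)


if __name__ == "__main__":
    print(user_filter(AD, "bob"))
    print(user_filter(EDIR, "bob)(uid=*"))       # injection attempt neutralised
    print(bind_identity(AD, AD_ENTRIES, "bob"))
    print(bind_identity(EDIR, EDIR_ENTRIES, "bob"))
```

The escaping matters in both flavours: the bind name is opaque to the server and cannot inject, but the search filter is parsed, so an unescaped login such as `bob)(uid=*` would turn a lookup for one user into a wildcard match.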