Microsoft, Open Source Fans Try LDAP
- 15 May, 2000 12:01
BOSTON (05/15/2000) - In addition to testing the seven Windows NT-based Lightweight Directory Access Protocol servers, we also looked at the LDAP support Microsoft Corp. offers inside its new Active Directory and evaluated what the open source code option, OpenLDAP, had to offer.
We found that Active Directory, while it has issues with bulk-loading performance and offers an overlapping array of management tools, handles LDAP queries quite well and offers an excellent set of monitoring tools to help you keep an eye on the LDAP server. As for the Linux alternative, we were disappointed by OpenLDAP's performance and thought its lack of administration tools made it difficult to use. OpenLDAP is better positioned as a starter kit to help you get a leg up on LDAP than as a production-quality server.
We could not include Active Directory and OpenLDAP in our head-to-head comparative review because neither runs on NT 4.0. Active Directory only runs on Windows 2000; OpenLDAP runs on Linux.
If you were wondering whether Active Directory has a place as a stand-alone LDAP directory, the answer is . . . sort of. Active Directory's bulk-load time was horribly slow. At 33 records per second, you would be effectively restricted from bulk loading in any production environment. Additionally, Active Directory wouldn't allow some types of attributes to be added to the directory in bulk and insisted on consistency-checking every entry, which required us to change our schema just to get our data loaded.
However, the query and modify performance numbers achieved by Active Directory were quite speedy. It can keep a respectable pace against the very fast pure servers in most LDAP operations. These performance levels suggest that if you want to share your Windows directory with the world via LDAP, then a native interface to Active Directory would be satisfactory; you don't, for example, have to export your Active Directory data into another LDAP directory. However, the poor bulk-load performance is a strong indicator that Active Directory is a less obvious choice for a pure LDAP directory.
Microsoft's Active Directory LDAP management implementation is somewhat scattered. Rather than taking a single approach to managing the LDAP directory, Microsoft built in several. Win 2000 ships with a pile of tools, many of which do the same thing but in slightly different ways or from different points of view. One useful tool is the LDP application that talks to LDAP directories using the LDAP protocol, making it a multivendor tool to explore and query.
Microsoft held to both sides of the highway on monitoring. Its directory performance numbers are available directly in the Win 2000 perfmon tool - an outstanding way to get a graphical look at directory load and transactions.
Microsoft also exposes those statistics through the new Web-based Enterprise Management (WBEM) interface, which in itself is fairly useless. However, there are WBEM-to-SNMP adapters available for Win 2000 from Microsoft that effectively make Active Directory's statistics available to anyone with an SNMP monitoring tool.
OpenLDAP, another pure LDAP server, had no graphical user interface, and required us to edit configuration files or issue shell commands for any changes. OpenLDAP also turned in very poor performance statistics across most of the operations we tested. In most cases, OpenLDAP ranked behind the other servers we looked at. The one exception was in multiuser wildcard queries, in which OpenLDAP kept pace with the leaders. The simplicity of OpenLDAP and the ease with which we installed it were definite pluses, making OpenLDAP a good prototyping tool for an LDAP directory. This is especially true if your final server is iPlanet's Directory Server or Innosoft International Inc.'s IDDS because the configuration and operation of the three products are very similar.