Ask HN: Is ActiveDirectory an Embrace, Extend, Extinguish of LDAP?

4 points by Fazel94 ↗ HN
I was studying the Embrace, Extend and Extinguish strategy(https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish) implemented by various Tech companies. It just occurred to me that ActiveDirectory that is one of the most successful enterprise products of microsoft, could be interpreted as an EEE over LDAP.

Could you elaborate on that?

5 comments

[ 3.0 ms ] story [ 27.2 ms ] thread
LDAP and AD aren't equivalent technologies. LDAP provides "directory services" meaning (practically speaking) usernames, passwords and security policies. AD provides that and much more. For example, AD lets you share folders and manage users, something LDAP doesn't support. So you have to combine LDAP with other protocols.

Many many years ago I had the displeasure of being in charge of an AD to OpenLDAP+NFS migration for a mid-sized company. I was put in charge after an intern had spent months trying but failing to come up with a migration plan. I can tell you it wasn't fun. Especially the weird configuration files and stupid Perl scripts I had to use to communicate with OpenLDAP. I don't remember the details, but there was a lot of character encoding problems (åäö) and places where whitespace was significant in command line arguments.

It made me appreciate AD because in comparison configuring that is a breeze. I'm not much a MS fan but AD is imho a solid product.

AD let’s you provision file system/share permissions. It isn’t a file share in and of itself.

Just like in the AD world, other tools allow you to configure them either partly or fully via ldap.

I’m not sure what you mean that ldap doesn’t let you “manage users”. That’s literally the most common use case for it.

I don’t know why you felt forced to use Perl. The primary interface of any ldap compliant directory is just ldap, which has bindings in practically every language, and if you want to do bulk operations, you’d probably use LDIF.

Blaming ldap for you using Perl is like saying “I hate the web it requires you to write java”.

The LDAP protocol doesn't contain features required for properly managing users. For example, to set password expiration dates, control password strengths or to allow autonomous password recovery. Such features are instead provided in extension modules, if at all.

10-15 years ago when I dabbled with LDAP, the only bindings for OpenLDAP was written in Perl. Glad to hear that the situation is better now.

I thought Active Directory was Microsoft’s response to the competitive threat from other X.500-inspired, proprietary directory products, most notably Novell’s NDS, which met the needs of large organizations in ways that Windows NT domains couldn’t.

LDAP and Kerberos were in use before Active Directory, of course, but they weren’t ubiquitous the way HTML, HTTP, or IP had become by 1999, so I’m not sure the “embrace” stage of the strategy fits. Certainly, there were marketing advantages for Microsoft from using well-regarded open standards with at least nominal cross-platform compatibility, and some customers who would have expected any serious directory server to work with LDAP clients.