AD DS or AD LDS

Tags: active-directory, ad-lds

I need a suggestion about having AD DS or AD LDS for my infrastructure.

I have a website which as of now does not have any log-in facility for the visitors. Now we are developing a new application so that the visitors can create an account on the website. The best example you can think of is any telecom service provider: they have their website and are now creating a login facility for their customers, so the users can create an account and can subscribe to e-bill sort of facilities.

Hope the situation is clear now. For this particular application, I intend to have a web server, an application server, a DB server, one SMTP server and one AD server (for authentication of users and for saving the profiles also).

My question here starts on the AD front: do I need AD DS or AD LDS here? What I need from AD is

  1. provide user authentication;
  2. provide role-based access.

This is my query.

Best Answer

As Rajeev has pointed out in comments, Active Directory IS an LDAP server and more, and the AD LDS service is a "free" Windows Server role that is provided to do specifically what he is looking for. AD provides many extras (replication, Kerberos, federation, etc.) that you would have to build on your own with a Free/OSS solution like OpenLDAP+postgres+kerberos. There are other (primarily commercial) directory services which have similar abilities.

Licensing should probably not be an issue. You are probably going to have AD installed if your deployment is going to be primarily Windows-based (for the computer accounts, admin accounts, etc.), and this will be relatively small (looks like a 5-user CAL at most). Any "user" objects that you create in LDS for your public users will not be counted against the licenses for your AD DS accounts. You can contact Microsoft Licensing to verify this.

Using AD LDS definitely has some great benefits; your proposed installation may be too small to realize some of them, though.

  1. Replication is probably the #1 "freebie" you get with LDS. Your AD DS Sites and Subnets topology can be used to manage replication automatically, just like for AD DS. But with only one LDS server, you won't need replication.
  2. Most of the newer tools for backup, maintenance, reporting, etc. will all work as well with LDS as they do with DS. So, if you already have some off-the-shelf tools in-house, you can probably just use them for your LDS. Again, your setup sounds too small for this to be a big benefit.
  3. If you are ALREADY familiar with the care and maintenance of AD DS, using LDS will be generally familiar and will build on a knowledge-set you already have. This can mean significant improvements in supportability and manageability, any scripting knowledge you have will be generally transferable, etc. This is a bonus.
  4. And again, LDS is "free" with Windows, if you've installed a 2003/2008 server then LDS is included. This is also a bonus.
  5. With Windows Server 2008 R2 you get all the cool features from the AD DS code-base (snapshots, etc.)

All that said... If you don't have any particular experience with AD, and don't have any particular infrastructure already in place to handle it, you may not see much benefit by going this route. Based on the size of your described deployment, you could almost certainly go with an OSS setup like LAMP + OpenLDAP, depending on your comfort zone and what your application requirements are.

Keep in mind that if you are doing any kind of user management, then you are going to be very, VERY sorry if your approach is just "stick a bunch of user names and passwords in a SQL table." User management is a complex process that has already been solved countless times before. Handling passwords is something you just should not be doing unless you already have lots of experience in security-related programming. Please don't roll your own!

Find a suitable commercial or OSS framework that has been designed already to handle AAA* correctly, something like OpenID is probably not a terrible idea. Jeff Atwood's blog (he runs a website, you may have heard of it...) has a number of posts discussing these issues around his work on StackOverflow and ServerFault.

Anyway, I hope this discussion helps.
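The two things the asker wants from the directory (authenticate a customer, then decide what they may do by role) can be checked end to end from the web tier without the application ever storing a password: the user's credentials are submitted to AD LDS as an LDAP simple bind over SSL, and the application's roles are derived from the groups the bound account is a member of. The script below is an added example, not code from the question or the answer. The host name lds01.example.internal, port 636, the partition DC=customers,DC=example,DC=com, the user and group DNs, and the role names ebill.view and ebill.admin are all assumed placeholders; it also assumes the bound user (or the instance's Readers role) is permitted to read its own memberOf attribute.

```powershell
# Added example (not from the original Q&A): authenticate a web-site user against
# an AD LDS instance with an LDAP simple bind over SSL, then derive application
# roles from the user's group memberships. All names below are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Application role -> AD LDS group DN (assumed values). Anything not listed grants nothing.
$RoleGroups = @{
    'ebill.view'  = 'CN=EBill-Users,OU=Groups,DC=customers,DC=example,DC=com'
    'ebill.admin' = 'CN=EBill-Admins,OU=Groups,DC=customers,DC=example,DC=com'
}

function Test-LdsCredential {
    # Returns an open, authenticated LdapConnection on success, $null on failure.
    param(
        [Parameter(Mandatory)] [string] $Server,        # host:port, e.g. lds01.example.internal:636
        [Parameter(Mandatory)] [string] $UserDn,        # DN of the customer's user object
        [Parameter(Mandatory)] [securestring] $Password
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    # AD LDS rejects simple binds over a cleartext connection by default; keep it that way.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try {
        # The directory verifies the password; the web application never stores one.
        $conn.Bind()
        return $conn
    } catch [System.DirectoryServices.Protocols.LdapException] {
        $conn.Dispose()
        return $null
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $conn.Dispose()
        return $null
    }
}

function Get-LdsRoles {
    # Maps the bound user's memberOf values to application role names.
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $Connection,
        [Parameter(Mandatory)] [string] $UserDn
    )
    # Base-scope read of the user's own object: no wildcard search, only memberOf is returned.
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $UserDn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('memberOf'))
    $resp = $Connection.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { return @() }

    $groups = @()
    $attr = $resp.Entries[0].Attributes['memberOf']
    if ($attr) { $groups = $attr.GetValues([string]) }

    # Only groups explicitly mapped in $RoleGroups translate into a role.
    $RoleGroups.GetEnumerator() |
        Where-Object { $groups -contains $_.Value } |
        ForEach-Object { $_.Key }
}

# Usage: the same two calls the web tier would make on every login (names assumed).
$userDn = 'CN=jane.doe,OU=Customers,DC=customers,DC=example,DC=com'
$pw = Read-Host -AsSecureString -Prompt 'Password'
$conn = Test-LdsCredential -Server 'lds01.example.internal:636' -UserDn $userDn -Password $pw
if (-not $conn) {
    Write-Warning 'Authentication failed'   # same message for bad DN and bad password
    return
}
try {
    $roles = @(Get-LdsRoles -Connection $conn -UserDn $userDn)
    if ($roles -contains 'ebill.view') { 'Allowed: view e-bills' } else { 'Denied: no e-bill role' }
} finally {
    $conn.Dispose()
}
```

Two design choices carry the answer's point. The bind is the only place a password is handled, and it goes straight to the directory, so there is no password column in the DB server to protect. Authorization is a lookup from group DN to a named application role rather than a search over the directory, so adding a new role means adding a group and one hash-table entry, and a user in an unmapped group gets nothing by default.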