• No replies
34 Posts

Pinned topic Cloud Extender: LDAP Vs. Active Directory for authentication, what to choose?

‏2016-02-25T14:20:49Z | active ad cloud directory extender ldap maas360

The Cloud Extender offers Corporate Directory Integration in 2 modes:

  1. Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs PowerShell commands to authenticate any user in your directory. If you have multiple trusting forests or domains in your environment, some additional configuration is required. In this mode, the Cloud Extender can authenticate users in the entire scope of your directory.
  2. LDAP Mode: This mode can be used for any corporate directory. Cloud Extender offers standard LDAP templates to integrate with Domino LDAP, Oracle LDAP, Novell e-Directory and OpenLDAP. In addition to these standard LDAPs, this mode can be used to configure against any customized LDAP. Microsoft Active Directory can also be configured in LDAP mode and Cloud Extender offers a template for this as well.

So how do you choose the mode of implementation? Here are some guidelines:

  1. If you have a non-Microsoft Active directory (AD), use LDAP mode, this is straightforward. 
  2. If you have a Microsoft Active directory (AD) environment, here is where you will need to make the right decision. The following table helps you choose what is best for your environment
Scenarios Active Directory Mode LDAP Mode
Ability to limit authentication scope to a certain OU, sub-tree or group


Requirement that Cloud Extender needs to be a part of your domain  
Ability to support trusted forest / domain authentication
Ability to support untrusted forest / domain authentication  
Ability to customize attributes that can be read from AD during User Authentication process  
Support for User Custom Attributes+  
Ability to customize User and Group filters for optimized user authentication performance  
Support for High Availability
Ease of configuration Easy Medium
Implementation technology PowerShell LDAP Libraries
Configured along with User Visibility on the same Cloud Extender++
Time to authenticate Limited to PowerShell throughput Typically faster than AD


+ User Custom Attributes is a feature in MaaS360 that lets you can define your own attribute and use this attribute in various configuration workflows. For e.g., you can define a User Custom Attribute called Employee Serial Number and use this value in MaaS360 policies for device configuration, or application configuration or a part of Identity Certificates. This attribute can be read directly from your directory using the LDAP configuration.

++Another very important consideration is whether your Cloud Extender will also configure the User Visibility service along with User Authentication service. If so, then the mode of configuration for both these services should be either Active Directory or LDAP. So for e.g., User Authentication as AD and User Visibility as LDAP on the same Cloud Extender is not possible. If such a combination is required, you will have to use separate Cloud Extenders.

In most situations LDAP mode of authentication is seen as most suitable for implementations even in Microsoft Active Directory environments considering the above advantages and easy adoptability to future requirements.



Updated on 2016-02-25T14:25:48Z at 2016-02-25T14:25:48Z by KumarAnanthanarayana