The Cloud Extender offers Corporate Directory Integration in 2 modes:
- Active Directory Mode: This mode is specific to Microsoft Active Directory environments. The Cloud Extender runs as a service account and runs PowerShell commands to authenticate any user in your directory. If you have multiple trusting forests or domains in your environment, some additional configuration is required. In this mode, the Cloud Extender can authenticate users in the entire scope of your directory.
- LDAP Mode: This mode can be used for any corporate directory. Cloud Extender offers standard LDAP templates to integrate with Domino LDAP, Oracle LDAP, Novell eDirectory and OpenLDAP. In addition to these standard LDAPs, this mode can be configured against any customized LDAP. Microsoft Active Directory can also be configured in LDAP mode, and Cloud Extender offers a template for this as well.
So how do you choose the mode of implementation? Here are some guidelines:
- If you have a non-Microsoft Active Directory (AD) directory, use LDAP mode. This case is straightforward.
- If you have a Microsoft Active Directory (AD) environment, this is where you need to make the right decision. The following table helps you choose what is best for your environment:
|Scenarios||Active Directory Mode||LDAP Mode|
|Ability to limit authentication scope to a certain OU, sub-tree or group||
|Requirement that Cloud Extender needs to be a part of your domain||♦|
|Ability to support trusted forest / domain authentication||♦||♦|
|Ability to support untrusted forest / domain authentication||♦|
|Ability to customize attributes that can be read from AD during User Authentication process||♦|
|Support for User Custom Attributes+||♦|
|Ability to customize User and Group filters for optimized user authentication performance||♦|
|Support for High Availability||♦||♦|
|Ease of configuration||Easy||Medium|
|Implementation technology||PowerShell||LDAP Libraries|
|Configured along with User Visibility on the same Cloud Extender++||♦||♦|
|Time to authenticate||Limited to PowerShell throughput||Typically faster than AD|
+ User Custom Attributes is a feature in MaaS360 that lets you define your own attribute and use it in various configuration workflows. For example, you can define a User Custom Attribute called Employee Serial Number and use this value in MaaS360 policies for device configuration or application configuration, or as a part of Identity Certificates. This attribute can be read directly from your directory using the LDAP configuration.
++ Another very important consideration is whether your Cloud Extender will also run the User Visibility service along with the User Authentication service. If so, both services must be configured in the same mode, either Active Directory or LDAP. For example, User Authentication in AD mode and User Visibility in LDAP mode on the same Cloud Extender is not possible. If such a combination is required, you will have to use separate Cloud Extenders.
In most situations, the LDAP mode of authentication is seen as the most suitable for implementations, even in Microsoft Active Directory environments, considering the above advantages and its easy adaptability to future requirements.