Active Directory Authentication vs LDAP Authentication

Applies To

 

Product(s): T445, T540, T6xx, T8xx

Product Version(s): Tintri OS v3.0 (and later).

Details

 

It's possible to authenticate Active Directory users in two ways -- using the native Active Directory suite of protocols (ADS) or using only the LDAP protocol. This brief article describes some of the semantic differences between the two.

 

If you're using an LDAP Directory Services Agent (DSA) other than Active Directory, such as OpenLDAP or FreeIPA, the only option is to use the LDAP protocol. This article covers the differences between using the Active Directory suite of protocols to authenticate Active Directory users vs using the LDAP protocol to authenticate Active Directory users.

 

When authenticating using ADS, the process involves a domain join, as with many other Active Directory clients such as Microsoft Windows. The join requires the DNS domain name of the domain and the username and password of an administrative user with the privileges necessary to perform a domain join.

 

The domain join process involves the creation of a computer account, which the Tintri appliance will use for all subsequent operations or queries against the domain. The administrative credentials are not stored in the appliance.

 

Apart from the machine account creation and periodic password changes, no changes are made to Active Directory.

 

When authenticating using LDAP, the credentials for a service account need to be provided. These credentials are stored and used for all subsequent searches and lookups. Active Directory (or any LDAP server) is never modified.

 

The set of attributes that the Tintri LDAP driver needs to read or search is quite minimal and is covered in separate schema-specific articles. The service account also needs to be able to query accounts in other domains where interdomain trusts are in use.
