Active Directory as LDAP server

When adding an Identity Source in VMware vCenter, there is an option: Active Directory as an LDAP Server

[screenshot: Add Identity Source dialog, options 1-4]
The VMware website states:
The Active Directory as an LDAP Server identity source is available for backward compatibility. Use the Active Directory (Integrated Windows Authentication) option for a setup that requires less input.

I am not sure what they mean by backward compatibility.

Any clarification on that?

Thank you

Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
You can use either Active Directory Integrated or LDAP.

(you may not be using Microsoft as a Directory Structure), and just may need an "open" LDAP authentication source.

(they may also mean Active Directory may not work with Windows 2003!)

see here for definitions

https://www.varonis.com/blog/the-difference-between-active-directory-and-ldap/

BUT there was a recent issue with LDAP and Microsoft Server last year...

see here

https://redmondmag.com/articles/2019/09/11/ldap-fix-for-windows-systems.aspx?m=1

Author

Commented:
But what do they mean by:

Active Directory as LDAP server and Active Directory (Integrated Windows Authentication)?

To my understanding, if you have Active Directory then it is your LDAP server and it offers Integrated Windows Authentication.

Why are there 2 separate options if the meaning is the same?

Thanks
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
They do not mean the same.

Microsoft Active Directory also provides an LDAP server function.

It can also provide a Microsoft Active Directory function.

They are two different services, because some applications do not support Active Directory directly, but you still may want to use Active Directory as an authentication source, and therefore you can do this via LDAP.

Author

Commented:
There is Active Directory Lightweight Directory Services (AD LDS) and  the full blown Microsoft Active Directory
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Two methods of authentication:

LDAP and Microsoft Active Directory.

LDAP is the protocol used to access AD information (useful for applications which do not have full Windows Active Directory functionality, but still want to single sign on / authenticate to something).

(Active Directory Lightweight Directory Services is additional!)

LDAP can be used against other authentication systems which are not related to Microsoft's.

Author

Commented:
LDAP is the protocol used to talk to Active Directory or other open source directories for authentication.

If you look again at the snapshot:
Option 1: that's Windows AD
Option 2: ???
Option 3: Open Source Authentication using the LDAP protocol
Option 4: Local OS, which means there is no centralized authentication database


So Option 2 is not clear... it sounds the same as Option 1, as they both mention Active Directory, so they are both Windows...

The only Windows Active Directory authentication that I am aware of is the full blown Windows Active Directory, also called AD DS,
where you install a Domain Controller.
There is ADAM, now called AD LDS, which does not need to be installed on a Domain Controller.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
ADAM is very different and nothing to do with this.

1. Basically use the Microsoft API to communicate with Active Directory.

2. Use LDAP (with Microsoft support) (which is also a port exposed on Domain Controllers via 389 LDAP but it could be disabled because of security risks!)

I hope this makes it clearer. In recent announcements in Sept 2019, Microsoft changed the method by which LDAP works now, because of vulnerabilities, and has recommended using signing now.

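The signing change mentioned above is something you can check rather than take on trust. The following PowerShell is an added example written for this page, not code from the thread, VMware or Microsoft. It reads the two NTDS registry values that control LDAP signing and channel binding on a domain controller and then lists the clients that the DC logged as still binding unsigned or with a cleartext simple bind, which is exactly what an "Active Directory as an LDAP Server" identity source pointed at port 389 without LDAPS would show up as. Assumptions: it runs elevated on the DC itself, the per-client event 2889 only exists if the "16 LDAP Interface Events" diagnostic level has been raised to 2 (the daily 2887 summary is logged by default), and the regexes reflect the layout of the 2889 message text as it appears in the Directory Service log.

```powershell
# Added example (not from the thread): audit a DC's LDAP signing posture and
# list clients still using unsigned or cleartext simple binds on port 389.
# Assumes: run elevated on a domain controller; 2889 events need the
# "16 LDAP Interface Events" diagnostic level set to 2 on that DC.

function Get-LdapSigningPosture {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $ntds -ErrorAction Stop

    # LDAPServerIntegrity: 2 = require signing; 1 or absent = none (the default).
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    $cbt = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        RequireSigning      = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingLevel = $cbt
    }
}

function Get-UnsignedLdapBindClients {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed 2889 message layout:
        #   Client IP address:<newline><ip>:<port>
        #   Identity the client attempted to authenticate as:<newline><id>
        #   Binding Type:<newline>0 (SASL without signing) | 1 (simple bind, cleartext)
        $m    = $e.Message
        $ip   = if ($m -match 'Client IP address:\s*(\S+)')        { $Matches[1] } else { '?' }
        $id   = if ($m -match 'authenticate as:\s*(.+?)\r?\n')     { $Matches[1].Trim() } else { '?' }
        $type = if ($m -match 'Binding Type:\s*(\d)')              { $Matches[1] } else { '?' }
        $bind = switch ($type) {
            '0'     { 'SASL bind without signing' }
            '1'     { 'Simple bind over cleartext LDAP' }
            default { "unknown ($type)" }
        }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = $ip
            Identity = $id
            Bind     = $bind
        }
    }
}

# Usage
$posture = Get-LdapSigningPosture
$posture
if (-not $posture.RequireSigning) {
    Write-Warning 'LDAP signing is not enforced: a simple bind on 389 sends the password in cleartext.'
}

# Daily summary (logged by default) of how many unsigned/cleartext binds the DC saw.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Per-client detail, de-duplicated by source address (needs diagnostics level 2).
Get-UnsignedLdapBindClients -Days 7 | Sort-Object Client -Unique | Format-Table -AutoSize
```

If the vCenter appliance's address appears in that list with "Simple bind over cleartext LDAP", the LDAP identity source is sending the bind account's password unencrypted every time it authenticates a user; switch the identity source to LDAPS (port 636) before flipping LDAPServerIntegrity to 2, or the source will simply stop working.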
Author

Commented:
I guess what they meant on the screenshot I posted depends on where you are installing and configuring vCenter.

If you are installing vCenter on Windows Server then the first option can be selected. Integrated Windows Authentication means vCenter can take the credentials that the user has used to log in to the Windows Server where vCenter is installed and log in automatically to vCenter without re-entering them again.


Option 2: If you are installing vCenter on Linux you can still use Active Directory for authentication, but you have to explicitly enter a user name and password, since the credentials you used to log in to Linux will not automatically apply to AD authentication.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
It gives you a choice of how you want to setup your Authentication.

Your vCenter Server may be at the end of a WAN link, and you have firewalls in place, but opening a single port 389 TCP LDAP will provide the authentication you need.

Again it's based on your design and gives your options for deployment.

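Before opening only TCP 389 through that firewall, it is worth probing what the DC will actually accept on it, because a simple bind over plain 389 carries the bind account's password in the clear, and a DC that enforces signing will refuse it with LDAP result code 8 (strongerAuthRequired). The following PowerShell is an added example for this page, not code from the thread or from VMware; it uses the .NET System.DirectoryServices.Protocols client to attempt the four bind variants a vCenter LDAP identity source might be configured for. Assumptions: $dc is a placeholder hostname, and the credential is a throwaway test account, since the first probe deliberately sends that password unencrypted.

```powershell
# Added example (not from the thread): probe which LDAP bind types a DC accepts
# on 389 and 636, from the host that would run the "AD as LDAP server" source.
# Assumes: $dc is a placeholder; use a throwaway test account, because the
# plain simple-bind probe intentionally sends the password in cleartext.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][pscredential]$Credential,
        [ValidateSet('Simple', 'Negotiate')][string]$Auth = 'Simple',
        [switch]$Ssl,    # wrap the connection in TLS (LDAPS, normally port 636)
        [switch]$Sign    # for Negotiate: request SASL signing/sealing
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Ssl

    if ($Auth -eq 'Simple') {
        # Basic = LDAP simple bind: DN/UPN and password sent as-is on the wire
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    } else {
        # Negotiate = SASL GSS-SPNEGO (Kerberos/NTLM); signing is negotiable
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = [bool]$Sign
        $conn.SessionOptions.Sealing = [bool]$Sign
    }
    $conn.Credential = $Credential.GetNetworkCredential()

    try {
        $conn.Bind()
        $result = 'accepted'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 (strongerAuthRequired) means the DC enforces signing/LDAPS;
        # ErrorCode 81 on the SSL probe usually means an untrusted DC certificate.
        $result = "rejected (code $($_.Exception.ErrorCode): $($_.Exception.Message))"
    } finally {
        $conn.Dispose()
    }

    [pscustomobject]@{
        Port   = $Port
        Auth   = $Auth
        Ssl    = [bool]$Ssl
        Signed = [bool]$Sign
        Result = $result
    }
}

# Usage
$dc   = 'dc01.corp.example'   # placeholder
$cred = Get-Credential -Message 'Throwaway test account (DOMAIN\user or UPN)'

@(
    Test-LdapBind -Server $dc -Port 389 -Credential $cred -Auth Simple            # cleartext password
    Test-LdapBind -Server $dc -Port 389 -Credential $cred -Auth Negotiate         # SASL, unsigned
    Test-LdapBind -Server $dc -Port 389 -Credential $cred -Auth Negotiate -Sign   # SASL, signed
    Test-LdapBind -Server $dc -Port 636 -Credential $cred -Auth Simple -Ssl       # simple bind inside TLS
) | Format-Table -AutoSize
```

On a DC with "LDAP server signing requirements" set to Require signing, the first two probes come back rejected with code 8 and the last two are accepted; if the first probe is accepted, the firewall rule for 389 is passing a cleartext password, and the vCenter source should be pointed at 636 instead.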
Author

Commented:
Thank you

Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
If you are using this (LDAP), see the Microsoft announcements about LDAP changes!