
Ask HN: Is ActiveDirectory an Embrace, Extend, Extinguish of LDAP? - Fazel94
I was studying the Embrace, Extend and Extinguish strategy (https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish) implemented by various Tech companies. It just occurred to me that ActiveDirectory, which is one of the most successful enterprise products of Microsoft, could be interpreted as an EEE over LDAP.

Could you elaborate on that?
======
bjourne
LDAP and AD aren't equivalent technologies. LDAP provides "directory services"
meaning (practically speaking) usernames, passwords and security policies. AD
provides that and much more. For example, AD lets you share folders and manage
users, something LDAP doesn't support. So you have to combine LDAP with other
protocols.

Many many years ago I had the displeasure of being in charge of an AD to
OpenLDAP+NFS migration for a mid-sized company. I was put in charge after an
intern had spent months trying but failing to come up with a migration plan. I
can tell you it wasn't fun. Especially the weird configuration files and
stupid Perl scripts I had to use to communicate with OpenLDAP. I don't
remember the details, but there were a lot of character encoding problems (åäö)
and places where whitespace was significant in command line arguments.

It made me appreciate AD because in comparison configuring that is a breeze.
I'm not much of an MS fan but AD is imho a solid product.

~~~
stephenr
AD lets you provision file system/share permissions. It isn’t a file share in
and of itself.

Just like in the AD world, other tools allow you to configure them either
partly or fully via ldap.

I’m not sure what you mean that ldap doesn’t let you “manage users”. That’s
literally the most common use case for it.

I don’t know why you felt forced to use Perl. The primary interface of any
ldap compliant directory is just ldap, which has bindings in practically every
language, and if you want to do bulk operations, you’d probably use LDIF.

Blaming ldap for you using Perl is like saying “I hate the web, it requires you
to write Java”.
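
Two things this thread touches on, bulk provisioning via LDIF and the åäö
encoding headaches, come together in how LDIF handles non-ASCII values: RFC 2849
requires any value that is not a "safe string" (non-ASCII, leading space/colon/`<`,
embedded CR/LF) to be written base64-encoded after `::`. The following is an
added example (not code from anyone in this thread) that builds a bulk-add LDIF
for user entries with that rule applied and parses it back; the `inetOrgPerson`
layout, the users and the base DN are constructed sample data.

```python
import base64

def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: anything else must be base64-encoded."""
    if not value:
        return False
    if value[0] in " :<" or value.endswith(" "):   # unsafe first char; trailing space is fragile
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value' or 'attr:: <base64 of UTF-8 bytes>' as the spec requires."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def user_to_ldif(uid: str, cn: str, sn: str, base_dn: str) -> str:
    """One 'changetype: add' record for a constructed inetOrgPerson user."""
    lines = [ldif_line("dn", f"uid={uid},{base_dn}"), "changetype: add",
             "objectClass: inetOrgPerson", ldif_line("uid", uid),
             ldif_line("cn", cn), ldif_line("sn", sn)]
    return "\n".join(lines) + "\n"

def bulk_ldif(users, base_dn: str) -> str:
    """Records separated by a blank line, as ldapmodify/ldapadd expect."""
    return "\n".join(user_to_ldif(*u, base_dn) for u in users)

def parse_ldif(text: str):
    """Parse records into dicts of attr -> [values], decoding '::' values and
    unfolding continuation lines (a leading space joins to the previous line)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line:                      # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest   # exactly one space is stripped
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

# Constructed sample: one Swedish name that must be base64-encoded, one plain ASCII user.
SAMPLE_USERS = [("ahedlund", "Åsa Hedlund", "Hedlund"), ("bsmith", "Bob Smith", "Smith")]
SAMPLE_BASE_DN = "ou=people,dc=example,dc=com"
```

Piping the output of `bulk_ldif(SAMPLE_USERS, SAMPLE_BASE_DN)` into `ldapadd` is the bulk operation stephenr describes; the round trip through `parse_ldif` is what shows the åäö values surviving intact.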

~~~
bjourne
The LDAP protocol doesn't contain features required for properly managing
users. For example, to set password expiration dates, control password
strengths or to allow autonomous password recovery. Such features are instead
provided in extension modules, if at all.

10-15 years ago when I dabbled with LDAP, the only bindings for OpenLDAP were
written in Perl. Glad to hear that the situation is better now.

------
wsh
I thought Active Directory was Microsoft’s response to the competitive threat
from other X.500-inspired, proprietary directory products, most notably
Novell’s NDS, which met the needs of large organizations in ways that Windows
NT domains couldn’t.

LDAP and Kerberos were in use before Active Directory, of course, but they
weren’t ubiquitous the way HTML, HTTP, or IP had become by 1999, so I’m not
sure the “embrace” stage of the strategy fits. Certainly, there were marketing
advantages for Microsoft from using well-regarded open standards with at least
nominal cross-platform compatibility, and some customers who would have
expected any serious directory server to work with LDAP clients.

