Authentication Protocols
Active Directory
- Primary Protocol: Kerberos (v5) with NTLM fallback
- Authentication Flow:
  - Client requests a TGT from a Domain Controller
  - DC verifies the credentials against its directory database
  - Client receives the TGT and then requests service tickets with it
- Encryption: AES-256 (default), supports RC4 for legacy
- Ticket Lifetime: Default 10 hours for the TGT (configurable)
- Smart Card Support: Native through PKINIT
OpenLDAP
- Primary Protocol: LDAP (v3) with SASL mechanisms
- Authentication Methods:
  - Simple Bind (credentials sent in plaintext unless the connection is TLS-protected)
  - DIGEST-MD5
  - GSSAPI (Kerberos integration possible)
  - TLS client certificates
- Transport Encryption: TLS 1.2+ (LDAPS or StartTLS) required for security
- Performance: ~3,000 auth/sec on modern hardware
FreeIPA
- Protocol Stack:
  - Kerberos (MIT implementation)
  - LDAPv3 (389 Directory Server)
  - SSSD for client integration
- Unique Features:
  - Automatic Kerberos realm setup
  - Integrated CA for PKI
  - One-time password support
Database Architecture
| Component | Active Directory | OpenLDAP | FreeIPA |
|---|---|---|---|
| Storage Engine | Extensible Storage Engine | MDB/BDB/HDB | 389 Directory Server |
| Replication | Multi-master (NTDS) | Multi-provider sync | Multi-master |
| Schema | Microsoft-defined | Fully extensible | IPA-specific extensions |
| Entry Limit | ~2 billion objects | ~100 million (MDB) | ~50 million recommended |
Security Features Comparison
Access Control
- AD: Security Descriptors (DACL/SACL)
- OpenLDAP: ACLs via slapd.conf or dynamic configuration (cn=config)
- FreeIPA: HBAC rules with time/group restrictions
Audit Capabilities
- AD: Native auditing (Windows Security log account-management events 4720-4767)
- OpenLDAP: Requires external tools
- FreeIPA: Built-in audit log with retention
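Added example, not part of the original comparison: a small Python triage over constructed Windows Security events that maps the 4720-4767 account-management IDs referenced above and flags a newly created account that is placed in a privileged group shortly afterwards. The event-ID meanings are the standard Windows Security log definitions; the sample events, account names and the privileged-group set are constructed for illustration.

```python
from datetime import datetime, timedelta

# Standard meanings of the AD account-management event IDs (Windows Security
# log, "Account Management" category) within the 4720-4767 range.
AD_ACCOUNT_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4725: "user account disabled",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4740: "user account locked out",
    4756: "member added to security-enabled universal group",
    4767: "user account unlocked",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample events (not real log data):
# (timestamp, event_id, target_account, group_or_None)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4720, "svc-backup", None),
    ("2024-05-01T09:03:30", 4732, "svc-backup", "Administrators"),
    ("2024-05-01T10:15:00", 4720, "jdoe", None),
    ("2024-05-02T08:00:00", 4728, "jdoe", "Domain Users"),
    ("2024-05-01T11:00:00", 4740, "asmith", None),
]

def describe(event_id):
    """Human-readable meaning of an account-management event ID."""
    return AD_ACCOUNT_EVENTS.get(event_id, "unmapped event")

def find_fast_privilege_grants(events, privileged_groups, window_minutes=60):
    """Return (account, group, minutes) for accounts created (4720) and then
    added to a privileged group (4728/4732/4756) within window_minutes.
    A new account reaching a privileged group that quickly is a common
    review trigger, so this is the kind of rule native auditing enables."""
    created = {}
    hits = []
    for ts, eid, account, group in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if eid == 4720:
            created[account] = when
        elif eid in GROUP_ADD_EVENTS and group in privileged_groups:
            born = created.get(account)
            if born is not None and when - born <= timedelta(minutes=window_minutes):
                hits.append((account, group, int((when - born).total_seconds() // 60)))
    return hits
```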
Certificate Management
- AD: Requires AD CS (additional role)
- OpenLDAP: External PKI integration
- FreeIPA: Integrated Dogtag CA with auto-enroll
Performance Benchmarks
Test Environment: 5,000 users, 100 concurrent authentications

| Metric | AD (2019) | OpenLDAP 2.5 | FreeIPA 4.9 |
|---|---|---|---|
| Auth latency (ms) | 12 | 25 | 18 |
| Search ops/sec | 4,200 | 3,800 | 3,500 |
| Write throughput (ops/sec) | 1,200 | 900 | 800 |
| Replication lag | <1 s | 5-30 s | 2-5 s |
High Availability Implementations
Active Directory
- Site-aware replication
- FSMO roles management
- Stretched clusters supported
OpenLDAP
- Syncrepl provider/consumer
- MirrorMode for multi-master
- No native load balancing
FreeIPA
- IPA topology segments
- Built-in CA redundancy
- DNS failover integration
Client Management Capabilities
Group Policy Equivalent:

| Feature | AD GPO | OpenLDAP | FreeIPA HBAC |
|---|---|---|---|
| Config Enforcement | Yes | Via Puppet/Ansible | Partial |
| Software Deploy | SCCM | External | External |
| Security Policy Settings | 2,000+ | Custom | 50+ predefined |
| Client Side Extensions | CSE | None | SSSD plugins |
Protocol Support Matrix
| Protocol | AD Support | OpenLDAP | FreeIPA |
|---|---|---|---|
| LDAPS | Yes | Yes | Yes |
| Kerberos | Yes | Plugin | Yes |
| RADIUS | Via NPS | External | Built-in |
| SAML | ADFS | External | Built-in |
| REST API | Limited | No | Yes |
Recommended Deployment Scenarios
Active Directory Best For:
- Windows-dominant environments (>80% Windows)
- Organizations requiring granular GPOs
- Microsoft ecosystem integration (Office 365, Azure)
OpenLDAP Ideal When:
- Heterogeneous environment (mix of OSes)
- Custom schema requirements
- Need lightweight directory without Kerberos
FreeIPA Optimal For:
- Linux/Unix environments
- DevOps pipelines requiring API access
- Organizations wanting AD-like features without licensing