Choosing the Right LDAP Directory Instance
This article applies to: CornellAD
There are three directories available.
- Enterprise Directory is the main directory for looking up user information.
- Active Directory (AD) is the central internal directory for authentication and integrations to Microsoft applications, including managing account data, provisioning, and de-provisioning.
- Active Directory Lightweight Directory Services (AD LDS) is available from off-campus networks for lookups of a subset of user and group information (but not authentication).
Anonymous access is disabled and all three directories require authentication.
Because these three instances are separate from each other, separate BindIDs are required for each.
- For AD, Organizational Unit (OU) admins can create BindIDs via Quest ARS.
- BindIDs for AD LDS or Enterprise directory require submitting a ticket to Identity Management.
Also, it is intentional that the root of the directory tree (the base DN) for AD LDS and the Enterprise directory is the same (i.e. O=Cornell University, C=US). These two directories will be merged into one directory service in the future.
Enterprise Directory
Enterprise directory is the main directory for looking up user information. It's a traditional "electronic directory" or LDAP directory. The Enterprise directory:
- Is accessible from the internet (requires authentication).
- Does NOT store end-user passwords.
- Features granular attribute-level access controls.
- Has more information/attributes.
- Is used by many apps to look up public and protected info (where appropriate).
- Is also used for authorization.
Enterprise directory uses ldaps://query.directory.cornell.edu as the service name.
Active Directory
Active Directory is the central directory for managing account data, provisioning, and de-provisioning. It also ties into the central authentication and authorization systems. Identity Management uses Quest ARS to delegate management permissions for AD. The AD:
- Is NOT accessible from off-campus addresses.
- Is NOT generally accessible from the internet.
- Does store end-user passwords.
- Has presence in on-prem, AWS and Azure.
- Supports LDAP for lookups and authN as well as Kerberos (for authN/Z).
- Provides a "streamlined" version of the directory called "Global Catalog" that is accessible on a different port.
The DNS service names are:
- ldaps://query.ad.cornell.edu
- ldaps://awsquery.ad.cornell.edu (for AWS-based services)
- ldaps://azquery.ad.cornell.edu (for Azure-based services)
Active Directory Lightweight Directory Service (AD LDS)
This is Microsoft's implementation of a generic LDAP service. The AD LDS:
- Is available from the internet.
- Does NOT store end-user passwords.
- Is a stripped-down version of AD containing only a select subset of attributes. See Active Directory Lightweight Directory Service (AD LDS) for more information.
- Is synced from AD, but only users and groups are synced. This allows you to look up AD users and groups from off-campus addresses (without needing to reach the real AD).
AD LDS is accessed using the service name lds.ad.cornell.edu.
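The rules spread across the sections above (anonymous access disabled, a separate BindID per instance, AD unreachable from off-campus, AD LDS and the Enterprise directory sharing the base DN O=Cornell University,C=US, only AD holding end-user passwords) can be checked before a client ever opens a connection. The following is an added example written for this page, not Cornell IT tooling: it validates a client's LDAP settings against the instance it says it is targeting and, if they pass, builds the matching ldapsearch command line. The AD base DN is not stated on this page, so it is left unchecked; the LDAPS port 636 and Global Catalog over SSL port 3269 are the standard ports, not values taken from the page; the sample bind DNs are constructed placeholders.

```python
"""Validate LDAP client settings against the chosen directory instance.

Added example for this page; not Cornell IT's own code. Hostnames and the
shared base DN come from the page. The AD base DN is not on the page and is
not checked. Ports 636 (LDAPS) and 3269 (Global Catalog over SSL) are the
standard ports, an assumption rather than a value stated on the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

SHARED_BASE_DN = "O=Cornell University,C=US"  # stated on the page for Enterprise and AD LDS

# Per-instance facts from the page. "base_dn": None means "not stated, not checked".
INSTANCES = {
    "enterprise": {"hosts": {"query.directory.cornell.edu"},
                   "base_dn": SHARED_BASE_DN, "ports": {636},
                   "off_campus": True, "stores_passwords": False},
    "ad": {"hosts": {"query.ad.cornell.edu", "awsquery.ad.cornell.edu",
                     "azquery.ad.cornell.edu"},
           "base_dn": None, "ports": {636, 3269},  # 3269 = Global Catalog over SSL (assumed)
           "off_campus": False, "stores_passwords": True},
    "adlds": {"hosts": {"lds.ad.cornell.edu"},
              "base_dn": SHARED_BASE_DN, "ports": {636},
              "off_campus": True, "stores_passwords": False},
}


@dataclass
class LdapClientConfig:
    instance: str            # "enterprise", "ad" or "adlds"
    url: str                 # ldaps://host[:port]
    bind_dn: str             # the BindID issued for this specific instance
    bind_password: str
    base_dn: str
    from_off_campus: bool = False
    want_authentication: bool = False  # verify end-user passwords, not just look users up


def check_config(cfg: LdapClientConfig) -> list[str]:
    """Return a list of policy violations; an empty list means the config is usable."""
    inst = INSTANCES.get(cfg.instance)
    if inst is None:
        return [f"unknown instance {cfg.instance!r}"]
    problems = []
    u = urlparse(cfg.url)
    if u.scheme != "ldaps":
        problems.append("scheme must be ldaps:// so the bind credentials are not sent in cleartext")
    if u.hostname not in inst["hosts"]:
        problems.append(f"host {u.hostname!r} is not a service name of the {cfg.instance} instance")
    if (u.port or 636) not in inst["ports"]:
        problems.append(f"port {u.port} is not an expected port for the {cfg.instance} instance")
    if not cfg.bind_dn or not cfg.bind_password:
        problems.append("anonymous access is disabled; a BindID and password for this instance are required")
    if inst["base_dn"] is not None and cfg.base_dn != inst["base_dn"]:
        problems.append(f"base DN should be {inst['base_dn']!r} for the {cfg.instance} instance")
    if cfg.from_off_campus and not inst["off_campus"]:
        problems.append("AD is not reachable from off-campus addresses; use AD LDS for lookups instead")
    if cfg.want_authentication and not inst["stores_passwords"]:
        problems.append(f"the {cfg.instance} instance does not store end-user passwords and cannot authenticate them")
    return problems


def ldapsearch_argv(cfg: LdapClientConfig, ldap_filter: str, attrs: list[str]) -> list[str]:
    """Build an ldapsearch command line for a config that passes check_config.

    -x selects a simple bind, -W prompts for the password so it never lands in
    the process list or shell history, -LLL trims the LDIF output.
    """
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return ["ldapsearch", "-H", cfg.url, "-x", "-D", cfg.bind_dn, "-W",
            "-b", cfg.base_dn, "-LLL", ldap_filter, *attrs]


# Constructed sample configurations (bind DNs are placeholders, not real BindIDs).
GOOD_ENTERPRISE = LdapClientConfig(
    instance="enterprise", url="ldaps://query.directory.cornell.edu",
    bind_dn="uid=PLACEHOLDER-bindid,ou=Special Accounts,o=Cornell University,c=US",
    bind_password="PLACEHOLDER", base_dn=SHARED_BASE_DN, from_off_campus=True)

# Wrong on three counts: plain ldap://, no password, and AD queried from off-campus.
BAD_AD = LdapClientConfig(
    instance="ad", url="ldap://query.ad.cornell.edu",
    bind_dn="CN=PLACEHOLDER-bindid,OU=PLACEHOLDER,DC=example,DC=invalid",
    bind_password="", base_dn="DC=example,DC=invalid", from_off_campus=True)

# AD LDS cannot verify passwords: lookups only.
ADLDS_FOR_AUTH = LdapClientConfig(
    instance="adlds", url="ldaps://lds.ad.cornell.edu",
    bind_dn="CN=PLACEHOLDER-bindid,O=Cornell University,C=US",
    bind_password="PLACEHOLDER", base_dn=SHARED_BASE_DN, want_authentication=True)

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv(GOOD_ENTERPRISE, "(uid=netid)", ["cn", "mail"])))
    for cfg in (BAD_AD, ADLDS_FOR_AUTH):
        for problem in check_config(cfg):
            print(f"{cfg.instance}: {problem}")
```

Running the module prints the ldapsearch invocation for the Enterprise directory and then the policy violations for the two bad configurations. The checks are deliberately performed before any socket is opened, so a misconfigured service account fails in testing rather than by leaking a bind password over ldap:// or timing out against an AD host it can never reach.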