Monday, 25 December 2017

Difference Between LDAP and Active Directory (AD)


LDAP vs Active Directory

LDAP (Lightweight Directory Access Protocol) is a protocol for accessing a directory service and retrieving data from it, whereas Active Directory is Microsoft's directory service. LDAP and Active Directory are not mutually exclusive, since they play different roles that can be used together. Many directory services exist alongside Active Directory, including free ones such as OpenLDAP. Microsoft has also taken Active Directory well beyond plain LDAP, adding other protocols such as Kerberos.
Active Directory is a Microsoft product developed largely on top of LDAP, so that it conforms to LDAP and interoperates cleanly with LDAP clients. Active Directory originally served its data over LDAP, and has since grown to include services beyond LDAP, such as Kerberos authentication.
Because LDAP is not tied to a single company, it can run on any operating system that offers a directory service. Microsoft, by contrast, owns Active Directory, so AD is only available on Windows systems.
In short, AD is one product that provides a directory service over LDAP. LDAP, on the other hand, is a protocol, and is therefore broader than Active Directory (a product built on LDAP). Whether you are using AD, OpenLDAP or any other vendor's directory service, you are still using LDAP.
Summary:
1. LDAP is a protocol for retrieving information from a directory service such as Active Directory.
2. LDAP predates Active Directory, and a large part of Active Directory is built on LDAP.
3. Active Directory is a Microsoft product, whereas LDAP is an open standard protocol (OpenLDAP is an open-source implementation of it).
4. Active Directory is rarely found outside Windows environments.
5. Active Directory provides additional services beyond LDAP functionality, such as Kerberos authentication.

Source: http://www.ubrid.net/lesson/ad-so-sanh-active-directory-va-ldap/
(Found it useful, so I collected it here)

Wednesday, 20 December 2017

openldap sizelimit: can't receive more than 500 entries

I can't receive more than 500 entries when I query my openldap server, although I made the following changes:
slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:
.....

# The maximum number of entries that is returned for a search operation
sizelimit 10000
ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT       10000
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
After restarting my machine and running the following query:
ldapsearch -x -h localhost -b "dc=XXX,dc=XXX,dc=XXX"
I receive:
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500
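Added example (mine, not part of the question above and not OpenLDAP project code): what usually explains this symptom is that slapd on the box reads its configuration from the cn=config database (the slapd.d directory) rather than from slapd.conf, so the slapd.conf edit is never seen and the compiled-in default of 500 stays in force. The SIZELIMIT in ldap.conf (like ldapsearch -z) only raises what the client asks for; the server still clamps the answer to its own limit. Note also that ldapsearch -x with no -D is an anonymous bind, so raising the global olcSizeLimit lets any unauthenticated client on the network enumerate more of the directory. The LDIF below, applied with ldapmodify over the local ldapi:/// socket, raises the global limit only modestly and instead grants one named service account an unlimited result size on the data database. The database DN olcDatabase={1}mdb, the bind DN cn=sync-reader,dc=example,dc=com and the numbers are placeholders for your own values; the commands in the comments assume the ldapi:/// socket exists and that root is mapped to the cn=config administrator, as on a stock Debian/Ubuntu or RHEL install.

```ldif
# Added example, not the original poster's configuration.
# First confirm where slapd really reads its config and what limit is live:
#   ls -d /etc/ldap/slapd.d /etc/openldap/slapd.d 2>/dev/null   # slapd.d present => slapd.conf is ignored
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcSizeLimit
#   (no olcSizeLimit attribute in the answer means the default of 500 is in force)
# Then apply this file:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif

# 1. Global limit. This applies to every bind, including anonymous ones,
#    so keep it as small as the legitimate clients need.
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 1000

# 2. Per-DN exception on the data database (placeholder DN; find the real
#    one with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=*)" dn).
#    Only the named, authenticated account gets an unlimited result size;
#    anonymous searches stay at the global limit above.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=sync-reader,dc=example,dc=com" size=unlimited time=unlimited
```

After the change, repeat the search as that account (ldapsearch -x -D "cn=sync-reader,dc=example,dc=com" -W ...) and the result line should no longer read "result: 4 Size limit exceeded"; repeating it anonymously should still be capped, which is the behaviour you want on a directory reachable from the network.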

Monday, 11 December 2017

Create Inbound and Outbound one-to-one Static NAT rules in FortiGate

I'm new to the FortiGate routers (I've always been a Cisco guy), and had a hard time figuring out how to properly configure inbound and outbound static one-to-one NAT rules in the router.  After doing a fair amount of searching in the FortiGate documentation and Googling, I found the information available online about this topic was either incomplete or out of date.  So I thought I'd pass this along in case it is helpful to anyone who finds this thread in the future.  I successfully did the below steps today on a FortiGate 60D running Firmware 5.2.7 build 718, but I'm pretty sure it will work the same on other similar models too.

 
How to create an INBOUND static NAT rule:
  1. Navigate to:  Policy & Objects > Objects > Virtual IPs
    1. Click the “Create New” button
    2. Name = Anything you want, something descriptive.  Remember this, you will select it as the Destination Address of the inbound firewall policy that allows traffic to the server.
    3. Comments = Optional. Anything you want.
    4. Interface = Select the correct external WAN interface that the public IP is connected to
    5. Source Address Filter = Defaults to unchecked, which is fine.
    6. External IP Address/Range = Just enter one *public* IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    7. Mapped IP Address/Range = Just enter one *private* IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    8. Port Forwarding = Optional.
      1. If you want to just have a 1-to-1 inbound static NAT map, leave this unchecked.  Restrict and control access through IPv4 firewall policies.
      2. If you want to control or redirect specific ports, check this and then add custom rules as necessary.
 
Just because you create an Inbound NAT rule, it doesn’t mean that all outgoing traffic from that internal IP will be NAT’ed to that external Public IP.  By default, the FortiGate will do outbound NAT to the external IP address only for *replies* sent by the internal server in response to requests that originated from *outside* the firewall.  If you want to ensure that *all* traffic originating from the internal server is always NAT’ed to a specific external public IP address, then you must create a custom Outbound Static NAT IPv4 policy.  If no custom outbound policy is created, then the outbound traffic that originates from the internal server will be NAT’ed to the router’s default overload one-to-many NAT public IP address.
 
How to create an Outbound Static NAT rule:
  1. Create a new address for the INTERNAL (private) device IP Address
    1. Navigate to:  Policy & Objects > Objects > Addresses
    2. Click the “Create New” button
    3. Name = Anything you want, something descriptive.  Remember this, you need it in Step #3.
    4. Type = IP/Netmask
    5. Subnet / IP Range = Just enter the single IP address
    6. Interface = Defaults to “any”, which is fine
    7. Show in Address List = Defaults to “checked”, which is fine
    8. Comments = Optional. Anything you want.
  2. Create a new address for the EXTERNAL (public) device IP Pool
    1. Navigate to:  Policy & Objects > Objects > IP Pools
    2. Click the “Create New” button
    3. Name = Anything you want, something descriptive.  Remember this, you need it in Step #3.
    4. Comments = Optional. Anything you want.
    5. Type = Select “One-to-One”
    6. External IP Range = Just enter one public IP address.  Put the same IP address in both fields (this means you’re only defining ONE IP address, instead of a RANGE or block of IPs)
    7. ARP Reply = Uncheck this  (defaults to checked)
  3. Create an outbound policy to connect the two IP addresses
    1. Navigate to:  Policy & Objects > Policy > IPv4
    2. Click the “Create New” button
    3. Incoming Interface = internal (or whatever internal VLAN, interface, etc. you need to apply this to)
    4. Source Address = Select the name that you specified in Step #1
    5. Source User(s) = Normally you’ll want to just leave it blank/default
    6. Source Device Type = Normally you’ll want to just leave it blank/default
    7. Outgoing Interface = Select the correct external WAN interface that the public IP is connected to
    8. Destination Address = all
    9. Schedule = always
    10. Service = ALL
    11. Action = ACCEPT
    12. Firewall / Network Options
      1. Make sure NAT is turned “ON”
      2. Use Dynamic IP Pool = Select the name that you specified in Step #2
    13. Make sure that “Enable this policy” is turned “ON”
    14. In the IPv4 Policy summary page, drag your new rule up to the top, above the generic “all – all – always – all” outbound allow rule.  FortiGate applies policies from top to bottom.
 
NOTE:  Sessions that already exist keep the source NAT address they were created with (a browser's persistent connections included), so if you are testing your outbound IP NAT against an external website (like www.whatismyip.com) then you need to completely close and restart your browser sessions, or reboot your test computer, or reboot the router, or wait for the existing sessions to expire.  I just found that visiting multiple different "show your IP" websites was easiest.
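As an added example (mine, not the original poster's steps and not Fortinet documentation), here are the same two NAT rules expressed in the FortiOS CLI, using the 5.2 syntax of the firmware the post was tested on (later releases changed a few details, e.g. mappedip became a quoted list). wan1, internal, the object names, 203.0.113.10 (an RFC 5737 documentation address standing in for the public IP) and 192.168.1.10 are placeholders. Two points the click-through glosses over: the VIP forwards nothing by itself, and the inbound policy that references it is where exposure is decided, so set its Service to what the host must publish rather than ALL, because a 1-to-1 VIP behind a Service=ALL policy publishes every port of the host. And the reason the one-to-one pool can leave ARP Reply off is that the VIP for the same address already answers ARP on wan1 (a VIP's arp-reply defaults to enabled), so if that VIP is ever deleted, re-enable arp-reply on the pool or nothing will answer for the public IP.

```text
# Added example: FortiOS 5.2 CLI equivalent of the GUI steps above.
# Placeholders: wan1 = external interface, internal = LAN interface,
# 203.0.113.10 = public IP, 192.168.1.10 = internal server.

# ---- INBOUND: one public IP mapped to one private IP (DNAT) ----
config firewall vip
    edit "vip-web01"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
    next
end

# The policy that actually admits traffic to the VIP. Only the services the
# host must publish are listed; NAT is left off because the VIP does the DNAT.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# ---- OUTBOUND: new sessions from the server always leave as 203.0.113.10 ----
config firewall address
    edit "host-web01"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# arp-reply is disabled here only because the VIP above already answers ARP
# for 203.0.113.10 on wan1; enable it if that VIP is removed.
config firewall ippool
    edit "pool-web01-1to1"
        set type one-to-one
        set startip 203.0.113.10
        set endip 203.0.113.10
        set arp-reply disable
    next
end

config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host-web01"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-web01-1to1"
    next
end

# First match wins, so place the new outbound policy above the generic
# internal -> wan1 allow rule. <new> and <generic> are the policy IDs that
# "edit 0" assigned and the existing rule carries (see: show firewall policy).
#   config firewall policy
#       move <new> before <generic>
#   end

# Verify from the CLI rather than from a website (existing sessions keep
# their old source address until they expire):
#   get system session list | grep 192.168.1.10
#   diagnose sniffer packet wan1 'host 203.0.113.10' 4
```

If the outbound test still shows the overload address, check that the new policy really sits above the generic rule and that the session you are looking at was created after the policy change; the sniffer line above shows the source address actually leaving wan1, which is the ground truth.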