The thing is, that this isn’t entirely true. Sure, AD is a directory service which uses the LDAP protocol and it uses Kerberos for authentication, but…
AD is a very strict kind of Directory Service. It is not flexible when it comes to attributes (understatement), whereas OpenLDAP is highly flexible with attributes. I would love some insightful comments by @Christian since he is one of the few that actually understands LDAP.
I was always told that in the MS world the domain is seen as a security boundary. All devices, services and accounts within this domain are managed on the Domain Controller through the AD. Besides that we should know what services we need on our network.
I think it is important to know what exactly are the similarities and what are the differences between OpenLDAP and Samba4AD.
What I found on my search for information:
The Similarities Between LDAP and AD
First, it’s obvious that LDAP and AD are both software implementations of directory services. They are also both hosted on-premises, in most cases. Further, both Microsoft Active Directory and OpenLDAP are fundamentally based on the LDAP protocol, although most people don’t know that because AD mostly authenticates using Kerberos. However, AD does have the capability to authenticate via LDAP as well. Both directories struggle to connect users to cloud computing infrastructure such as IaaS or web-based applications.
The Differences Between LDAP and AD
Realistically, there are probably more differences than similarities between the two directory solutions. Microsoft’s AD is largely a directory for Windows users, devices, and applications. AD requires a Microsoft Domain Controller to be present and when it is, users are able to single sign-on to Windows resources that live within the domain structure.
OpenLDAP, on the other hand, has largely worked outside of the Windows structure focusing on the Linux / Unix environment and with more technical applications. OpenLDAP doesn’t have the same concepts of domains or single sign-on. OpenLDAP is largely implemented with open source solutions and as a result has more flexibility than AD.
Another critical difference between OpenLDAP and Active Directory is how AD and OpenLDAP each approach device management. AD manages Windows devices through Group Policy Objects (GPOs). A similar concept doesn’t exist within OpenLDAP.
So, I think the choice should be determined based on needs. Scenarios I can think of:
- Device management
- File Server
- BYOD
- Windows clients only
- Mix of clients
- Update management of your clients
Can you guys come up with more scenarios?
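To make the "AD can authenticate via LDAP too, but its attributes differ from OpenLDAP" point concrete, here is a small added example (written for this thread, not code from the poster or from either project). It builds the user-lookup filter that an application performs before an LDAP bind, once for AD (where the login name lives in sAMAccountName) and once for a typical OpenLDAP inetOrgPerson tree (where it lives in uid). The attribute mapping, object classes and sample logins are assumptions for the example; the escaping follows RFC 4515 so that a login name containing filter metacharacters cannot change the meaning of the query. It uses only the Python standard library and runs without a directory server.

```python
"""Construct a safe user-lookup filter for LDAP-based authentication
against Active Directory or OpenLDAP (added example, not from the thread)."""

# Which attribute holds the login name differs between the two directories.
# This mapping is an assumption of the example: sAMAccountName is AD's
# pre-Windows-2000 logon name; uid is the usual inetOrgPerson/posixAccount
# login attribute in an OpenLDAP tree.
LOGIN_ATTRIBUTE = {
    "ad": "sAMAccountName",
    "openldap": "uid",
}

# RFC 4515 filter-value escaping. These characters would otherwise be
# interpreted as part of the filter syntax when user input is concatenated
# into the query string.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(directory: str, login: str) -> str:
    """Return the search filter used to find the account to bind as.

    `directory` is "ad" or "openldap"; `login` is untrusted user input.
    """
    if not login or len(login) > 256:
        # Reject empty and absurdly long names before they reach the server.
        raise ValueError("invalid login name")
    attr = LOGIN_ATTRIBUTE[directory]
    safe_login = escape_filter_value(login)
    if directory == "ad":
        # objectClass=user alone also matches computer accounts in AD;
        # objectCategory=person narrows the match to user accounts.
        return f"(&(objectCategory=person)(objectClass=user)({attr}={safe_login}))"
    # Assumed OpenLDAP layout: people stored as inetOrgPerson entries.
    return f"(&(objectClass=inetOrgPerson)({attr}={safe_login}))"


if __name__ == "__main__":
    # Constructed sample logins: one ordinary, one containing filter syntax.
    for name in ("jdoe", "*)(uid=*"):
        for d in ("ad", "openldap"):
            print(d, user_lookup_filter(d, name))
```

The returned filter is what you would pass to the search step of your LDAP client before binding as the located entry; the second sample login shows that a name carrying `*`, `(` and `)` is matched literally rather than widening the search. The bind itself should go over LDAPS or StartTLS, since a simple bind sends the password in the clear otherwise; that transport choice applies equally to AD and OpenLDAP.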