> Also, I want to note that AD is not a directory service, per se.  It is an 
> authentication and authorization service, and does not follow the LDAP 
> RFCs very closely in a number of key areas.  This can (and does) lead to 
> problems down the road if what you are truly looking for is a directory 
> service.
> 
> --Quanah

In our own research at UTA we found this to be true.  There are a handful of 
aspects that make AD problematic from the LDAP standpoint.  It is also 
problematic when you want to use it even for Authentication and Authorization 
of machines not running Windows.  While there are probably workarounds for 
everything, why not simply run software that works as expected and as dictated 
by RFC rather than spaghetti-code some workarounds?

For our central authentication and authorization, we use AD for Windows but we 
use Kerberos and OpenLDAP for everything else.

-- DK
