Active Directory vs OpenLDAP

Migol · Jun 15, 2009 · Viewed 55.3k times · Source

What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?

Answer

squarism · May 12, 2010

Here are some differences I know off the top of my head. OpenLDAP could be called a generic LDAP server similar to many other vendors' LDAP servers (Fedora DS 389, Oracle Internet Directory, IBM Tivoli Directory Server). Active Directory is a bit more customized for a Microsoft product suite (i.e. running a Microsoft domain). There are pros and cons of each.

OpenLDAP is empty after installation and has no structure (called a DIT). It doesn't even have a root entry out of the box. AD is going to ship with a basic structure and has the GUI tools ready for you to start populating users. OpenLDAP and others expect you to create the DIT by hand so you'll have to design a structure. So you'll have to plan out where you're going to put your users, groups, roles and think about ACLs or branch delegation if your project involves things like that. For example you might have a domain for widgets.com. In AD the shipped structure will look something like this:

+ dc=widgets,dc=com
|-- cn=Computers
|-- cn=Users
|-- cn=Groups

In OpenLDAP (or other vanilla implementations), you can design your DIT in many ways. You can follow the domain component (dc=foo,dc=bar) convention or you can use something organized by geographic region (o=foo,c=bar). It doesn't matter a whole lot but you should go with one or the other. AD uses the DC convention and doesn't give you a choice but other LDAP servers can follow either convention. If you're trying to fit into a big MS domain, I'd stick with DC convention for consistency and ease of integration. But for this example we'll pretend our company is an organization (o) in one country (c) with no regions or units (ou):

+ o=widgets,c=us
|-- cn=Machines
|-- cn=People
|-- cn=Groups
|-- cn=Roles

Then you can extend your schema if need be. If you want to extend your AD schema, AD will require you to add schema elements via the Active Directory Schema Editor MMC console plugin (make a custom MMC). After that, it's pretty straightforward. Define your attributes first and then your objectclasses. OpenLDAP requires you to write an LDIF (also requires attributes first and then objectclasses). Or use Apache Directory Studio with OpenLDAP which is an awesome GUI and admin tool and makes OpenLDAP near-AD ease of use.

AD doesn't let you query everything on 389 anonymously. If you want to get schema information (called the catalog) you have to query on 3289 and authenticate. This reminds me of LDAP's DIB vs DIT hiding but I don't know if AD is trying to do the same thing here.

AD has a default query limit of 10,000. If you want to suck down everything in one shot you have to use paging controls on your client or in your code or modify the default query limit on the domain controller you are searching. Note that paging controls can be problematic. I'd gotten them to work in java using the Netscape libraries but some LDAP clients don't seem to work correctly even though they claim they support paging controls (YMMV).

AD's authentication is a little strange. You can authenticate as an email formatted username (-D username@domain) or you can use the full user DN. If there's a way to do this in OpenLDAP, I don't know how to do it but I wouldn't bother. This is odd compared to other LDAP servers. Plain LDAP usually follows the DN format (cn=username,cn=Users,o=widgets,c=us).

I guess in short, AD is opinionated and OpenLDAP is generic. And because of that, AD is easy to stand up but OpenLDAP can be more flexible.
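The answer's point that OpenLDAP ships with an empty DIT (no root entry, no containers) means the structure has to be written out by hand, normally as LDIF for ldapadd. The script below is an added example, not part of the original answer or of the OpenLDAP project. It builds the two layouts sketched above (the o=/c= tree with Machines, People, Groups and Roles, and the dc= tree AD uses), renders them as RFC 2849 LDIF, and checks the two rules a server will enforce on the add: the suffix entry must go in first and every later entry needs an already-existing parent, and each entry must actually carry its own RDN attribute (otherwise you get a naming violation). The objectClass choices (organization, dcObject, organizationalRole for the cn= branches) are assumptions; any class that permits the naming attribute would do.

```python
"""Bootstrap LDIF for an empty OpenLDAP DIT, with an add-order check.

Added example, not from the original answer. Suffixes and branch names
follow the answer's sketch; objectClass choices are assumptions.
"""
import base64
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]


def build_dit(suffix: str, suffix_attrs: Dict[str, List[str]],
              branches: List[str]) -> List[Entry]:
    """Return the suffix entry followed by one cn= branch per name.
    Branches are modelled as organizationalRole (assumption: any
    objectClass that allows cn as naming attribute would work)."""
    entries: List[Entry] = [(suffix, suffix_attrs)]
    for name in branches:
        entries.append((f"cn={name},{suffix}",
                        {"objectClass": ["top", "organizationalRole"],
                         "cn": [name]}))
    return entries


# The answer's vanilla-OpenLDAP layout (o=/c= convention), constructed.
WIDGETS_OC = build_dit(
    "o=widgets,c=us",
    {"objectClass": ["top", "organization"], "o": ["widgets"]},
    ["Machines", "People", "Groups", "Roles"])

# The same company under the dc= convention AD uses, constructed. For
# OpenLDAP the root needs dcObject so that dc=widgets is a legal RDN.
WIDGETS_DC = build_dit(
    "dc=widgets,dc=com",
    {"objectClass": ["top", "dcObject", "organization"],
     "dc": ["widgets"], "o": ["widgets"]},
    ["Computers", "Users", "Groups"])


def split_rdn(dn: str) -> Tuple[str, str, str]:
    """Split 'attr=value,parent' into (attr, value, parent).
    Assumes no escaped commas in values, which holds for the DNs here."""
    first, _, parent = dn.partition(",")
    attr, _, value = first.partition("=")
    return attr.strip(), value.strip(), parent.strip()


def check_add_order(entries: List[Entry]) -> List[str]:
    """Return the problems ldapadd would hit, in order; [] means clean.
    Rule 1: the first entry is the suffix; every later entry's parent
    must already have been added. Rule 2: the RDN attribute and value
    must be present in the entry itself (naming violation otherwise)."""
    if not entries:
        return ["no entries: an empty OpenLDAP has no root until you add one"]
    problems: List[str] = []
    suffix = entries[0][0]
    seen = set()
    for dn, attrs in entries:
        attr, value, parent = split_rdn(dn)
        if dn != suffix and parent not in seen:
            problems.append(f"{dn}: parent {parent!r} not added yet")
        if value not in attrs.get(attr, []):
            problems.append(f"{dn}: RDN {attr}={value} missing from attributes")
        seen.add(dn)
    return problems


def _ldif_value(attr: str, value: str) -> str:
    """One LDIF attribute line. Per RFC 2849 a value that is not a
    SAFE-STRING (leading space/colon/'<', NUL, CR, LF, or non-ASCII)
    is base64-encoded and written with '::'."""
    unsafe = (value[:1] in (" ", ":", "<")
              or any(ord(ch) > 127 or ch in "\0\r\n" for ch in value))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def to_ldif(entries: List[Entry]) -> str:
    """Render entries as an LDIF add file, suitable for 'ldapadd -f'."""
    records = []
    for dn, attrs in entries:
        lines = [_ldif_value("dn", dn)]
        for attr, values in attrs.items():
            lines.extend(_ldif_value(attr, v) for v in values)
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Validate before emitting; a clean tree reports no problems.
    for tree in (WIDGETS_OC, WIDGETS_DC):
        print(check_add_order(tree))
    print(to_ldif(WIDGETS_OC))
```

Running it prints two empty problem lists and the LDIF for the o=widgets,c=us tree; reversing the entry list (children before the suffix) makes check_add_order report each orphaned entry, which is the same failure ldapadd would stop on. The DIT is only the skeleton: once it exists, the access control and branch delegation the answer mentions are configured separately on the server, per branch.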