
Active Directory vs OpenLDAP


What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?


Solution

  • For heterogeneous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users - these can be kept in sync with a separate LDAP server, though this adds complexity.

    As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary. (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface.):

    http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG

    Ranging Attributes Attributes in Active Directory and ADAM with more than 1000 values are returned 1000 at a time with a name that includes the range of values that were returned (or 1500 for Windows 2003). The range is returned to the client in the form: member;1-1000: somevalue In order to get the next thousand entries, the client application must somehow know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Microsoft Active Directory in a special way compared to other directory products.

    Password Updates Microsoft Active Directory and ADAM have special rules around how the password of a user may be updated by using LDAP:

    • Passwords may only be updated via secure SSL connection.
    • If a user is updating their own password, the original password must be included in a modify delete with the new password being a modify add in the same modify operation.
    • Only an administrator may reset the password of a user without knowing the previous password.
    • Active Directory does not use the userPassword attribute, it uses the unicodePwd attribute (which is quoted-UTF16-hex-padded-base64 encoded).

    ObjectClass Mapping Most LDAP directories use the inetOrgPerson and groupOfUniqueNames object classes for users and groups. Microsoft Active Directory uses the user and group objectClasses with attributes specific to Active Directory NOS requirements of Microsoft.

    These are some of the main ones but there are others.
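The two AD quirks the answer above describes (ranged retrieval of large multi-valued attributes, and the unicodePwd password-change rules) as an added, offline-runnable example. This is not code from the original answer or from Oracle Virtual Directory. It uses AD's actual on-the-wire attribute naming for ranges (`member;range=0-1499`, with `*` as the upper bound on the final chunk, and the client asking for `member;range=1500-*` next), and a constructed `FakeADServer` that stands in for a real directory so the loop can be exercised without an AD; the `search(dn, attr_request)` callable signature is an assumption of this example, not an API of any library.

```python
"""Added example: AD ranged-attribute retrieval and unicodePwd modify payloads.
Everything below is constructed for illustration; FakeADServer is a stand-in
for a real Active Directory, not a real client library."""
import re

# AD returns a large multi-valued attribute under a name such as
# "member;range=0-1499"; the final chunk carries "*" as its upper bound.
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def next_range_request(returned_attr_name):
    """Given the attribute name AD returned, compute the name to request next.

    Returns None when no further request is needed: either the attribute was
    not ranged at all, or the chunk was the last one (upper bound '*')."""
    m = _RANGE_RE.match(returned_attr_name)
    if not m or m.group("hi") == "*":
        return None
    return f"{m.group('attr')};range={int(m.group('hi')) + 1}-*"


def fetch_all_values(search, dn, attr):
    """Collect every value of a multi-valued attribute, following AD ranges.

    `search(dn, attr_request)` is assumed to return {returned_attr_name: [values]}
    for exactly one attribute (the one requested), or an empty dict."""
    values = []
    request = attr
    while request is not None:
        result = search(dn, request)
        if not result:
            break
        name, chunk = next(iter(result.items()))
        values.extend(chunk)
        request = next_range_request(name)   # None once the '*' chunk arrives
    return values


class FakeADServer:
    """Constructed stand-in for AD: hands out `page_size` values per request
    (AD's MaxValRange; 1500 by default on Windows 2003 and later)."""

    def __init__(self, members, page_size=1500):
        self.members = list(members)
        self.page_size = page_size

    def search(self, dn, attr_request):
        m = _RANGE_RE.match(attr_request)
        base = m.group("attr") if m else attr_request
        lo = int(m.group("lo")) if m else 0
        # A group that fits in one page is returned under the plain name.
        if not m and len(self.members) <= self.page_size:
            return {base: list(self.members)}
        hi = lo + self.page_size - 1
        chunk = self.members[lo:hi + 1]
        last = hi >= len(self.members) - 1
        return {f"{base};range={lo}-{'*' if last else hi}": chunk}


def encode_unicode_pwd(password):
    """AD's unicodePwd value: the password wrapped in double quotes, encoded as
    UTF-16LE without a BOM. On the wire it is a raw octet string; base64 only
    appears when the value is written into an LDIF file."""
    return f'"{password}"'.encode("utf-16-le")


def self_password_change_mods(old_password, new_password):
    """Modify list for a user changing their own password: delete the old value
    and add the new one in the same modify operation. Must be sent over TLS
    (LDAPS or StartTLS) or AD rejects the change."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def admin_password_reset_mods(new_password):
    """Administrative reset: a single replace, no knowledge of the old value."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


if __name__ == "__main__":
    big = FakeADServer(f"CN=u{i},OU=x,DC=example,DC=com" for i in range(3210))
    print(len(fetch_all_values(big.search, "CN=g,DC=example,DC=com", "member")))
    print(self_password_change_mods("Old-Passw0rd", "New-Passw0rd!"))
```

Note that the modify list is language-neutral on purpose: feeding it to a real client (for example as `MODIFY_DELETE`/`MODIFY_ADD` changes in ldap3, or `ldap.MOD_DELETE`/`ldap.MOD_ADD` in python-ldap) is a direct translation, and the order (delete before add) is what AD checks when a user changes their own password.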