> AD *is* a modified/extended LDAP+Kerberos based system, it just adds a
> ton more proprietary stuff around it to manage Windows workstations, the
> whole Group Policy Object stuff etc etc. That's all implemented via
> LDAP extensions.

I'm sorry, with all due respect I disagree. There is an unfathomable quantity of functionality not accessible via LDAP. You can query some aspects made available through the LDAP interface, but you cannot set or modify plenty of them.