Hi,

AD is just an umbrella name for a tool with has several protocols, normally slightly changed from the RFCs, and you can choose the one with fits better for your proposes.

If you choose a LDAP server, then the authentication and authorization is done by the LDAP server.

If you choose a AD server, then the authentication is done via kerberos or ntlm and the authorization is done via LDAP. This needs to your SA be registred in the AD. This could a good way to go, if you could enable Single Sign On in your environment with kerberos/ntlm.

The AD option is only usable for Microsoft Active directory connections while the LDAP can be used for any LDAP compatible server include Microsoft Active Directory.

If your authentication server is a Microsoft AD domain then use the AD option.

AD as stated is for use with Microsoft Active Directory domains while LDAP is a standards based solution that can be used with almost any LDAP based authentication solution, including against Microsoft AD.

As most companies run AD it might seem to be straightforward - use AD as your AA choice. However it really boils down to how do you want to perform your authorization. Authentication is straightforward and either choice works.

For role assignment AD limits you to using security groups. IE - if member of security group "X" then role "Y" - which in many cases works just fine.

However with LDAP you have the entire set of directory objects available to you. IE - if member of department "Y" and residing in state "X" and your middle initial is "J" then assign to role "A" 

So LDAP gives you much more flexibility in using directory attributes for role assignment. 

In the more recent releases, you have the option of enabling ldap on active directory auth servers.  I'm not sure what this allows you to do since I haven't used it.