OpenLDAP and pGina vs Active Directory (Using Samba4 Domain Controller)

Note: I know there are some questions talking about similar topic, but they were all a couple of years old, therefore I prefered to mention my exact situation to get the most proper solution according to the being time techniques. I want please to discuss some different cases to get whole understanding.

I want to manage a system of a company or a university (so medium and large scale cases), and I intend to provide the following services for the users of the system on an Ubuntu server: OpenVPN, Jabber, Git, FreeRadius, Email , Redmine and samba file sharing, etc... I want all the services to authenticate using the same username and password (so to fetch the username and password from a centralized authenticating system, OpenLDAP or Active Directory (with Samba4 as domain controller)). And I want to allow the clients to logon to the public PCs in the company or university using their same previous username and password, and those public PCs of the clients are a mixture of Windows, Linux, MAC, (and let's discuss the case, when we have just Windows clients, so NO mixture).

I used to use OpenLDAP to authenticate all the mentioned services, and to handle Windows login using pGina, over OpenLDAP and it was pretty good for me.

But I got confused when I started learning about domain controllers for windows using samba4, and I couldn't make a decision what is better for me, is it pGina, or is it Samba4 domain controller? Keeping in mind that in this case (Domain Controller) I cannot use OpenLDAP anymore, because I cannot authenitcate windows against OpenLDAP, but just samba4 AD (And I cannot run Samba4DC in parallel with OpenLDAP in the same server because they are both LDAP servers).

I know that in the being time I cannot make Windows Login authentication against OpenLDAP, but can't I make them somehow communicating with each other of use the benifits of them both (in case I need OpenLDAP to do something not available in AD)?

Do you advise to use OpenLDAP or Active Directory (Using Samba4 as Domain Controller) and why? (taking in consideration handling the authentication of all mentioned services and system login authentication using JUST ONE username and password for each client). What will I be able to do (and what not) if I used Samba4AD and not OpenLDAP (and the opposite case). According to what I understood from previous readings, they said that the advantage of AD is that it can manage groups policy in Windows. How can the groups policy exactly be usful for my case? and which alternatives do I have in case you advised to use OpenLDAP?

To summarize the main questions:

• In my case, is OpenLDAP prefered or Samba4AD DC to authenticate all services + clients login with the same username and password? (although I understand that I cannot authenticate windows with OpenLDAP but you might have some additions to say about that).
• What are the advantages of joining clients PCs to a domain controller by Samba4 instead of just using pGina?
• In case of lack of features in them both (something is provided in one and not in the other), what is the alternative solution to avoid that features lacking?

And Please keeping in concideration that I prefer the open source, supported and long term live solutions (logically).

Thank you in advance!

Thank you very much! So I can understand that I am able to do almost everything with Samba4 AD, but not with OpenLDAP (as it lacks windows-specific functionalities), is that right? And for any reason later (maybe samba supports OpenLDAP as backend), is it easy and practical to transfer my database from AD to OpenLDAP (and from OpenLDAP to AD)?

Depends on what "almost everything" is. We found that Samba worked fine for Redmine, OpenVPN and other apps to authenticate against. But moving your database from OpenLDAP to AD probably isn't easy... We didn't transfer ours, we created new accounts and wrote a script to extract just the password hashes from OpenLDAP and import them into AD.

So if I can authenticate one app against AD, why would I not be able to authenticate another one against it (ie why just redmine or OpenVPN and not openfir or git maybe)?

Ook thank you, that means in short sentence: OpenLDAP and AD give the same funcionalities, but the AD gives a little bit more (more functions for windows clients when they join the domain), is that right?