I need a suggestion about having AD DS or AD LDS for my infrastructure.
I have a website which as of now does not have any login facility for the visitors. Now we are developing a new application so that the visitors can create an account on the website. The best example you can think of is any telecom service provider: they have their website and are now creating a login facility for its customers so the users can create an account and can subscribe for ebill sort of facilities.
Hope the situation is clear now. For this particular application, I intend to have a web server, an application server, a DB server, one SMTP server and one AD server (for authentication of users and for saving the profiles also).
My question here starts on the AD front: do I need AD DS or AD LDS here? What I need from AD is
- provide user authentication
- provide role based access.
This is my query.
As Rajeev has pointed out in comments, Active Directory IS an LDAP server and more, and the AD LDS service is a "free" Windows Server role that is provided to do specifically what he is looking for. AD provides many extras (replication, Kerberos, federation, etc.) that you would have to build on your own with a Free/OSS solution like OpenLDAP+postgres+kerberos. There are other (primarily commercial) directory services which have similar abilities.
Licensing should probably not be an issue. You are probably going to have AD installed if your deployment is going to be primarily Windows-based (for the computer accounts, admin accounts, etc.), and this will be relatively small (looks like a 5-user CAL at most). Any "user" objects that you create in LDS for your public users will not be counted against the licenses for your AD DS accounts. You can contact Microsoft Licensing to verify this.
Using AD LDS definitely has some great benefits, your proposed installation may be too small to realize some of them though.
All that said... If you don't have any particular experience with AD, and don't have any particular infrastructure already in place to handle it, you may not see much benefit by going this route. Based on the size of your described deployment, you could almost certainly go with an OSS setup like LAMP + OpenLDAP, depending on your comfort zone and what your application requirements are.
Keep in mind that if you are doing any kind of user management, then you are going to be very, VERY sorry if your approach is just "stick a bunch of user names and passwords in a SQL table." User management is a complex process that has already been solved countless times before. Handling passwords is something you just should not be doing unless you already have lots of experience in security-related programming. Please don't roll your own!
Find a suitable commercial or OSS framework that has been designed already to handle AAA* correctly, something like OpenID is probably not a terrible idea. Jeff Atwood's blog (he runs a website, you may have heard of it...) has a number of posts discussing these issues around his work on StackOverflow and ServerFault.
Anyway, I hope this discussion helps.
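To make concrete what the "bunch of user names and passwords in a SQL table" warning above is about, here is an added example (not code from the question, the answer, or any project mentioned) of the minimum a SQL-backed user store has to do: never keep the plaintext, derive a per-user salted hash with a memory-hard KDF from the Python standard library, compare in constant time, and carry a role for access checks. The table layout, role names and scrypt parameters are constructed assumptions; a real framework or directory service does this (and much more) for you.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt cost parameters (assumed values; tune to your hardware and store them
# next to each hash so they can be raised later without invalidating accounts).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def open_user_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's DB server."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, role TEXT NOT NULL)"
    )
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard derivation; the plaintext never reaches the table."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def create_user(db: sqlite3.Connection, username: str, password: str, role: str) -> None:
    salt = os.urandom(16)  # fresh random salt per account
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (username, salt, hash_password(password, salt), role))


def authenticate(db: sqlite3.Connection, username: str, password: str):
    """Return the user's role on success, None on any failure."""
    row = db.execute("SELECT salt, pw_hash, role FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return None
    salt, stored, role = row
    if hmac.compare_digest(hash_password(password, salt), stored):  # constant-time
        return role
    return None


def is_authorized(role: str, required: str) -> bool:
    """Role-based access check over a constructed ordered role set."""
    order = {"subscriber": 1, "billing-admin": 2}
    return order.get(role, 0) >= order[required]
```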
You do need to learn programming, but you do not need ANY AD implementation. Most websites have their own user database in some database (SQL, that is) and do not rely on AD.