Ask HN: Self-hosted AD/Entra ID alternative that works with Windows and Linux?

2 points by marenkay 151 days ago | 8 comments

I'm working on an open-source identity platform (Rust, AD-compatible, native OIDC) and trying to figure out whether this is a real problem or something I've convinced myself matters.

The idea is: replace Microsoft AD/Entra ID with something you can self-host, that handles Windows domain join AND Linux login AND modern auth protocols.

Current options seem to be:

- stay with Microsoft AD (the original beast) - Samba AD (works but painful, no modern protocols) - UCS/Zentyal (wrap Samba, heavyweight) - Keycloak/Authentik/etc (no Windows domain support)

My questions:

- How do you handle identity across Windows and Linux today? Is it painful? - Have you actually looked for alternatives, or is AD "good enough"? - Would sovereignty/self-hosting be a important for you, or is that just talk?

I am having a lot of fun building and using this but I severely wonder if this is just a me problem. Help a guy out? :-)

lucideng 150 days ago |

AD/Entra is pretty good in my experience working with it. Self-hosting Entra is basically running a Windows Server + Domain Controller, or one of the alternatives you mentioned. Not something I would typically recommend to a customer unless they already had it running and were experienced in it.

IMO, the best way to "handle identity across Windows and Linux" is Microsoft's own tools. You can join Windows, Mac, and Linux machines into Entra now. For $8 a month you can get an F3 license for a user. This gets you the MS Office Suite (web only) plus Intune/Endpoint Management for 5 active devices, licensed Windows 11 Enterprise (good for machines without an included windows license), the ability to control Device Policy and Conditional Access Policy. The F1 license ($2.25) might work, but don't quote me on that (read-only office, no mobile apps, no Windows Hello for Business).

Mac and Linux machines aren't as robust as Windows for endpoint management. But the core features you'd want are mostly there. Apple business manager is needed and has to be paired with Entra, but it's not completely terrible. The Microsoft documentation is actually very helpful here.

marenkay 150 days ago | |

Fair point - Microsoft has definitely made it easier for cross-platform deployment with Entra ID, and for many orgs the F3 license math works out.

May I ask, has the fact that the data and service is under US residency and subject to US laws ever been an issue for you? That's the niche I'm trying to understand - whether it's big enough to matter or just an odd edge case.

reliefcrew 151 days ago |

> Have you actually looked for alternatives, or is AD "good enough"?

TBH, I always thought YP/NIS was good enough... but I live in a tiny bubble. Obligatory:

https://xkcd.com/927/

P.S. Your cert for https://kogito.network/ is expired :(

marenkay 151 days ago | |

Honestly, I wish I could stick with LDAP forever, it just worked. But no. My first setup in 2004 was OpenLDAP all the way for every service.

I am moving to a new server over Christmas, thanks for telling though :-)

reliefcrew 151 days ago | | |

Yeah, it's a big world and it has a clever way of getting what it wants. On a serious note I'd say you'll just have to balance your design w/ what people are willing to pay for. You probably know this already though :-)

Enjoy the new server!