upvote

points

by ipython13 hours ago |
comments
upvoteby bzzzt12 hours ago|
next
[-]
Active directory is dying along with local computer networks. Microsoft is pushing customers to Entra (formerly Azure Active directory). Modern, hybrid AD is not easy to use and difficult to manage.
reply
upvoteby jabl11 hours ago|
parent|
next
[-]
There's https://himmelblau-idm.org/ for a Linux client for Entra. Haven't tried it myself though.
reply
upvoteby dijit11 hours ago|
parent|
next
[-]
Doesn't FreeIPA work with EntraID? I used to use it with Exchange and it worked pretty well.. (or, as well as any non-microsoft product that has to intergrate with Microsoft products at least).
reply
upvoteby bzzzt10 hours ago|
parent|
prev|
[-]
Looks nice, all it needs is an OSS server now ;)
reply
upvoteby dijit11 hours ago|
parent|
prev|
next
[-]
This is 100% the current situation, and it's worth mentioning because clearly you have a finger on the pulse here - and that needs to be stated for others.

But, I wonder if Microsoft might reverse their stance on EntraID being SaaS; with the handwringing about sovreignty from Europe.

Back when "the deal" was made with Microsoft to basically embed itself into the digital ecosystem of every government, major institution and company in Europe: it was not the case that a member of the european parliament could have their mail disabled arbitrarily by Microsoft- such a thing was technically possible through a lot of hoops but it was significantly less feasible.

If Microsoft was to reverse course then I'm sure it would stop all the handwringing, even if people would continue to use the EntraID product in reality.

reply
upvoteby bzzzt10 hours ago|
parent|
[-]
I don't see Microsoft backing down from their SaaS push: it's necessary for authentication and authorization in all their Office 365 (or whatever it's called now) applications, also on platforms not running Microsoft clients. Beside that Entra is an OIDC server which makes it possible to integrate other SaaS applications in a domain which is near impossible to do if you only have local authentication.

Of course, you can still run local AD which synchronizes with Entra, but that means you get the worst of both worlds: you are paying for the cloud software but still have to manage your own servers.

reply
upvoteby esseph11 hours ago|
parent|
prev|
[-]
> dying along with local computer networks

I have seen the exact opposite, with people moving to things like jumpcloud, keycloak, authentik, etc.

reply
upvoteby bzzzt10 hours ago|
parent|
next
[-]
Those are all apps running in the cloud. I meant the classic Windows AD company LAN like solutions where the clients, server and network are tightly coupled.
reply
upvoteby esseph6 hours ago|
parent|
[-]
> Those are all apps running in the cloud.

Authentik and others can be deployed as docker containers that can be deployed any way you wish.

> I meant the classic Windows AD company LAN like solutions where the clients, server and network are tightly coupled.

In any mixed environment these days of Windows PCs, MacOS, and Linux, yeah, you can use a SaaS like jumpcloud with support for all of them, or you can integrate them into the ldap/kerb backend of your choice. Bonus points if your network devices are using RADIUS auth to the same identity source.

reply
upvoteby amaccuish11 hours ago|
parent|
prev|
[-]
Jumpcloud is SaaS.
reply
upvoteby esseph10 hours ago|
parent|
[-]
Yes, but it's not Microsoft Active Directory or Entra, which was my point.
reply
upvoteby ElectricalUnion12 hours ago|
prev|
[-]
Ideally you want to run all those trusted (read: security critical, if compromised entire system is no longer trustworthy) processes on separated and audited machines, but instead busy people end up running them all together because they happen to be packaged together (like FreeIPA or Active Directory), and that makes it even harder to secure them correctly.
reply
upvoteby tremon12 hours ago|
parent|
[-]
There's a very good reason to package these things together on the same machine: you can rely on local machine authentication to bootstrap the network authentication service. If the Kerberos secret store and the LDAP principal store are on different machines and you need both to authenticate network access, how do you authenticate the Kerberos service to the LDAP service?
reply