Ask HN: Self-hosted AD/Entra ID alternative that works with Windows and Linux?

I'm working on an open-source identity platform (Rust, AD-compatible, native OIDC) and trying to figure out whether this is a real problem or something I've convinced myself matters.

The idea is: replace Microsoft AD/Entra ID with something you can self-host, that handles Windows domain join AND Linux login AND modern auth protocols.

Current options seem to be:

- stay with Microsoft AD (the original beast) - Samba AD (works but painful, no modern protocols) - UCS/Zentyal (wrap Samba, heavyweight) - Keycloak/Authentik/etc (no Windows domain support)

My questions:

- How do you handle identity across Windows and Linux today? Is it painful? - Have you actually looked for alternatives, or is AD "good enough"? - Would sovereignty/self-hosting be a important for you, or is that just talk?

I am having a lot of fun building and using this but I severely wonder if this is just a me problem. Help a guy out? :-)

2 points | by marenkay 11 hours ago

2 comments

  • lucideng 32 minutes ago
    AD/Entra is pretty good in my experience working with it. Self-hosting Entra is basically running a Windows Server + Domain Controller, or one of the alternatives you mentioned. Not something I would typically recommend to a customer unless they already had it running and were experienced in it.

    IMO, the best way to "handle identity across Windows and Linux" is Microsoft's own tools. You can join Windows, Mac, and Linux machines into Entra now. For $8 a month you can get an F3 license for a user. This gets you the MS Office Suite (web only) plus Intune/Endpoint Management for 5 active devices, licensed Windows 11 Enterprise (good for machines without an included windows license), the ability to control Device Policy and Conditional Access Policy. The F1 license ($2.25) might work, but don't quote me on that (read-only office, no mobile apps, no Windows Hello for Business).

    Mac and Linux machines aren't as robust as Windows for endpoint management. But the core features you'd want are mostly there. Apple business manager is needed and has to be paired with Entra, but it's not completely terrible. The Microsoft documentation is actually very helpful here.

  • reliefcrew 10 hours ago
    > Have you actually looked for alternatives, or is AD "good enough"?

    TBH, I always thought YP/NIS was good enough... but I live in a tiny bubble. Obligatory:

    https://xkcd.com/927/

    P.S. Your cert for https://kogito.network/ is expired :(

    [-]
    • marenkay 10 hours ago
      Honestly, I wish I could stick with LDAP forever, it just worked. But no. My first setup in 2004 was OpenLDAP all the way for every service.

      I am moving to a new server over Christmas, thanks for telling though :-)

      [-]
      • reliefcrew 10 hours ago
        Yeah, it's a big world and it has a clever way of getting what it wants. On a serious note I'd say you'll just have to balance your design w/ what people are willing to pay for. You probably know this already though :-)

        Enjoy the new server!

        [-]
        • marenkay 9 hours ago
          Thanks! I sure will, its my first own rack in a new data centre actually :-) kinda a long-term member of the homelab movement
          [-]
          • reliefcrew 8 hours ago
            Sweet. I think you're making a good move. Best to own the kernel of your infrastructure... then rely on cloud services as growth allows.

            That's why I went through this exercise a couple of years ago:

            https://news.ycombinator.com/item?id=35066894

            [-]
            • marenkay 8 hours ago
              That's the plan. I still have to figure out a lot but it's fun!