Could open-source IAM replace Active Directory and Entra ID?
Where midPoint plus Authentik can replace the Microsoft identity stack in a hybrid Windows/Linux shop — and where it can't. A thought experiment, not a build.
A question that keeps surfacing when someone wants out from under Microsoft licensing: in a mixed Windows/Linux shop, can an open-source stack do the job of Active Directory and Entra ID? My short answer is “most of it, with one stubborn exception” — and since nobody’s actually asked me to build it yet, I’m writing it down as a design I’d reach for if the need ever lands.
Filed under ideas-on-the-shelf — a concept worth working out further if a client need arises, not something I’m running in production today.
Two tools, two different jobs
The pairing people reach for is midPoint and Authentik, and the trick is that they don’t overlap. midPoint is an IGA engine — joiner/mover/leaver, role modelling, access reviews, provisioning into other systems. It never logs anyone in. Authentik is the IdP — OIDC, SAML, MFA, and an LDAP outpost that Linux boxes authenticate against. So midPoint decides who should have what and pushes it everywhere; Authentik is the front door. I already run Authentik with an LDAP outpost for my own Linux fleet, so that half isn’t theoretical.
Where it breaks: Windows
This is the catch. Authentik’s LDAP outpost does bind auth — perfect for SSSD on Linux, useless for joining a Windows machine to a domain. Windows wants Kerberos, the AD schema, and Group Policy, and Authentik speaks none of it. So: replacing Entra ID’s SSO and governance is clean. Replacing AD for Linux works, and the result is better than AD ever was for those hosts. Replacing AD for on-prem Windows? You still need a domain — keep a slim AD, stand up a Samba AD DC, or move those endpoints to Entra join plus Intune.
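To make the Linux half concrete, here is the sort of sssd.conf such a box would carry, added here as an illustration rather than taken from the original post. The hostname, the read-only bind account and the linux-admins group are placeholders; the dc=ldap,dc=goauthentik,dc=io base DN, the user/group object classes and the memberOf attribute are assumed from Authentik's LDAP provider defaults and should be checked against the actual provider.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root)
# Linux host authenticating against an Authentik LDAP outpost via SSSD.
# Placeholders: ldap.example.internal, the "sssd" bind account, linux-admins.
[sssd]
config_file_version = 2
services = nss, pam
domains = authentik

[domain/authentik]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

# LDAPS only, and verify the server cert: the outpost does simple binds,
# so the user's password crosses the wire on every login.
ldap_uri = ldaps://ldap.example.internal:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Assumed: Authentik's default LDAP provider base DN.
ldap_search_base = dc=ldap,dc=goauthentik,dc=io

# Read-only service account for lookups. Prefer
# ldap_default_authtok_type = obfuscated_password (sss_obfuscate) over plaintext.
ldap_default_bind_dn = cn=sssd,ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_default_authtok = CHANGE_ME_SERVICE_ACCOUNT_PASSWORD

# Assumed: the outpost publishes users/groups with the user/group object
# classes and POSIX attributes (uidNumber, gidNumber, homeDirectory).
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

# Least privilege at the host: the outpost will authenticate any Authentik
# user, so restrict shell access to one group here (memberOf assumed).
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=ldap,dc=goauthentik,dc=io)

# Survive an outpost outage with cached credentials; never enumerate the
# whole directory from every host.
cache_credentials = True
enumerate = False
fallback_homedir = /home/%u
default_shell = /bin/bash
```

Everything above is plain LDAP simple bind plus attribute lookups, which is exactly why it hands a Windows host neither a Kerberos realm nor Group Policy.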
The shortlist if it ever gets real
- FreeIPA for serious Linux/Kerberos estates, joined to AD by a forest trust.
- Keycloak instead of Authentik where enterprise scale and battle-testing matter more than the LDAP/RADIUS outposts.
- Apache Syncope as the lighter IGA alternative to midPoint.
The honest verdict: it’s a genuinely good stack for a sovereignty-minded, Linux-leaning client — and more moving parts than a Windows-only SMB needs. So it stays parked, fully specced, until someone needs it.