Microsoft® Active Directory® has been the most popular identity and access management (IAM) solution in the directory services category (now often called an IdP, or identity provider) for over two decades. Times have changed and IT has shifted to heterogeneous platforms and the cloud. Device management is no longer optional, because identity is the new perimeter. These requirements can be costly if you follow Microsoft’s Azure roadmap, and as such many organizations may opt for open source alternatives. This article explores the options and how they work.
The identity management category has produced a limited array of open source solutions, and they are often focused on a particular problem set, whereas Active Directory has served as a general-purpose directory solution that the vast majority of small and medium-sized enterprises (SMEs) can use to manage Windows devices, users, printers, services, and security groups. Neither of these options has integrated cross-OS device management to protect identities.
It’s possible to assemble an open source stack to do all of these things. Microsoft, by contrast, requires IT shops to subscribe to its Azure Active Directory (AAD) and Intune endpoint management services. There’s a cost involved in either scenario, whether it’s indirect, through having to manage IT infrastructure for open source servers, or direct, through Microsoft’s subscription licensing fees. IT also faces the continual challenge of managing identities through their entire lifecycle.
Let’s first examine what open source alternatives are available for Active Directory (AD), where AAD fits, and a few open source projects that assist with managing users and entitlements.
Open Source Alternatives to Active Directory
In the identity and access management arena there are a number of open source solutions that could be helpful. OpenLDAP™ (supported by our friends at Symas) is the best known, and there are others such as Samba and FreeIPA. Each of these solutions comes with its own set of strengths and weaknesses.
OpenLDAP is the most popular LDAP server today, and it quickly became one of the leading open source directory solutions when it was introduced. It is highly flexible, scalable, and focused on providing core directory services to resources that speak the LDAP protocol. The challenge with OpenLDAP is that many IT resources prefer other protocols such as SAML, RADIUS, OAuth/OIDC, and even native integrations. So, while OpenLDAP can be the base directory service for an organization, that organization may also need to find other solutions to authenticate users to web applications, networking equipment, and other IT resources.
Samba is best known as a file and print service for non-Windows platforms. It can also serve as a directory service/domain controller, and is often used in conjunction with Active Directory to extend it to non-Windows® IT resources. Samba is usually not used as a standalone solution, so the challenge with this open source option is that IT admins still end up having Active Directory in their environment in addition to identity management solutions for single sign-on (SSO).
FreeIPA is focused on managing Linux users and hosts. FreeIPA is a combination of LDAP, Kerberos, DNS, and more. However, FreeIPA is rarely used on its own. Much like Samba, FreeIPA is often leveraged in conjunction with Active Directory or other IAM solutions. So, FreeIPA doesn’t have a reputation for being a standalone directory service.
These can be extremely useful platforms for SMEs, but they’ll ultimately need additional components in order to completely manage and connect users to their entire portfolio of IT resources. For instance, OpenLDAP and Samba don’t include GPO-like policies to manage your Windows fleet like AD does. It’s also rare that users will be working exclusively on a Windows PC, so it’s also important to somehow manage Android, Apple, and Linux devices.
These popular open source solutions can be cloud-hosted, but are more often than not run on-premises. Security-conscious organizations would also be well served by integrating a free and open source software (FOSS) multi-factor authentication (MFA) component into their stack. The downside is that having more servers and apps increases your management overhead as well as the potential cyberattack surface area. The next section overviews several open source device management solutions.
Headwind is an open source mobile device management (MDM) platform that manages and monitors Android devices only. It runs on-premises, which makes external users dependent on SASE, VPN, or ZTNA systems.
Flyve MDM is another Android-only MDM that manages, monitors, and tracks your devices. The community edition is hosted on-premises, with commercial editions also running in the cloud.
OneMDM is another open source MDM for Android only. It runs on Linux infrastructure.
These platforms must be integrated with a directory infrastructure and whatever SSO solution you’ve adopted. The software is free, but the work will consume IT’s time and resources. There’s also a lack of truly cross-OS open source device management software, which could leave some of your devices unmanaged. Devices without a baseline security posture shouldn’t access your resources, especially as there are more laws with penalties for data breaches.
Identity Lifecycle Management
Disparate systems and device management platforms create siloed identities and authentication mechanisms. It’s important for SMEs to automate and scale identity management as much as possible. After all, resources, like time, are limited. There are a few standalone open source projects that focus on identity governance and managing user lifecycle events.
Apache’s Syncope platform is an open source identity lifecycle management system. It provides identity and access management, provisioning/deprovisioning, and more. Its setup involves many steps that could consume significant IT resources.
The OpenIAM project focuses on managing the full user lifecycle with features such as auditing and access review, certification, delegated administration, workflows, provisioning/deprovisioning, and more.
Unfortunately, none of these directory, device management, and identity lifecycle management projects provides a holistic approach to identity management. They also don’t come pre-integrated. That makes assembling a modern, cross-OS alternative to AD/AAD very challenging.
It’s Not Just About Open Source
A true Active Directory (and Azure) alternative not only takes on the availability, maintenance, and configuration responsibilities that come with being a directory service, but also extends user access and management to a wide range of IT resources through multiple protocols, and manages your endpoints as well. An integrated cloud directory platform can streamline work for IT admins, giving them more time to focus on higher-priority organizational initiatives and the capacity to streamline identity lifecycle management.
Open Source Active Directory Alternative — JumpCloud
Fortunately, JumpCloud’s open directory platform unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys.
The platform treats identities as the new perimeter, and password management is one element of that. Secure, frictionless access is fundamental for IT organizations, and is why JumpCloud ensures that every resource has a best way to connect to it. For example:
- Servers use SSH keys, which are more secure than passwords.
- Passwordless certificates can secure RADIUS Wi-Fi access.
- Web applications use SAML and OIDC for authentication.
- Conditional access rules for privileged access management.
Significantly, JumpCloud includes environment-wide MFA for every authentication method.
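The first bullet above, key-based rather than password-based SSH, is something you can enforce on a Linux server today regardless of which directory you use. The following POSIX shell snippet is an added example written for this article and is not JumpCloud's code or part of any product: it prints an OpenSSH drop-in that disables password logins, and it includes a small checker for the caveat that bites most people here, namely that sshd takes the first occurrence of a keyword, not the last. The file name 50-keys-only.conf and the assumption that your OpenSSH build includes the sshd_config.d drop-in directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not JumpCloud's code): enforce key-only SSH logins on a Linux server.
# Assumes an OpenSSH server whose main config includes /etc/ssh/sshd_config.d/*.conf
# (true for recent Debian/Ubuntu/RHEL packages; verify with: grep -i include /etc/ssh/sshd_config).

# Print a hardened drop-in: public-key (or certificate) auth only, no passwords.
hardened_sshd_dropin() {
    cat <<'EOF'
# 50-keys-only.conf (example file name): require public-key or certificate authentication
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Print the effective value of a keyword in an sshd_config-style file.
# sshd uses the FIRST occurrence of a keyword outside Match blocks, so a later
# "PasswordAuthentication no" does NOT override an earlier "PasswordAuthentication yes".
# Commented-out lines ("#PasswordAuthentication yes") are ignored because $1 differs.
effective_sshd_value() {
    # $1 = keyword (case-insensitive), $2 = config file
    awk -v key="$1" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Succeed (exit 0) when the file still permits password logins.
# An unset keyword means sshd's built-in default, which is "yes".
sshd_allows_passwords() {
    v=$(effective_sshd_value PasswordAuthentication "$1")
    [ -z "$v" ] || [ "$v" = "yes" ]
}

# Usage on a real host (run as root):
#   hardened_sshd_dropin > /etc/ssh/sshd_config.d/50-keys-only.conf
#   sshd -t && systemctl reload sshd
#   sshd_allows_passwords /etc/ssh/sshd_config && echo "WARNING: main config still allows passwords"
```

Run `sshd -t` after writing the drop-in so a typo cannot lock you out, and keep an existing session open until a fresh key-based login succeeds. Because of the first-match rule, a drop-in only wins if the `Include` line sits above the main file's own `PasswordAuthentication` directive, which is why the checker reads the effective value instead of just grepping for the keyword.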
Additionally, JumpCloud is platform agnostic, so organizations can implement unified system management or MDM for any major OS (Android, Apple, Linux, and Windows). Managed devices are essentially secure gateways to your resources, and users are managed through the directory. JumpCloud handles the entire identity lifecycle from onboarding to access control, and uniquely, can help to automate user access to groups and applications when changes occur.
Discover More About JumpCloud
You are also more than welcome to start testing our cloud-based solution by signing up for a free account which gives you 10 users and 10 systems free along with 10 days of premium in-app chat support. You’ll be able to explore all of our features for free including all of our premium capabilities. Licensing is workflow-based, as opposed to feature-based.