by KronisLV 1479 days ago
> Now that almost everything is accessed by a web browser... what do you even need Active Directory for?

What about signing in with your firstname.lastname account, with the particular web app talking with the AD server through something like LDAP?

Thus, your credentials for all of the integrated software should be managed centrally, in the particular AD server or a similar solution.

Or maybe even SSO with something like Kerberos or an alternative?

1 comments

There are tons of free SSO services, such as Google.

And why do you need to control people’s laptop login? That can be local.

> And why do you need to control people’s laptop login? That can be local.

Some organizations might want to ensure that your account follows certain policies in regards to the password expiry dates or how "secure" they are.

Furthermore, if you leave an organization, they might want to remove all of your access credentials to all of the linked platforms/devices in one fell swoop.

While you are in the organization, they might want to allow you to use certain pieces of software (say, GitLab, Nextcloud, Mattermost, anything that talks LDAP) by giving you a particular group membership, such as everything for PROJECT_X/CLASS_X and so on.

Similarly, when a certain platform requires user credentials, they might also want to explicitly allow this platform to integrate with their account management software, by giving it certain credentials to talk to the AD server, which can later be revoked.

Oh, and password resets are also nice to centralize, in case you ever screw up.

Sometimes their hand might also be forced due to compliance reasons: imagine Google basically owning your company and information about all of the accounts/devices due to them having the actual data.

The argument is that because so much is now cloud services in the browser, it makes centralised AD far less holistic hence better assess the cloud services settings for compliance. There is some truth and risk in that, go reset the password of those 3 services not supporting SSO. Reality about security is to deal with the admin trouble, MS isn't removing processes, education, trust, and their costs, it likes to give the impression that it does hence asking you money for removing the difficult inconvenience of actual security needs.