[gtranslate]

When your Active Directory turns into a black box

Published on: August 6, 2025

What is this post about?
More and more organizations want to make their access and user management more independent, secure, and transparent – while also questioning their reliance on the cloud.

What do we do?
weSystems offers strategic and technical consulting to help organizations build modern, self-sufficient access management architectures. These are often based on open source technologies and, if desired, completely free of cloud dependencies.

Who should read this?
CEOs, CIOs, CTOs, IT architects, CISOs, or admins who wonder how many shadow accounts, uncontrolled permissions, or hidden security gaps might exist within their organization.

What is our sweet spot?
From initial assessments and authentication structure analysis to full design, implementation, and integration, we deliver comprehensive identity and access consulting with long-term vision.

What inspired this post?
A great project where we implemented FreeIPA for a client as part of a brand-new, sovereign IAM strategy. Not because it was trendy, but because it made sense in a well-thought-out architecture.

Cloud, control, or both?

User management works. Somehow. But only as long as no one looks too closely. In many companies, identity and access management is more of a background process than a managed one. Systems were added over time, logins were centralized, groups were created – but rarely reviewed in depth. Today, when someone asks who has access to what and why, the common answer is: “We’ll need to check.” That would be harmless – if it weren’t a security issue.

Many rely on central cloud services like Azure AD or Microsoft Entra ID. They offer convenience, integrations, and scalable management. But they also come with a major problem: complete dependency on external systems. If you need a cloud login just to run your internal network, you’ve already given up control. And that is where the real risk begins.

 

From symptom to architectural challenge

This was the starting point in our client project: authentication was handled entirely through Azure. It worked – technically. But it was expensive, hard to understand, difficult to control, and dependent on a single provider. In sensitive environments like research or industry, where networks often need to be isolated, this kind of dependency becomes a strategic risk.

Together with the client, we rethought the entire IAM architecture. Not just as a technology change, but as a strategic move. The question wasn’t, “Which tool should we replace?” It was, “How do we build an access infrastructure that is transparent, resilient, and independent?”

 

FreeIPA as a solution, not a buzzword

The technical solution in this case was FreeIPA – an open source project from Red Hat that serves as a free and cloud-independent alternative to Active Directory. It combines user and group management, role-based access control, certificate services, DNS, RADIUS, and multi-factor authentication – all in a locally operated system.

But the tool wasn’t the main point – the process was. We worked with the client to analyze which applications required central authentication, which ones had previously relied on the cloud, and how to migrate them cleanly. In many organizations, 90 percent of systems are tied to AD, while the rest run under the radar. Local admin accounts, custom roles in tools like Jira or Proxmox – there’s often no central overview or control.

We redefined the entire internal domain structure, created security groups, and introduced tiered permissions within applications. Today, access rights are clearly defined and conditions for access are transparent. WiFi access, server management, virtual machines, and network devices like OPNsense are all integrated into a unified and transparent IAM concept. Without the cloud – but with maximum control.

The real problem: lack of visibility

What many companies do not see (or choose not to see) is that their access structure has grown over time instead of being actively designed. It may function, but it is often undocumented.

Who has admin rights?
Who can create new users?
How many groups exist, and how many overlap?

These questions are rarely asked because they are uncomfortable or because no one has the answers.

There is a common belief that single sign-on solves everything. But SSO is just a login. What happens beyond that – who has which rights in an app, how roles are maintained, how passwords are transmitted securely – is often overlooked. Especially in hybrid infrastructures where LDAP, AD, SAML, OAuth, and local databases coexist, a patchwork of systems quickly becomes unmanageable.

The result: shadow accounts, excessive permissions, outdated user profiles, and, in the worst case, security holes no one is aware of.

 

What we deliver and why it goes beyond technology

At weSystems, our work starts where many others stop. We do not see IAM as just a tool issue, but as an architectural challenge. That is why we do not simply install FreeIPA – we deliver a complete consulting and implementation process: from the initial assessment and planning to full integration with your existing infrastructure.

In this specific project, we not only implemented FreeIPA but also redesigned the entire logic behind it: internal DNS zones, security groups with tiered access, integration of Authentik for modern SSO, an internal certificate authority, RADIUS for secure WiFi use, and a clear separation of responsibilities and permissions. The cloud was deliberately excluded, not out of principle, but because in this case, it added no real value, only dependency.

 

IAM is not a checkbox; it is the core of your security strategy

If you think identity and access management is only a topic for admins, think again. IAM is now a central part of every IT security strategy. It determines how resilient your company is against outages, attacks, or internal errors. It is crucial for audits, data protection, compliance, and ultimately for operational efficiency.

FreeIPA is not magic. It is not the goal itself. It is a tool that helps you build an infrastructure you can truly understand, manage, and develop on your own. No dependencies, no license pain, no loss of control.

If reading this made you realize that your access infrastructure has evolved rather than been designed, then talk to us. We are here not just to clean up the mess, but to rethink it with you. Strategically, pragmatically, and with an open mind for the right technologies. Because identity is the new perimeter. And it should be in your hands.

Contact us for a personalized consultation!

 

Write us!