I've never used it. Does this actually replace AD and group policy effectively? Does it manage updates properly? Can it handle compliance tasks?

I've used other things that claimed to in the past and none came anywhere close in practice. They all turned out just to be LDAP with some NT4 style policies for windows and very little at all for the Linux clients. It was like traveling back in time to the Windows 2000 era of management.

There never will be a 1 for 1 replacement because the two systems have different approaches. Why would you want a direct replacement when you could have something better?

GPOs are a windows thing and don't apply to other systems. The generic equivalent is configuration management, for which there are many solutions. Linux updates are much easier than windows updates, and many linux systems now use immutable and atomic updates by default, which further reduces risk.

For directory, openLDAP just does LDAP. DNS is done with Kea or Unbound.

Fundamentally the issue is a lack of familiarity. The only way to become familiar with a system is... to use it.

> Does this actually replace AD and group policy effectively?

I do not know. They probably evaluated the solution before they made the decision.

In any case, continuing to use AD seems out of the question. Relying on US based software in 2025 and beyond is simply not a viable option for any administration that values its sovereignty. The US isn’t even hiding its hostility.