By Kayla Coco-Stotts Posted October 23, 2019
Amazon® Web Services (AWS®) makes cloud-based infrastructure a reality, providing IT professionals with the opportunity to build and run applications without the hassle of managing servers on-prem, networking, storage, and much more. In short, AWS wants to eliminate your data center and all of the hassle that comes with managing that IT infrastructure.
With such a useful platform, it begs the question: Can you integrate AWS with LDAP in a simple, secure way?
What is AWS?
Amazon Web Services is an Infrastructure-as-a-Service (IaaS) platform that launched in 2006. It offers a broad range of cloud-hosted solutions, including compute power, data storage, network infrastructure, and much more. It also features simpler/quicker implementations and reduced costs compared to legacy, on-prem data centers.
AWS works as a cloud-based, pay-as-you-go alternative to on-prem servers that allows organizations to move data centers entirely to the cloud. With their information/applications safely stored and managed via AWS, organizations can free up time and money they would’ve spent maintaining on-prem data centers.
What is LDAP?
The Lightweight Directory Access Protocol (LDAP) works as one of the core authentication protocols leveraged by directory service. LDAP works to authenticate users to their IT resources, and was developed initially to replace the Directory Access Protocol (DAP). It quickly became one of the industry standards for identity and access management (IAM), saving time and resources for IT admins around the globe.
LDAP authentication follows the client/server model, with an LDAP server storing username and password information as well as attributes like address, phone number, and group associations. An LDAP client — i.e. an application or system — will access the LDAP server and request information and/or authentication for a user’s identity.
Integrating AWS with LDAP
The problem with AWS is that it struggles with identity and access management and directory services, making it limited in its delivery. AWS does have AWS IAM, which allows IT admins to create and manage AWS users and groups, but when it comes to operating systems (Windows®, Mac®, Linux®), networks (wired and WiFi), applications (SAML and LDAP), or anything that lives outside the breadth of AWS, IT admins require additional resources.
Instead of managing AD and AWS separately, there exist ways for integrating AWS with LDAP so that IT admins can implement single sign-on for a simpler user interface.
Authenticate AWS Infrastructure Through OpenLDAP
You can authenticate AWS infrastructure through your own OpenLDAP instance hosted at AWS. However, this process is time-consuming, intensive, and ultimately produces, generally, at least two sources of truth for identity authentication within an organization.
Usually an organization stores their identities within an on-prem Active Directory instance. So, when an LDAP instance is placed in AWS to authenticate AWS cloud servers and other resources, the challenge becomes managing both of those identities. Sysadmins can bridge the on-prem AD instance with the AWS hosted LDAP server, but that requires additional work, security considerations, and ongoing monitoring. While many organizations take this approach, in the modern era of cloud identity management, there is really no reason to accept this relatively heavy approach.
Integrate AWS with LDAP through AD
In addition to hosting an OpenLDAP service, system admins can integrate AWS cloud infrastructure through LDAP authentication with an Active Directory instance. There are a number of options for this approach as DevOps engineers can manage their own Active Directory instance hosted at AWS or leverage AWS’ Directory Service which is a managed AD service. Of course, the challenge with this approach is that Active Directory – even with LDAP – struggles with non-Windows resources. Most servers in AWS are Linux-based and other services are also Linux flavored, so this can be a less than ideal approach.
This approach can be further complicated if there is an Active Directory instance on-prem that manages an organization’s on-prem infrastructure. Ideally, the IT and DevOps teams will need to connect these two Active Directory locations together so that there is only one authoritative identity source.
If there is no AD instance on-prem, then connecting an AWS hosted Active Directory solutions does not easily allow users to leverage their credentials for on-prem Windows, Mac, and Linux systems, WiFi and VPN networks, and web applications. Remember that whenever AD is involved, LDAP is not its preferred authentication mechanism, so you will be generally forced into Kerberos unless you configure LDAP.
Leverage True Single Sign-On™ with a Cloud-Based Directory
Ideally, an identity provider (IdP) should connect users to their AWS cloud services and tie into their other disparate IT resources using a singular set of credentials. In this scenario, the IdP would eliminate the need to manage multiple disparate identities as described above. Of course, some organizations are tied to Active Directory on-prem, and for those, having a cloud-based identity bridge to AWS that can leverage LDAP (and a variety of other protocols) is an ideal way to have a single identity and avoid the hassle of either self-managed Active Directory or LDAP hosted at AWS.
The IdP should enable a wide range of authentication mechanisms including SSH keys and MFA alongside LDAP, RADIUS, SAML, and OS-native authentication protocols. It would be a one-stop shop for all authentication needs without the need to pay for third-party identity management add-ons, as well as being easy to implement.
JumpCloud’s Directory-as-a-Service (DaaS) is a cloud-based IdP that allows for authenticating AWS infrastructure via LDAP and other IAM protocols like SAML for web applications. DaaS manages and controls user access from one central, cloud-based directory service that works for heterogeneous systems, services, and networks.
Interested in freeing up time and space by leveraging True Single Sign-On for your users? You can schedule a personalized demo or try DaaS for free by signing up for a JumpCloud account. Your first 10 users and systems are free forever.