By Vince Lujan Posted September 20, 2017
One of the hottest categories in the current IT market is the Cloud Identity and Access Management (IAM) space. The reason? The transformation of IT from a Microsoft-centric ecosystem to mixed-platform, multi-provider (e.g. AWS, GCP, Azure AD) environments is driving a new era of identity management from the cloud. One particularly intriguing aspect is the Linux user management capability that cloud IAM provides.
Linux has become the most popular choice of operating system for servers in data centers around the world, and many developers are also starting to use Linux on their personal machines to match. The dilemma that a lot of IT admins run into is that Microsoft Active Directory® (AD), which has never played nicely with Linux (or Macs, for that matter), is still the primary solution for managing access to IT resources. Fortunately, new cloud IAM alternatives to AD are changing all of that.
Legacy IAM Solutions Feature Limited Linux User Management
The IAM space has historically been driven by on-prem directory services such as AD and OpenLDAP. For AWS Linux instances, many DevOps organizations use Chef and Puppet to manage users, but that approach doesn't work at scale. While all of these solutions are somewhat capable of managing Linux, none of them are particularly user friendly.
For example, any IT admin will tell you that Active Directory doesn't manage Linux users the way it manages Windows users. While a Linux device can authenticate users against Active Directory with some configuration and effort, managing the users on the device itself remains challenging. Further, while AD applies Group Policy Objects (GPOs) to Windows machines, no equivalent exists for Linux within AD. IT admins therefore cannot deploy commands and scripts to set policies on Linux systems the way they would on Windows, let alone manage user access. This should come as no surprise: you can't use GPOs with Macs either, nor manage user access on them. Linux is a competitor to Windows, after all. The trouble is that IT admins are often caught in the middle.
The other traditional option is OpenLDAP. Linux works well with OpenLDAP, but that requires running another directory service and more work, since OpenLDAP struggles with Windows and Mac machines. OpenLDAP doesn't come in a neat package like AD. Instead, it relies on savvy IT admins to implement, maintain, and secure the entire directory service, which translates to hours if not days of work to manage users and systems at a granular level. It can be done, but it presents significant challenges: you'll want to be highly proficient with OpenLDAP and have the on-prem infrastructure to keep the identity provider up and running 100% of the time. Considering that Linux is primarily used for DevOps infrastructure and data centers, the fact that OpenLDAP works well with Linux but not with Mac or Windows devices defeats the purpose of having one central identity provider.
Directory-as-a-Service Features Full Linux User Management
With Linux dominating the data center space and AWS growing so quickly, Linux user management is a major pain point. Fortunately, a new breed of cloud identity management platform is emerging to solve the problem. Directory-as-a-Service® can accomplish this in two primary ways.
The first is designed for organizations that are not ready to make the break from AD. For these organizations, AD is so embedded in their infrastructure that uprooting it is unfeasible in the short term. That is why Directory-as-a-Service features a cloud identity bridge that extends Active Directory to Linux. This functionality is called AD Integration.
The purpose of AD Integration is to allow AD to remain the authoritative source of truth for user identities while extending those identities to non-Windows systems and resources, such as Linux devices. It works by installing a lightweight agent, called AD Import, on Linux systems and AD domain controllers, which allows JumpCloud to federate AD identities to just about anything the IT admin sees fit.
The added bonus of using JumpCloud's AD Integration is that admins can also leverage the full functionality of the Directory-as-a-Service platform and write changes back into AD using AD Sync. For example, DaaS features GPO-like capabilities for Mac and Linux machines. That means Linux systems can now be managed with policies that were previously unavailable to them with AD alone.
Of course, if an organization has little to no investment in on-prem infrastructure such as AD or OpenLDAP, it will likely make more sense to realize the full potential of Directory-as-a-Service as the first comprehensive cloud-based directory service. That is the power of a flexible platform designed to be OS agnostic and cloud-based from the ground up. All IT admins have to do is sit back and enjoy seamless user and device management across all of their resources.
Learn More About JumpCloud IAM
To learn more about how Linux user management works with Directory-as-a-Service, drop us a note. You can also sign up for a free account and demo the full functionality of our IDaaS platform. Your first ten users are free forever.