LDAP has been a mainstay in many organizations for decades. As a core platform for user management, authentication, and authorization, LDAP systems are often the backbone for more technical infrastructure such as data centers, Linux-based applications, and more. Over time, as different types of IT resources have proliferated using their own preferred authentication protocols, not all organizations want an LDAP server as their core authentication platform; however, they do still want the ability to leverage it. Is there an alternative to LDAP that IT and Sysadmins can utilize?
Before we answer that question, lets first understand why LDAP is still an important protocol to support today.
As organizations grow and hit even just a handful of users, they end up looking hard at a system that will help them organize and keep track of their user accounts and what those users can access. User access control (also known as identity and access management) is a core system for most organizations and critically important as an infrastructure component, but it isn’t a place where organizations want to devote a lot of their time.
Most companies realize that they need to be innovating on their product or service and not building out their internal user management infrastructure. But then they start to experience the pain of dealing with their user management controls, which can include:
- Manually managing SSH accounts on servers and Windows admin accounts
- Not having visibility into who has accounts on what systems
- Not having visibility into when they are logging in and what they are doing
In short, they are creating accounts for end users (generally with an identity provider like Microsoft Active Directory), but have no control around the process of access to servers, technical applications, and security.
When organizations hit this point, they often begin to look at LDAP, including some of the open source solutions in that space like OpenLDAP, as a potential solution for their directory service or as an adjunct to their core IdP. Because they are generally manually managing accounts, organizations at this stage may have shared root passwords, scripts to create and manage users, or leverage Chef or Puppet as a user management system – especially for their server infrastructure. All of these existing approaches end up being tedious and time consuming. As a result, an identity management solution such as LDAP becomes an interesting alternative.
Challenges of Running LDAP
As existing LDAP admins know, the process to get LDAP up and running within an organization is difficult. As LDAP is effectively a database, it is time consuming to set up the system and get it operational. Add to that the cloud, security, automation, and more, and you have dramatically increased the complexity. Connecting all of your cloud servers with your LDAP instance requires the right ports opened, network routing properly configured, and permissions set so that all systems can talk to each other.
Another consideration when setting up LDAP becomes high availability. As LDAP will be the data store that your servers (and perhaps other devices and applications) will be authenticating against, an LDAP server that is down means that nobody is accessing their systems or technical applications.
Further, provisioning and deprovisioning users becomes a largely manual process. The admin will go into LDAP and create the user’s account and give them the right permissions. The admin will then take the temporary password that was created and email it to the user and then have them login to the device or application and change their password. If the organization happens to use keys, then the admin will need to ask the user for their public key and then insert that into LDAP at the time of provisioning.
If you are able to get LDAP up and running quickly and you don’t have a lot of changes to your infrastructure – i.e. new users or changes in servers – then the maintenance ends up being reasonably contained. As soon as you begin to grow on any dimension such as users, servers, devices, applications, or multiple cloud providers, managing LDAP becomes a much more significant chore. And, as a busy DevOps or IT professional, is that where you want to be spending your time?
JumpCloud is a Simple, Easy-to-Use Alternative to Your Own LDAP Infra
No longer do you need to take the manual steps of setting up a server, deploying the LDAP software, configuring it, testing it, and then running it on an on-going basis. JumpCloud Directory Platform provides you with Windows, Mac, and Linux user management capabilities as a cloud-based directory service. Simply register for an account, download the lightweight agent on all of your servers or desktops (use Chef or Puppet for quick, automated installation if you like!), and pop in a new user from the web-based interface.
Now, that user can quickly and easily be assigned to groups of servers, applications, networks, and more. Simple. Fast. Painless. End users can even upload their public SSH keys and have those automatically distributed to only the servers they are entitled to access.
The end result: no LDAP servers to manage, code to hack, or passwords or keys to track down. JumpCloud takes care of the heavy lifting for you with a hosted LDAP service. Managed for you, and delivered as a cloud-based service.
And, to round out the user management process, JumpCloud tracks who is logging into your systems, applications, file servers, networks, and more, as well as whether they are the right people, how they go there, when they were there, etc. LDAP doesn’t easily give you that insight which in this day and age with phishing attacks and stolen credentials is a critical task for DevOps and IT admins. Creating a user and putting it into a database is only one small part of managing users securely and these steps are critical. JumpCloud simplifies and automates these tasks so you don’t need to review logs, filter them for key activity, and then follow-up on critical alerts.
Hosted LDAP Service & More
With the advent of the cloud, SaaS-based solutions, and DevOps practices, there’s no need to utilize a solution that was created in the 1990s. Leverage the latest approaches to managing users securely with a cloud directory platform. Register for a JumpCloud account today or ask for a JumpCloud demo and save yourself from the manual effort of LDAP with a virtual LDAP service. Your first 10 users and 10 systems are free and we give you 10 days of Premium 24×7 in-app chat support to get you going.