
Controlling user access to servers hosted in the cloud is a pain. This is especially true if you have a lot of users or servers, and if you have different functional types for those servers. Do you go in and directly edit users on all of those machines? Ouch! That’s an admin’s nightmare. Or, what about managing users on technical applications such as MySQL, OpenVPN, Jira, or other on-prem legacy applications?

Shopping in the LDAP User Store

Historically, one alternative for folks in this predicament has been an LDAP user store. They spin up a new instance, set up an open source LDAP implementation (OpenLDAP, FreeIPA, etc.) on that box, and begin the less-than-ideal process of configuring and managing yet another directory store. If they are industrious enough, they will figure out how to connect it to their organization’s Microsoft Active Directory user store. Regardless, they are still manually managing a database.

LDAP: No Bargain for IT Admins

The challenge for most DevOps and IT admins is that they aren’t looking to become LDAP experts. They don’t even want to take on the task of managing yet another directory service. So, what are IT admins looking for? They want an efficient way to grant users the right access to the right servers and applications. LDAP doesn’t make that easy, simple, or efficient. IT pros need to manually provision the users and control their access. Many organizations short-circuit the process and use a shared root password or key. That is not a great security model. If the admin is more security conscious and does grant individual user accounts, what happens then? The admin needs to manually interact with each user, either by giving them a standard password or by asking them for their public keys. There is no automated system for end users to set up their own credentials on the servers. If there isn’t an easy way to connect to your central identity provider, then DevOps and IT admins are responsible for keeping everything in sync at all times. This is yet another manual task.

Directory-as-a-Service is a Multi-Use Platform

Our Directory-as-a-Service® platform is a SaaS-based alternative to LDAP. JumpCloud® automates the management of user identities and connects them to the IT resources they need, including systems, cloud and on-prem applications, and networks. A key component of JumpCloud is its extensive centralized user management capability. JumpCloud enables DevOps and IT admins to simply provision a user in the system and add them to a group (or what we call a “tag”), and they are done. The admin doesn’t need to deal with keys or passwords; the end user is notified directly by JumpCloud to configure their credentials. The tags allow the admin to place the user into the right group and provide the correct access. JumpCloud also enables more granular access controls, such as granting sudo rights, requiring SSH keys, or even requiring multi-factor authentication. JumpCloud gives you virtual LDAP-like functionality without the work: no database to manage, no additional server, and no end user interaction required. JumpCloud does all of that, and more securely than LDAP.

Try LDAP Cloud Replacement

Give JumpCloud’s Identity-as-a-Service platform a try today if you are already using an LDAP server, thinking about using an LDAP server in the cloud, or thinking about using an LDAP server anywhere else. Hosted cloud-based LDAP could save you significant time and money while increasing your security.
