By Rajat Bhargava Posted October 2, 2014
Trick question, eh? Managing OpenLDAP is a pain in the rear, as almost any IT admin will tell you. If you’ve never installed, configured, and had to manage LDAP, we’ll walk you through what you need to do. If you have, we’ll commiserate with you on the pain. Let’s reflect, though, on why you need OpenLDAP in the first place.
Organizations know that tightly controlling who has access to your servers, applications, network, and related infrastructure is a critical practice. It helps prevent being hacked, simplifies day-to-day IT, and helps support compliance and regulatory requirements. Essentially, you want to have a master record of who in your company (and related to your company) should have access, what they should have access to, and what they can do with when granted access. The open source identity management solution, OpenLDAP, has been a great way to make that happen for companies with the talent and resources to stand it up and get it running. Organizations often use the commercial directory service Microsoft’s Active Directory if they’re Windows shops, but if they’re working with Unix systems and applications, more often than not, you’ll find an OpenLDAP directory server in the mix. In addition to having a central identity provider, companies can point their servers and applications to their OpenLDAP server to authenticate and authorize user access. All of that sounds great and beneficial, so what’s the problem with LDAP?
As seasoned IT pros know, implementing and managing an OpenLDAP directory service system is no trivial matter. Here’s a look at what they need to do to manage LDAP:
Installation and setup
LDAP can be leveraged through a number of open source or commercial solutions, the most popular being OpenLDAP. To get going, you’ll need an on-premises server (assuming that you are planning to leverage it internally) and you’ll need to install a base OS and get it hardened and ready for OpenLDAP (note that because it will be your user store, you’ll want to make sure that it is secure). Then, you’ll install OpenLDAP and configure it, setting up certificates for secure data transmission, populating configuration files, and building the LDAP database.
Your OpenLDAP server is only useful if your users, servers, and applications can all talk to it. That means that you’ll need to make sure that you get into the nitty gritty details of opening firewall ports, checking network paths, and ensuring that it is secure. If you have cloud servers at one of the popular IaaS providers such as AWS, Rackspace, Digital Ocean, or SoftLayer, you’ll need to figure out how to get everything to talk securely, likely sending you down a path to leverage a VPN (or you may decide to place your OpenLDAP directory server out at your IaaS provider – we’ll talk about that case in a future post, although most of the management details are the same).
Directory Services population
After you are all set up, you’ll want to populate the directory services with your users. Unfortunately, this isn’t point and click. It means loading user, groups, and other objects manually. Also, note that when you add users, they are granted access to everything. If you want to limit access, you’ll need to edit the access control configuration file manually. And, in case you are wondering, that’s not the easiest config to edit and get right! What if you want to create groups? Well, then it gets even more complicated. One concept that you’ll need to work through is how LDAP thinks about devices. Effectively, LDAP cares about users and segmenting their access, but once you have the user’s “group” then that access is set across all of your devices and applications. Said another way, fine-grained privileged user access control is not easy!
The issues with managing OpenLDAP on an on-going basis include keeping the directory service up-to-date, adding new access control policies, enabling connections to new servers and applications, and ensuring that the system is 100% available — any downtime means that your users can’t access their devices and applications. In addition, IT admins have to deal with lost passwords and keys. For a decent-sized organization, that can add up to a lot of extra work that admins shouldn’t and don’t want to do!
Reporting / auditing
How do you get the reports and compliance data you need out of OpenLDAP? While the LDAP schema really amounts to being a fairly simple tree-based data structure, you’re still on the hook if you want to generate data and reports. That means writing queries on your own or building/buying/contracting-out tools to safely access the data in the schema. And, if you want to make sure that the data is compliant, you’ll need to make sure that your datastore is secure and tamper resistant. Unfortunately, simple data such as who has access to what is not easily available. There also isn’t a mechanism whereby each server or application’s user login data is centrally collected, stored, and displayed. If you’re using LDAP to help support your audit and compliance efforts, you’ll be doing some heavy lifting.
In short, if you have OpenLDAP, you have your hands full with managing it. So, when we said, “Don’t manage it,” what did we mean? In the cloudy world of SaaS applications, leverage a hosted LDAP solution. A cloud-based LDAP managed by a third party can effectively eliminate a lot of the heavy lifting. You’ll, of course, need to manage your users – i.e. populate them into the system (although with a GUI) and manage what their exact access should be, but that should be far easier than all of the hard work above.
A managed virtual LDAP solution takes care of many of the key tasks above:
No installation and setup
Because it is hosted, all of this is already handled for you. You don’t need to manage hardware or software. The solution is effectively a virtual LDAP server in a box.
No hard networking
Because it is a cloud-based SaaS LDAP service, it’s accessible from any Internet connected location. That means you don’t need to worry about setting up networking paths. Also, because it’s cloud-based, security is a top priority and constantly covered.
Import your users or load them in with a GUI
You won’t be entering users in config files or working through writing scripts to get your users into your directory. A SaaS-based LDAP solution does the heavy lifting. It should be easy to import in from an existing directory or maybe even Google Apps. Or even just enter them into the UI.
Here’s the beauty of an outsourced LDAP solution. No on-going management other than keeping your users up-to-date. You don’t have to worry about availability, up-time, managing password resets, and whole lot of other mundane tasks. You drop that off at the hosted, virtual LDAP provider’s doorstep.
An outsourced, hosted LDAP solution will have a lot of the reporting that you want already built in including collection of data from endpoints where appropriate.
If that sounds a lot easier than managing it yourself, feel free to dig in further. Give us a call or drop us a line and we’d be happy to talk to you about how to relieve yourself of the burden of managing LDAP.