Federate AD/LDAP to AWS: Modern User Management

By Greg Keller Posted December 19, 2014


This is the final post in our series looking at how and why to federate your Microsoft Active Directory or LDAP user accounts to Amazon Web Services. Here are the topics we’ve covered so far:

  1. Intro: Federating AD or LDAP User Access to AWS Servers
  2. The What and Why of Managing Users on AWS Servers
  3. How to Manage Users on AWS Servers
  4. The Difference Between AWS IAM and Managing Server Users
  5. 4 Challenges of Managing AWS Cloud Server Users and 1 Solution

We have analyzed the problem, looked at existing solutions, and now will discuss the modern approach to managing users on AWS.

Smart organizations are taking one of two approaches to their centralized user management challenges on AWS servers. They either federate user access to AWS or use a cloud-based directory service. Both approaches are described below:

Explaining the Federated User Access to AWS Servers Approach

If an organization has an existing Active Directory or OpenLDAP implementation, it’s ideal to leverage the existing identities in that user data store.

However, exposing that directory to the Internet, or configuring and maintaining all of the network routes that let AWS instances reach it, is time consuming and risky. Therefore, most companies choose a third-party “bridge” that mirrors the AD or LDAP data and provisions those users to the appropriate servers. (Some have tried to use Google Apps Directory in this role, but it doesn’t work without an intermediary service.)

The “bridge” is a Directory-as-a-Service® solution that continuously replicates the AD or LDAP users, including their group memberships, and delivers them to a small agent placed on each Windows or Linux server. The agent lets the SaaS-based directory service communicate securely with the servers, and the cloud-based directory provisions and maintains the local accounts as appropriate. Users are added, modified, or terminated in the directory of record, either AD or LDAP, and those changes propagate to the servers through the hosted directory service.

There are significant benefits to the federated user access to AWS servers approach. First, admins save tremendous time because there is no custom sync code to write and maintain. Second, security is enhanced because the central directory remains the single source of truth: a user disabled there is disabled on every server, with no stale local accounts left behind. Third, the third-party service reduces the expertise required to manage user access across network boundaries. Finally, it gives organizations that must audit access a single place to see who can reach which servers.

Explaining a Cloud-based Directory-as-a-Service Approach

There are a number of organizations that don’t have a directory. They aren’t using AD or LDAP. Many will have Google Apps Directory, but unfortunately, Google Apps Directory isn’t a directory in the sense needed here: servers can’t authenticate users against it. For many smaller organizations or companies that were “born in the cloud,” a legacy directory won’t bridge their users to the SaaS-based resources they need to access.

Fortunately, businesses can opt to have their directory managed as a cloud-based service. This is referred to as a Directory-as-a-Service, or DaaS. A cloud directory is hosted in the cloud and talks to AWS server infrastructure, but also talks to on-premises laptops, desktops, legacy applications that use LDAP, and even Web-based applications. In short, Directory-as-a-Service can become the directory of record. As in the federated example above, the cloud directory relies on a small agent installed on each server. Users and access controls are then replicated from the SaaS-based service to each server.
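Both the federated bridge and the DaaS approach above rest on the same mechanism: a per-server agent treats the directory as the source of truth and reconciles the server's local accounts against it, so that a user added, changed, or terminated in the directory is created, updated, or locked on every server that user is entitled to. The following dry-run model of that reconciliation is an added example, not JumpCloud's agent or any code from the original post. The directory snapshot, server state, group names, and server tags are all constructed for the example; the commands it renders are ordinary Linux shadow-utils commands and are shown, not executed.

```python
"""Dry-run model of a per-server directory agent (constructed example).

The directory of record (AD, LDAP, or the hosted directory) is the source of
truth. On each run the agent compares a snapshot of that directory with the
server's local accounts and computes the actions needed to converge:
entitled users are created or updated, users the directory has disabled or
dropped are locked, and accounts the agent never created are left alone.
"""
from dataclasses import dataclass

# Directory groups that grant login on each server tag, and which grant sudo.
# Constructed policy for the example.
ACCESS_GROUPS = {"aws-web": {"web-admins", "sre"}, "aws-db": {"dba", "sre"}}
SUDO_GROUPS = {"sre"}


@dataclass(frozen=True)
class DirUser:            # one entry from the directory snapshot
    name: str
    uid: int
    groups: frozenset
    enabled: bool = True
    ssh_key: str = ""


@dataclass
class LocalUser:          # one entry from the server (e.g. parsed from /etc/passwd)
    name: str
    uid: int
    managed: bool = True  # created by the agent; unmanaged accounts are never touched
    locked: bool = False
    sudo: bool = False
    ssh_key: str = ""


def entitled(user, tag):
    """A user may log in to servers tagged `tag` if enabled and in an access group."""
    return user.enabled and bool(user.groups & ACCESS_GROUPS.get(tag, set()))


def plan(directory, local, tag):
    """Return the ordered list of (action, username, detail) to apply on one server."""
    actions = []
    wanted = {u.name: u for u in directory if entitled(u, tag)}

    for name, u in sorted(wanted.items()):
        want_sudo = bool(u.groups & SUDO_GROUPS)
        cur = local.get(name)
        if cur is None:
            actions.append(("create", name, {"uid": u.uid, "sudo": want_sudo, "ssh_key": u.ssh_key}))
            continue
        if cur.uid != u.uid or not cur.managed:
            # A pre-existing local account with the same name is a collision,
            # not something to adopt silently: report it and leave it alone.
            actions.append(("conflict", name, {"local_uid": cur.uid, "dir_uid": u.uid}))
            continue
        changes = {}
        if cur.locked:
            changes["unlock"] = True
        if cur.sudo != want_sudo:
            changes["sudo"] = want_sudo
        if cur.ssh_key != u.ssh_key:
            changes["ssh_key"] = u.ssh_key
        if changes:
            actions.append(("update", name, changes))

    for name, cur in sorted(local.items()):
        # Terminations, disables and group removals all land here: a managed
        # account that is no longer entitled and not yet locked.
        if name not in wanted and cur.managed and not cur.locked:
            actions.append(("lock", name, {"revoke_sudo": cur.sudo}))
    return actions


def render(actions):
    """Translate a plan into the Linux commands the agent would run (shown, not executed)."""
    out = []
    for action, name, d in actions:
        if action == "create":
            out.append(f"useradd -m -u {d['uid']}" + (" -G sudo" if d["sudo"] else "") + f" {name}")
            if d["ssh_key"]:
                out.append(f"# write {name}'s authorized_keys from the directory")
        elif action == "update":
            if d.get("unlock"):
                out.append(f"usermod -U {name}")
            if "sudo" in d:
                out.append(f"usermod -aG sudo {name}" if d["sudo"] else f"gpasswd -d {name} sudo")
            if "ssh_key" in d:
                out.append(f"# write {name}'s authorized_keys from the directory")
        elif action == "lock":
            out.append(f"usermod -L {name}")
            if d["revoke_sudo"]:
                out.append(f"gpasswd -d {name} sudo")
        elif action == "conflict":
            out.append(f"# CONFLICT: {name} exists locally with uid {d['local_uid']}, directory has {d['dir_uid']}")
    return out


# Constructed directory snapshot and server state for the example.
DIRECTORY = [
    DirUser("alice", 2001, frozenset({"web-admins"}), ssh_key="ssh-ed25519 AAAA...alice"),
    DirUser("bob",   2002, frozenset({"sre"}),        ssh_key="ssh-ed25519 AAAA...bob"),
    DirUser("carol", 2003, frozenset({"dba"}),        ssh_key="ssh-ed25519 AAAA...carol"),
    DirUser("dave",  2004, frozenset({"web-admins"}), enabled=False),  # terminated in AD
]
WEB_SERVER = {
    "ec2-user": LocalUser("ec2-user", 1000, managed=False),           # AMI default, untouched
    "alice":    LocalUser("alice", 2001, ssh_key="ssh-ed25519 AAAA...alice"),
    "dave":     LocalUser("dave", 2004, sudo=True),                   # still live on the box
}


def demo(tag="aws-web"):
    """Plan for the constructed web server; pass tag="aws-db" to see the dba view."""
    return plan(DIRECTORY, WEB_SERVER, tag)


if __name__ == "__main__":
    for line in render(demo()):
        print(line)
```

Run stand-alone, the script prints the commands for the web server: bob (in the sre group) is created with sudo, dave (disabled in the directory) is locked and dropped from sudo, alice is already in the desired state, carol is not entitled to this server tag, and ec2-user is never touched because the agent did not create it. The same snapshot applied with tag="aws-db" entitles carol and bob instead. Two design points matter in practice: the agent is idempotent (running it twice produces no second batch of changes), and a name clash with an account the agent does not own is reported rather than silently merged, because adopting a pre-existing local account would let whoever created it inherit the directory user's access.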

The benefits of this approach are substantial. The central user store allows scalable access for many users and servers (and other devices and IT applications). It also increases security by tightly controlling access and allowing each user to be granted a different level of access. Further, DaaS fits right in to a business model that already uses AWS and other cloud-based services.

Who’s Doing DaaS?

JumpCloud® is the leading unified cloud directory solution, providing businesses with strong cloud-based options to federate their internal identities or create a new, central user store in the cloud.

JumpCloud securely connects and manages users with the IT resources that they need, and acts as the central user store, connecting users with Windows, Linux, or Mac devices. Further, in situations where there is already an existing directory, JumpCloud acts as a bridge to infrastructure such as AWS.


Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.
