By Rajat Bhargava Posted March 20, 2014
We talk to a lot of folks about their user management problems. Many of those folks are managing Windows Administrator or Linux SSH accounts using LDAP. As most DevOps and IT pros know, managing privileged accounts with a user database / directory service like LDAP is a bit painful. In fact, some people downright want to throw it out the window! We can’t blame them completely. While LDAP (and it’s open source solutions like OpenLDAP and IPA) was created in 1995 and has been an awesome platform for a lot of years, new technologies have emerged that have created challenges in relying on LDAP.
A key part of the problem that we hear often from IT admins is that LDAP is a bit challenging to work with when dealing with cloud servers. The cloud introduces a new networking paradigm where servers aren’t necessarily hosted on the same network as their user management solution. That creates some tricky networking / communication challenges (and the offshoot security issues). Further, multi-platform support with Windows and Linux isn’t the easiest scenario to manage with LDAP. While LDAP as an identity provider was essentially focused on Unix / Linux machines, getting LDAP to talk with Windows is a lot more complicated. Often, admins will need to leverage SAMBA or a tool like pGina to make LDAP work across operating system platforms.
As user identity and security concerns have come to the forefront, that has exposed a major weakness in the process of using LDAP-based approaches to server access control. Unfortunately what these solutions don’t do it provide you with is an end-to-end user management control process where adding, deleting, changing user accounts, passwords, and keys is done securely. Instead, you have a patchwork of complex network set ups that are fragile and prone to vulnerabilities to try to provide a centralized directory in a highly distributed world. A centralized user management system is elusive, but required when thinking about security.
3. The Cost is Time
The admin, when not worrying about security, network configurations, or tools, unfortunately, is in the middle of all of this handling temporary passwords and public keys. In a compliance situation, that won’t work. Finally, and perhaps the most significant challenge, is the amount of time and effort it takes to setup, configure, and maintain an LDAP-based user directory service. There are tools to manage an LDAP implementation, but these are generally focused on providing administrator controls, and not so much on automating parts of the end user experience: that means the administrator has to act on behalf of users for changes.
4. Centralized User Management: Evolved
As with the evolution of the technology marketplace, what starts out as manual, code-based solutions over time become much more polished products available to companies. Such is the case in this market too. DevOps and IT admins managing LDAP now have next generation centralized user management / directory services solutions available to them that solve the limitations and downsides of the previous solutions. JumpCloud’s Directory-as-a-Service® has intensely focused on this space and has introduced a SaaS-based directory service solution to manage user access control to both Windows and Linux servers in the cloud and on-premises. Let me say that differently – a Web-based Identity-as-a-Service solution that can work for you regardless of where your servers are located or what type of servers you have! Now, that’s shining up what LDAP started pretty nicely.
There are a few key reasons for folks that are using LDAP to switch over to a SaaS-based, virtual directory service for centralized user management solution like JumpCloud:
- No installation, configuration, and management of LDAP servers and their redundant backups (you have those right?)
- Cross platform – no SAMBA necessary to manage Windows servers. Manage both Windows and Linux from one console.
- Cross-provider support – wherever your servers are located – as long as they have an Internet connection – JumpCloud can manage them. And, yes, all from one console regardless of location.
- Increased security – admins don’t need to be a part of the process to set up passwords and keys – a self-service portal from JumpCloud lets the users do this themselves. Your user lost their password? No problem, they just go to the portal and resolve the issue themselves.
5. The Other Half of Management: Security
Analyzing this issue also raises another part of the challenge with LDAP and LDAP-based solutions. They only focus on one part of the user management problem – managing administrator accounts. Another key part of the problem is ensuring that only those people that are logging into your systems are those that you granted access. At JumpCloud, we’ve taken great pains to have a complete LDAP-as-a-Service solution that ensures that the right people have access to your systems and they are logged when accessing those systems. Don’t miss this step in your user management process!
Running LDAP is a great step forward over manually managing privileged user accounts. With new technology like hosted LDAP, though, you can do better, save yourself more time, and save money. Take a look at how JumpCloud’s cloud-based directory service can change your relationship with LDAP! Check out a free white paper on cloud server user management, or email us for a demo. If you are ready to give JumpCloud a try – it only takes a few minutes – sign-up now.