In Best Practices, Blog, User Management

Using LDAP for your internal directory is a time-honored tradition that IT organizations have embraced for decades. LDAP is the standard protocol for directory authentication and is used heavily in the UNIX/Linux world and with more technical or infrastructure type applications. The interesting opportunity for IT admins is to potentially leverage LDAP-as-a-Service. This offering is effectively a cloud-based directory that can authenticate LDAP users and their devices or applications. The beauty of a cloud-based offering is that busy admins can offload the heavy lifting of managing LDAP. Further, cloud-based infrastructure services (such as a SaaS-based LDAP) add features and benefits such as scalability and availability.

Here are the top five reasons IT admins should consider moving their on-premise LDAP instance to the cloud:

1. To Avoid The Management Headache

If you are an IT admin, you already know that setting up and managing LDAP can be painful. Most of the time you are in charge of managing the system at the command line to set up the right capabilities that you need. LDAP GUIs only solve part of your problems; others, like understanding the concepts of and setting up the underlying tree-schema correctly, having it networked correctly so all of your systems can see it, and yet keeping it secure are all painful tasks for IT admins. And, they all require significant skills in networking, Unix server administration and on-going care and maintenance of a critical piece of infrastructure.

When you think about LDAP-as-a-Service, many if not all of those issues are completely taken care of for you. For example, you don’t have to worry about installation and setup, or the networking piece, and the complexity of the protocol and underlying schema is all removed from the equation. Because you are leveraging a cloud-based directory, it is available securely to all of your devices and applications. The entire overhead of managing and ensuring the availability of LDAP is taken care of for you.

2. To Simplify Access to Cloud Servers and Infrastructure Apps

Attaching your cloud servers and any internal applications you manage in the cloud to an internally hosted LDAP solution can be challenging. As an example of the complexity:

  • First, you need to make sure that both sides can talk to each other. That can mean opening a firewall hole on-prem and then configuring your security groups at a provider such as AWS so that the cloud servers can authenticate to your on-prem LDAP.
  • Second, you need to make sure the connection is secure. This involves adding a VPN tunnel between the two sites (which you may or may not already have), configuring certificates, verifying proper handshaking, and then making sure that both sides are capable of recovering from any connection issues.
  • Third, you have to make sure that you have some control over who has access to what. Not all of your employees should have access to all parts of your network, but adding more finely tuned permissions may create more work on your end.

With an LDAP-as-a-Service solution like JumpCloud, the capability to manage users on cloud servers or cloud infrastructure apps is standard fare.

Cloud servers can authenticate against your cloud-based LDAP instance or you can drop an agent onto each machine to create specific accounts for each person. Further, you can leverage groups functionality to easily give groups of people access to groups of servers.

What once were complicated cloud infrastructure configurations are now easily solved.

3. Automatic High Availability

As you get going with LDAP, it sounds easy from the start. Setup a server and point your devices and applications to it. And, then that funny thing happens. Your server goes down and nothing and nobody can auth. Ouch. Your whole organization depends on getting into their devices and applications. Directories need to have 100% uptime. So you have to embark on setting up a high-availability environment. That’s more work, more cost, and more things to manage. What started as a simple, straightforward project turns into something that’s much more complicated when you start to realize that authentication needs to be available 100% of the time. SaaS-based directories already have to deal with this problem and are inherently designed to be highly available.

4. End User Self-Service

We’ve all been there. Your end user can’t remember their password, or they are connecting to a new system and they don’t have an account on it. You are on the hook to resolve the problem – right now! So you interrupt whatever you are working on to be helpful… yet this happens on a regular basis. Provisioning and managing user access is a painful process. What if you could offload the pain of setting a user up and if and when they have a problem, they can go to a self-service portal where they can do what they need to do. The portal could help them set up a strong password or upload their public key. If they forgot their password, they could reset it without you involved. How much aggravation and hassle do you avoid? And your employees?

5. Easier Compliance and Auditing

LDAP is an authentication platform, but it isn’t an auditing and compliance platform. While LDAP can log all authentication and authorization requests, it can’t tell when users are or are not logged into a particular machine, just the last time they performed an authentication. For those organizations that are subject to regulations such as PCI, the user directory is an incredibly critical part of the process. You need to know who has access to what and then track that access. Unfortunately, not all of that information is available in a standard LDAP implementation. With JumpCloud, however, that information is critical and provided as a part of our service. While auditing and compliance requirements are a broad set of tasks, and user management is only one aspect of that (e.g. PCI Requirement 8), it is a critical and core part of building a compliant environment.

While there are likely more reasons to consider using LDAP-as-a-Service, those are some of the key reasons that we have heard when talking with our customers. As you think about how you can be more efficient with your time and resources, moving your directory to the cloud may be one part of that plan. Let us know if we can help and we’d love to hear your thoughts on why LDAP-as-a-Service is a powerful concept for you.

Recent Posts