By Ryan Squires Posted February 1, 2020
A significant number of servers in the AWS® cloud run on Linux®. As such, DevOps engineers want to pair the open source OS with an open source authentication mechanism: LDAP. The alternative is to try to fit Linux authentication onto Microsoft® Active Directory® (AD), a mismatch that creates unnecessary work for DevOps engineers.
Why Not AD?
AD struggles with non-Windows® systems out of the box. Generally, to manage users on Linux servers with AD, DevOps engineers must layer additional tooling onto it. One might assume that AWS offers something to close this gap, but AWS Directory Service is essentially AD hosted in AWS, so many are reluctant to use it for their Linux server infrastructure. The largest deterrents are AD’s limitations with Linux and its licensing costs compared to open source tools like OpenLDAP™.
OpenLDAP for AWS and DevOps
As an open source solution, OpenLDAP is versatile and highly flexible — it can enable the LDAP authentication that DevOps teams need for their Linux servers in AWS. But LDAP isn’t just useful for server access. Many of the other tools that DevOps teams leverage authenticate via LDAP, too. Examples include the Atlassian® suite, Docker, and OpenVPN®.
Challenges of Traditional LDAP
LDAP is most often delivered by OpenLDAP servers. These servers have historically been housed on-prem or in the data center, next to the servers they authenticate. LDAP servers require a significant amount of configuration and technical know-how to set up correctly. It is also possible to host LDAP servers in the cloud. While a third party then handles physical hardware configuration and maintenance, it is still a tall order to get the software functional and keep it up to date, and the team still owns the server’s security, availability, and performance.
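The client side of that configuration is where the security of the whole arrangement is usually decided. As an added example that is not from the original post: two constructed sssd.conf fragments that point a Linux host at an OpenLDAP server (the hostname, base DN and CA path are assumptions for illustration), one carrying the settings that quietly weaken the authentication path and one hardened, plus a small POSIX sh checker that flags the weak settings.

```shell
#!/bin/sh
# Added example, not from the original post. The LDAP host, base DN and CA path
# are assumptions. The checker reads an sssd.conf body from a string and reports
# the settings that turn LDAP authentication into unverified TLS or plaintext.

# Constructed "before": identity lookups over plaintext ldap://, no certificate
# verification, and TLS explicitly disabled for the authentication bind.
WEAK_CONF='[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
'

# Constructed "after": LDAPS from the first byte, a pinned CA, and strict
# certificate verification so a spoofed directory cannot harvest passwords.
HARDENED_CONF='[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/example-ldap-ca.pem
ldap_tls_reqcert = demand
cache_credentials = true
'

# conf_value CONF KEY: print the value of "KEY = value", empty if absent.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# check_sssd_conf CONF: print one finding per line; return 0 if clean, 1 otherwise.
check_sssd_conf() {
    conf="$1"
    findings=0
    uri=$(conf_value "$conf" ldap_uri)
    starttls=$(conf_value "$conf" ldap_id_use_start_tls)
    reqcert=$(conf_value "$conf" ldap_tls_reqcert)
    notls=$(conf_value "$conf" ldap_auth_disable_tls_never_use_in_production)

    # Identity lookups (users, groups) travel in clear unless LDAPS or StartTLS is on.
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "ldap_uri is ldap:// without StartTLS: directory lookups are plaintext"
                findings=$((findings + 1))
            fi ;;
        *)  echo "ldap_uri missing or unrecognised: '$uri'"
            findings=$((findings + 1)) ;;
    esac

    # Anything weaker than demand/hard accepts a forged server certificate.
    case "$reqcert" in
        demand|hard) ;;
        *)  echo "ldap_tls_reqcert=${reqcert:-unset} does not verify the server certificate"
            findings=$((findings + 1)) ;;
    esac

    # This switch sends the user's password in a plaintext simple bind.
    if [ "$notls" = "true" ]; then
        echo "ldap_auth_disable_tls_never_use_in_production=true: passwords sent in clear"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

echo "== weak =="
check_sssd_conf "$WEAK_CONF" || true
echo "== hardened =="
check_sssd_conf "$HARDENED_CONF" && echo "no findings"
```

The two settings that matter most are ldap_tls_reqcert, which must be demand (or hard) for the client to reject a server presenting a certificate the pinned CA did not issue, and ldap_auth_disable_tls_never_use_in_production, which should never appear in a production file. The checker only inspects the text; it does not prove the CA file exists or that the directory actually presents a matching certificate, so pair it with a real bind test against the server.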
As such, many DevOps engineers are seeking out a solution from the cloud that can provide the LDAP authentication their environments require. They also know that there are other issues in the environment that LDAP alone (Read more…)