
Experiment in Google Cloud Identity with Secure LDAP

When organizations choose to migrate from an on-premises infrastructure to the cloud or to adopt a hybrid architecture, they are going to run into an issue: the authentication systems that modern internet services were built on are not natively compatible with the software that their organizations depend on. The result for many organizations is that they split up the infrastructure into groups of apps that support traditional identity systems like Active Directory and LDAP and new ones that support OAuth, and then have to provision and manage the credentials and access permissions for multiple identities. This brings up the question: what is the definition of hybrid?

I'll echo the opinion an old colleague of mine, Kelsey Hightower, expressed during a Google Cloud Next "Ask-Me-Anything" session back in July. We (ex-)operators and managers of infrastructure are well accustomed to hosting services from different geographic locations and maintaining entirely different systems depending on the use case. No matter where these systems were, we'd unify them through networking, a collection of dark fiber links, or VPN tunnels over the open internet so that it felt like one complete and native infrastructure. The other half of making our infrastructure always feel like ours was a global identity. When I managed infrastructure for a university this identity was provided by LDAP, and while managing infrastructure for Puppet this identity was primarily our SSH key, which we distributed via Puppet.

Puppet Enterprise is infrastructure automation software born in the data center, so its console authentication system was built around the systems available there, but the value proposition of the platform equally applies to any organization in the midst of adopting the public cloud. These facts are at the core of why I find the introduction of Google Cloud Identity's Secure LDAP compelling. With it you can deploy a Puppet Enterprise installation with a cloud-native authentication backend, so that your migration doesn’t create new overhead by doing away with a global user identity and leaving you to maintain users across multiple environments.

What is Google Cloud Identity with Secure LDAP?

In Google’s blog post officially announcing the feature, they explain that Secure LDAP in Cloud Identity allows "organizations to manage access to SaaS apps and traditional LDAP-based apps/infrastructure hosted on-premises or in the cloud using a single identity and access management platform."

In the simplest technical terms though, this is an LDAP-compatible API that resides on top of G Suite/Cloud Identity.

Leveraging it in Puppet Enterprise

Once set up, Secure LDAP functions in the same way as any other external identity source in Puppet Enterprise. Native support through the PE console's external directory configuration pane is not currently available, so additional local setup needs to be completed using the secure tunneling application stunnel.

Full documentation of the process can be found here on GitHub. Basically, it’s:

  1. Install PE
  2. Provision a Secure LDAP client certificate and authentication credential
  3. Set up stunnel on the PE console host
  4. Configure the PE external directory to talk to the secure tunnel on loopback
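
As an added example (not from the original post or the linked GitHub documentation), the Python check below audits the stunnel service section that steps 3 and 4 rely on, with a hardened form beside a weak one. The file paths, local port 1636 and the `audit` helper are assumptions; `ldap.google.com:636` is Google's Secure LDAP endpoint.

```python
import configparser
import ipaddress

# Constructed hardened stunnel service section for the PE console host.
# Assumptions: file paths, CA bundle location and local port 1636.
HARDENED = """
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = ldap.google.com
"""

# Constructed weak variant: listens on every interface, never verifies the server.
WEAK = """
[ldap]
client = yes
accept = 1636
connect = ldap.google.com:636
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key
"""

def audit(conf_text, service="ldap"):
    """Return a list of findings for one stunnel service section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    s = cp[service]
    findings = []
    if s.get("client", fallback="no").lower() != "yes":
        findings.append("client mode is off")
    # The PE-to-stunnel leg is plaintext LDAP, so it must stay on loopback.
    host, sep, _port = s.get("accept", fallback="").rpartition(":")
    try:
        loopback = bool(sep) and ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback:
        findings.append("accept is not bound to loopback")
    # stunnel does not verify the peer certificate unless told to.
    if s.get("verifyChain", fallback="no").lower() != "yes":
        findings.append("server certificate chain is not verified")
    if not s.get("checkHost"):
        findings.append("server hostname is not checked")
    return findings
```

The client key file also needs to be readable only by the account stunnel runs as, since anyone holding it together with the certificate can authenticate as this Secure LDAP client.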

Cody Herriges is a principal business development manager at Puppet.