How to Experiment With Google Cloud LDAP

Want to experiment in Google Cloud Identity with secure LDAP? Start here!

Table of Contents: 

• What Is Google Cloud LDAP?
• Why Does Google Cloud Need LDAP?
• How to Leverage Google Cloud LDAP in Puppet Enterprise

What Is Google Cloud LDAP?

Google Cloud LDAP is the use of a secure LDAP to allow organizations to manage access to SaaS and traditional apps on-premises or in the cloud. In the simplest technical terms though, this is an LDAP-compatible API that resides on top of G Suite/Cloud Identity.

Why Does Google Cloud Need LDAP?

Google Cloud needs LDAP to ensure secure authentication across infrastructure. 

A History of Authentication For On-Premises, Cloud, and Hybrid

When organizations choose to migrate from an on-premises infrastructure to the cloud or to adopt a hybrid architecture, they are going to run into an issue: the authentication systems that modern internet services were built on are not natively compatible with the software that their organizations depend on. The result for many organizations is that they split up the infrastructure into groups of apps that support traditional identity systems like Active Directory and LDAP and new ones that support OAUTH; provisioning and having to manage the credentials and access permissions for multiple identities. This brings up the question: what is the definition of hybrid?

Us (ex-)operators and managers of infrastructure are well accustomed to hosting services from different geographic locations and maintaining entirely different systems depending on the use case. No matter where these systems were we'd unify them through networking, a collection of dark fiber links, or VPN tunnels over the open internet so that it felt like one complete and native infrastructure. The other half of making our infrastructure always feel like ours was a global identity. When I managed infrastructure for a university this identity was provided by LDAP, and while managing infrastructure for Puppet this identity was primarily our SSH key, which we distributed via Puppet.

Puppet Enterprise and LDAP

Puppet Enterprise is infrastructure automation software born in the data center, so its console authentication system was built around the systems available there, but the value proposition of the platform equally applies to any organization in the midst of adopting the public cloud. These facts are at the core of why I find the introduction of Google Cloud Identity's Secure LDAP compelling. With it you can deploy a Puppet Enterprise installation with a cloud-native authentication backend so in the process of your migration you aren’t creating new overhead by doing away with a global user identity and having to maintain users across multiple environments.

How to Leverage Google Cloud LDAP in Puppet Enterprise

Once setup, Secure LDAP functions in the same way as any other external identity source in Puppet Enterprise. Native support using the PE console external directory configuration pane is not currently available so additional local setup will need to be completed through the secure tunneling application, stunnel.

Here's how to use LDAP for Puppet Enterprise:

1. Install PE.
2. Provision a Secure LDAP client certificate and authentication credential.
3. Setup stunnel on PE console host.
4. Configure PE external directory to talk to secure tunnel on loopback.

Not using Puppet Enterprise? Get started with a free trial today. 

START MY TRIAL

Learn More

• How Puppet Google Cloud modules make managing GCP easier
• How to connect Puppet Enterprise to Okta using SAML

This blog was originally published on November 1, 2018 and has since been updated for accuracy and relevance.