
How do I manage access to traditional LDAP-based apps and infrastructure?

October 4, 2019

Google Cloud Security Showcase, a special web series where we’ll focus on security use cases that our customers can solve with Google Cloud. My name is Ravi Kumar, and I’m a product manager at Google Cloud. Today, we’ll be walking you through one of the top questions we get from our customers: how do I manage access to traditional LDAP-based applications and infrastructure?

As an enterprise administrator, you have the responsibility to manage access to enterprise applications. These applications can be modern SaaS-based applications or traditional applications, like LDAP-based applications. Most enterprises use on-premise legacy corporate directories, like Active Directory and OpenLDAP, to integrate those traditional LDAP-based applications. However, setting up and maintaining these systems is complex, and these systems also have a high total cost of ownership. A better alternative would be to use a modern identity system, like Cloud Identity, which provides a simple and secure way to integrate LDAP applications.

Secure LDAP is LDAP as a service, which is part of Cloud Identity Premium and G Suite Enterprise. It makes your Google Cloud directory available as an LDAP directory to all your LDAP-based applications and IT infrastructure, for example, VPN servers, network-attached storage servers, et cetera. Now, let’s see it in action.

Here’s the Cloud Identity or G Suite admin console. Clicking on Applications and then on LDAP, this is the list of LDAP applications I’ve already onboarded into my domain. Now, I’m onboarding a new LDAP application called PaperCut. It’s an enterprise print management solution. Clicking on Continue, in this section you will be able to decide how much you want to expose your directory to this particular LDAP client. For example, if your LDAP client is used only by a portion of your company, then you select Selected organizational units, and then you can select a subset of your organization here. Or, if you want your entire organization to be authenticated to this LDAP application, just click on Entire domain. In the same manner, you can decide how much to expose for user lookups: the entire domain or a portion of your directory. And then you can also decide whether to expose groups from your directory or not. Now, I’m clicking on Add LDAP Client. Within a few seconds, your application will be onboarded, and you will also see a digital certificate that you can download.

Now, some applications need the directory’s admin credentials. Not all applications need it, but some do. So if you have one of those applications, you go to the LDAP Application Details page. I’m clicking on the Authentication section and scrolling down, and you can create a new admin credential that you can use in those LDAP-based applications. And again, this admin credential will only be useful for that particular application. At any point in time, you can delete this admin credential, or you can also delete the certificates that you have generated in the past. And finally, let’s switch on this application so that Secure LDAP will be able to start accepting requests from this LDAP client.

All right, we’re done with part 1 of the configuration. Now, let’s go to part 2. That is, you need to go to the LDAP application’s configuration screen, and you need to point to Google as an LDAP server. So this is the Admin Console for PaperCut, and this is the place where you can perform directory configuration. Here, I’ve selected Google Cloud Directory. If your LDAP configuration does not show Google Cloud Directory, that’s fine; you can select either OpenLDAP or Active Directory. And here, I’ve typed in my domain name, and then I’ve also uploaded the certificate to save some time. Finally, let’s test this configuration. When I click on Synchronize, PaperCut is authenticating itself using the digital certificate that we have uploaded, and once it is authenticated, it is able to pull a bunch of users and groups.

From an end-user perspective, the end user walks up to any multifunction printer, and they type in their Google credentials to release the print jobs. So when they type in the Google credentials, PaperCut takes those credentials and authenticates with Secure LDAP before letting the user release the print jobs.

From a configuration perspective, each LDAP application is slightly different. So we have a Help article that shows the configuration information for many popular applications. If you don’t see your application there, don’t worry. We have generic configuration information so that you can configure any LDAP-based application.

Now, finally, let’s look at the audit logs. I’m going back to the homepage here and clicking on the Reporting section. Secure LDAP audit logs are stored in two places. The first location is the Admin Audit Log. This is the place where you will be able to see all the things that your administrators have done in the Admin Console, for example, onboarding your LDAP-based applications, offboarding, switching on the service, downloading certificates, generating these credentials, et cetera. The second LDAP audit log that you should be looking at is the LDAP Operations Audit. This is the place where we record all the communication that’s happening between your LDAP clients and Google. For example, here, PaperCut has authenticated the users, and it has done some user lookups and group lookups. So you’ll be able to see all that information in the LDAP Audit Log.

And that’s it. That concludes the demo for Secure LDAP. Thank you for tuning in. Please visit for more content from Google Cloud experts.
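As an added example, not part of the video and not Google's or PaperCut's own tooling, the POSIX shell script below performs the kind of client-side check that PaperCut's Synchronize step does, using the OpenLDAP command-line client against the generic Secure LDAP settings. It assumes the OpenLDAP tools are installed; the domain, login and certificate paths are placeholders, and the ldap.google.com:636 endpoint, the dc=...-style base DN and the uid/mail attributes follow Google's published generic configuration.

```shell
#!/bin/sh
# Hypothetical Secure LDAP connectivity check (added example, not Google's or
# PaperCut's code). Uses ldapsearch with the client certificate downloaded
# from the Admin Console when the LDAP client was onboarded.

# Derive the base DN Secure LDAP exposes for a domain: example.com -> dc=example,dc=com
base_dn_from_domain() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Escape a user-supplied value for use inside an LDAP search filter (RFC 4515),
# so a name typed at a printer keypad cannot change the structure of the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Look a user up over LDAPS with the client certificate Secure LDAP issued.
#   $1 domain, $2 username or email the user typed, $3 client cert PEM, $4 client key PEM
# If the application was given access (admin) credentials, add -D/-y to the
# ldapsearch call; the plain client-certificate case is shown here.
secure_ldap_lookup() {
    domain=$1; login=$2; cert=$3; key=$4
    base=$(base_dn_from_domain "$domain")
    login_esc=$(ldap_filter_escape "$login")
    # LDAPTLS_REQCERT=demand refuses the connection if Google's server certificate
    # does not validate, so the check cannot silently fall back to an untrusted peer.
    LDAPTLS_REQCERT=demand LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" \
      ldapsearch -LLL -x -H ldaps://ldap.google.com:636 \
        -b "$base" "(|(uid=$login_esc)(mail=$login_esc))" dn mail
}

# Usage: ./secure_ldap_check.sh example.com jane ldap-client.crt ldap-client.key
if [ "$#" -eq 4 ]; then
    secure_ldap_lookup "$@"
fi
```

A successful run prints the matching user's DN and mail; the same query then appears as a user lookup in the LDAP Operations Audit described above.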
