Access Management of GCP instances by configuring Google Cloud Identity LDAP for user login

By January 14, 2020 January 17th, 2020 Blogs

Written by Madan Mohan K, Associate Cloud Architect

“One Man’s TRASH can be another Man’s IDENTITY”-Identity Access Management

Maintaining two identity management systems for SaaS apps and traditional apps/infrastructure which results in intricacy, fragmented security, and additional cost.

To overcome this Google launched secure LDAP that lets you manage access to SaaS apps and traditional LDAP based apps/infrastructure using a single cloud-based identity and access management (IAM) solution.

Cloud Identity:

A unified identity, access, app, and endpoint management (IAM/EMM) platform that helps IT and security teams maximize end-user efficiency, protect company data, and transition to a digital workspace.

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

Platform Used:

  • G-Suite Admin with cloud Identity Premium 
  • Google Cloud

G-Suite Admin:

Create LDAP client from the Apps in the G-Suite Admin console

G-Suite Admin Console

In the LDAP apps page, click on “ADD CLIENT” button and Key in the required details

LDAP client creation

Under Access Permissions, you will have 3 settings:

  • Verify user credentials,
  • Read user information &
  • Read group information.

In this illustration, we chose to go with the entire domain option. If you wish to have restricted access it can be done by limiting the user access to OU.

In the “Read group information” section, change the option to On and click the “ADD LDAP CLIENT” button to create the client.

Once after the configuration When prompted with a Google SSL certificate Click on “Download certificate” and then “CONTINUE TO CLIENT DETAILS”

The service status should be in ON state. So, in the Status page, select “ON for everyone” and click on “SAVE”

Well, that is all at the G-Suite Admin console.

Google Cloud:

  • Create an instance in the GCP. In this example, we chose to use Ubuntu 16.
  • Update the Instance using sudo apt update -y
  • Install the SSSD package using sudo apt install -y sssd sssd-tools
  • Once the installation is done create a new file in /etc/sssd/ and name it as sssd.conf. You can do it using vi /etc/sssd/sssd.conf or the preferred editor.

The sssd.conf file should include the following and look similar like the image below

Note: Remember to replace the domain with yours. By default, Google Linux instances disable password authentication so change it to Yes.

Configuration in Google Instance:

  • Upload the certificate which was downloaded earlier in the G-Suite Download certificate Page.
  • Change the permission of sssd.conf file using sudo chown root:root /etc/sssd/sssd.conf & sudo chmod 600 /etc/sssd/sssd.conf.
  • Restart the SSSD service using sudo service sssd restart

To verify that SSSD is running and connecting to the LDAP server you can run the following command with any of the users in your G Suite account:

  • Type getent passwd username@powerup.university in the instance created in google cloud and the output should look something like this:

Instance Access Scenario:

Now, when you try to ssh from the open in the browser window you will receive the following error. Well now without the G-Suite user we will not be able to log in to the instance.

Granular Level Access to the G-Suite User: When you need to restrict the user access only to the instance. We need to set the custom metadata as enable-oslogin=TRUE

The following roles must be assigned to the G-Suite user to access the instance using a third-party tool(e.g putty).

  • Computer OS Admin Login
  • Compute OS Login
  • Service Account User

Now open a third-party tool and use the G-Suite user and password to login to the machine.

Inference:

When all the identities and apps are managed in a single window the complexity is reduced and security is enhanced which also leads to an increase in the adoption of cloud technology across your business

Update:

In the forthcoming days, we shall have G-Suite users access the Windows instances using the G-Suite credentials.

Leave a Reply