AWS SSO, Okta Universal Directory, and OpenLDAP by Example

  • AWS bootstrap, e.g., example-aws@larkintuckerllc.com
  • Okta admin, e.g., john@larkintuckerllc.com (I wanted to use example-okta@larkintuckerllc.com, but I had already used john@larkintuckerllc.com)
  • AWS log archive: e.g., example-aws-log-archive@larkintuckerllc.com
  • AWS audit, e.g., example-aws-audit@larkintuckerllc.com
  • Developer, e.g., example-developer@larkintuckerllc.com

OpenLDAP

$ sudo -i
# apt update
# apt install slapd ldap-utils
# dpkg-reconfigure slapd
  • DNS domain name; in my case larkintuckerllc.com (this becomes the base DN dc=larkintuckerllc,dc=com)
  • Organization name: in my case Larkin & Tucker, LLC
  • (LDAP) Administrator password
$ ldapadd \
-x \
-D "cn=admin,dc=larkintuckerllc,dc=com" \
-w "ADMINISTRATOR_PASSWORD" \
-f FILE
$ ldappasswd \
-x \
-D "cn=admin,dc=larkintuckerllc,dc=com" \
-w "ADMINISTRATOR_PASSWORD" \
-S "uid=example-aws,ou=people,dc=larkintuckerllc,dc=com"

Okta Universal Directory

# wget https://larkintuckerllc-admin.okta.com/static/ldap-agent/OktaLDAPAgent-05.10.00_amd64.deb
# dpkg -i OktaLDAPAgent-05.10.00_amd64.deb
# /opt/Okta/OktaLDAPAgent/scripts/configure_agent.sh
  • Okta Base URL, in my case https://larkintuckerllc.okta.com
  • LDAP server hostname: localhost
  • LDAP admin DN: cn=admin,dc=larkintuckerllc,dc=com (the directory administrator is used here for simplicity; a dedicated bind account limited to reading the user and group search bases is the least-privilege choice)
  • LDAP admin password: The LDAP administrator password
  • Base DN, in my case, dc=larkintuckerllc,dc=com
  • Use SSL: n (acceptable only because the agent binds to slapd on the same host over the loopback interface; for an LDAP server on another host answer y and use port 636, otherwise the bind credentials and directory data cross the network in the clear)
  • LDAP server port: 389
  • Enable proxy: n
  • LDAP Version: OpenLDAP (sets many default values for us)
  • User Search Base: in my case, ou=people,dc=larkintuckerllc,dc=com
  • Group Search Base: in my case, ou=groups,dc=larkintuckerllc,dc=com
  • Okta username format: User Id (UID)@Domain
  • Example username: in my case, example-aws@larkintuckerllc.com

Create AWS Account

Setup AWS SSO

  • Log archive email: e.g., example-aws-log-archive@larkintuckerllc.com
  • Audit email, e.g., example-aws-audit@larkintuckerllc.com

Single Sign-On Between Okta Universal Directory and AWS

Creating a Developer and Developers Group

$ ldapadd \
-x \
-D "cn=admin,dc=larkintuckerllc,dc=com" \
-w "ADMINISTRATOR_PASSWORD" \
-f FILE
$ ldappasswd \
-x \
-D "cn=admin,dc=larkintuckerllc,dc=com" \
-w "ADMINISTRATOR_PASSWORD" \
-S "uid=example-developer,ou=people,dc=larkintuckerllc,dc=com"

Revisiting the AWSAccountFactory (and Others) Group

$ ldapmodify -x -D "cn=admin,dc=larkintuckerllc,dc=com" -w "ADMINISTRATOR_PASSWORD" -f modify.ldif
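The contents of FILE in the ldapadd steps above (the bootstrap user, the developer user and the Developers group) and of modify.ldif in this step are not shown on the page. The script below is an added example and not the author's own files: it generates that LDIF and applies it, assuming a layout consistent with the search bases configured for the Okta agent (ou=people and ou=groups under dc=larkintuckerllc,dc=com, groups as groupOfNames, group names AWSAccountFactory and Developers). It also binds with -W, which prompts for the administrator password, instead of -w, which leaves the password in shell history and visible in ps output.

```shell
#!/usr/bin/env bash
# Added example: generate and apply the LDIF behind "ldapadd -f FILE" and
# "ldapmodify -f modify.ldif". The DN layout, object classes and group names
# are ASSUMPTIONS consistent with the page's search bases, not the author's files.
set -eu

BASE_DN="dc=larkintuckerllc,dc=com"
ADMIN_DN="cn=admin,${BASE_DN}"
DOMAIN="larkintuckerllc.com"

# The two containers the Okta agent's user and group search bases point at.
ou_ldif() {
  printf 'dn: ou=people,%s\nobjectClass: organizationalUnit\nou: people\n\n' "$BASE_DN"
  printf 'dn: ou=groups,%s\nobjectClass: organizationalUnit\nou: groups\n' "$BASE_DN"
}

# One inetOrgPerson. The agent's "User Id (UID)@Domain" username format turns
# uid=example-aws into example-aws@larkintuckerllc.com, so mail is set to match.
# No userPassword is written here; it is set afterwards with ldappasswd -S.
person_ldif() {
  local uid="$1" cn="$2" sn="$3"
  printf 'dn: uid=%s,ou=people,%s\n' "$uid" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nobjectClass: organizationalPerson\nobjectClass: person\n'
  printf 'uid: %s\ncn: %s\nsn: %s\nmail: %s@%s\n' "$uid" "$cn" "$sn" "$uid" "$DOMAIN"
}

# A groupOfNames. The object class requires at least one member, so a group
# is created together with its first member.
group_ldif() {
  local group="$1" first_uid="$2"
  printf 'dn: cn=%s,ou=groups,%s\nobjectClass: groupOfNames\ncn: %s\n' "$group" "$BASE_DN" "$group"
  printf 'member: uid=%s,ou=people,%s\n' "$first_uid" "$BASE_DN"
}

# The modify.ldif case: add (op=add) or remove (op=delete) one member on an
# existing group. The trailing "-" terminates the modification spec.
member_change_ldif() {
  local op="$1" group="$2" uid="$3"
  printf 'dn: cn=%s,ou=groups,%s\nchangetype: modify\n%s: member\nmember: uid=%s,ou=people,%s\n-\n' \
    "$group" "$BASE_DN" "$op" "$uid" "$BASE_DN"
}

# Everything needed before the Okta agent is configured, as one LDIF stream.
bootstrap_ldif() {
  ou_ldif
  printf '\n'
  person_ldif example-aws "Example AWS" AWS
  printf '\n'
  group_ldif AWSAccountFactory example-aws
}

# Apply LDIF read from stdin with ldapadd or ldapmodify. -W prompts for the
# bind password rather than taking it on the command line with -w.
apply_ldif() {
  local tool="$1"
  "$tool" -x -H ldap://localhost -D "$ADMIN_DN" -W
}

# Confirm the entry the agent will look up exists under the user search base.
verify_user() {
  ldapsearch -x -LLL -H ldap://localhost -b "ou=people,${BASE_DN}" "(uid=$1)" dn mail
}

# Usage (against a running slapd):
#   bootstrap_ldif | apply_ldif ldapadd
#   { person_ldif example-developer "Example Developer" Developer; printf '\n'; \
#     group_ldif Developers example-developer; } | apply_ldif ldapadd
#   member_change_ldif add AWSAccountFactory example-developer | apply_ldif ldapmodify
#   verify_user example-developer
# Run on its own, the script prints the bootstrap LDIF for review:
bootstrap_ldif
```

Review the generated LDIF before applying it; ldapadd refuses entries whose required attributes (sn for person, member for groupOfNames) are missing, so the generator includes them.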

Wrap Up

John Tucker

Broad infrastructure, development, and soft-skill background