Hello.
I think it's probably difficult to use only Lambda.
For example, I believe it's possible to address this by creating a Windows EC2 instance for Active Directory management and then creating a Lambda function that executes PowerShell scripts on that EC2 instance using Run Command.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_users_groups_create_user.html#create-user-with-windows-powershell
AWS Managed Microsoft AD allows the same type of access to AD as a self-managed AD: you can create users either over LDAP (over TLS, port tcp/636) or via AD web services (tcp/9389). You didn't mention which programming language you'd be looking to use, but in general, there are lots of LDAP libraries available for many platforms, such as Python or Java, and as long as you use TLS-encrypted LDAP connections, the regular process for creating users and setting their initial passwords should work, and so will modifying existing users or deleting them. The traditional Active Directory Users and Computers tool (ADUC) also connects to AD with LDAP over TLS.
AD web services is what Microsoft's own AD PowerShell cmdlets (such as New-ADUser) use under the hood. I haven't tried using them from Lambda, where the PowerShell engine runs on top of Amazon Linux and not Windows Server, but I suspect that while this route may sound more natural, it may end up being a great deal more difficult, largely because the Lambda function wouldn't run on Windows and the cmdlets wouldn't be running on an AD member server.
If you're comfortable programming with Java, Python, or C#, I'd suggest finding some popular LDAP library for it. Probably most people using LDAP libraries are using them against Active Directory Domain Services, and the AWS-managed variant works essentially the same way in this regard.
Thank you, will check this out!
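The LDAP route described in the answer above, written out as an added example (not code from this thread, the linked re:Post answer, or AWS). It assumes: a directory DNS name of corp.example.com with NetBIOS name corp (both placeholders), so the delegated OU is OU=Users,OU=corp,DC=corp,DC=example,DC=com; server-side LDAPS enabled on the directory with a certificate the function trusts; an admin account whose password is read from a Secrets Manager secret (placeholder ARN); and the ldap3 package bundled with the function. Only `connect` and `lambda_handler` touch the network; the helpers are plain Python so the request they build can be inspected before anything is sent.

```python
"""Create a user in AWS Managed Microsoft AD over LDAPS (tcp/636) with ldap3."""
import json
import ssl

MODIFY_REPLACE = "MODIFY_REPLACE"  # same literal value as ldap3.MODIFY_REPLACE

# userAccountControl bits documented by Microsoft
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

DOMAIN = "corp.example.com"                      # placeholder
NETBIOS = "corp"                                 # placeholder
ADMIN_SECRET_ARN = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER"


def domain_to_base_dn(domain):
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join("DC=" + label for label in domain.split("."))


def escape_rdn_value(value):
    """Escape characters that are special inside a DN component (RFC 4514),
    so a surname like "O'Brien, Jr" cannot alter the DN structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(" "):
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1] + "\\ "
    return s


def encode_unicode_pwd(password):
    """AD only accepts unicodePwd as the UTF-16-LE bytes of the quoted password."""
    return ('"%s"' % password).encode("utf-16-le")


def build_user(domain, ou_dn, sam, given, surname):
    """DN and attribute set for the add request; the object is created disabled."""
    cn = escape_rdn_value("%s %s" % (given, surname))
    dn = "CN=%s,%s" % (cn, ou_dn)
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": sam,
        "userPrincipalName": "%s@%s" % (sam, domain),
        "givenName": given,
        "sn": surname,
        "displayName": "%s %s" % (given, surname),
        "userAccountControl": str(NORMAL_ACCOUNT | ACCOUNTDISABLE),
    }
    return dn, attrs


def create_user(conn, domain, ou_dn, sam, given, surname, initial_password):
    """Three operations: add the object disabled, set unicodePwd, then enable it
    with pwdLastSet=0 so the user must change the password at first logon.

    `conn` is an ldap3.Connection or any object with the same add/modify/result
    interface. AD rejects unicodePwd writes on a non-TLS session, so this only
    ever runs over the LDAPS connection that `connect` opens."""
    dn, attrs = build_user(domain, ou_dn, sam, given, surname)
    if not conn.add(dn, attributes=attrs):
        raise RuntimeError("add failed: %s" % conn.result)
    if not conn.modify(dn, {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(initial_password)])]}):
        raise RuntimeError("password set failed: %s" % conn.result)
    enable = {
        "userAccountControl": [(MODIFY_REPLACE, [str(NORMAL_ACCOUNT)])],
        "pwdLastSet": [(MODIFY_REPLACE, ["0"])],
    }
    if not conn.modify(dn, enable):
        raise RuntimeError("enable failed: %s" % conn.result)
    return dn


def connect(domain, admin_user, admin_password):
    """Open an LDAPS session to the directory's DNS name (resolves to both DCs).
    Assumes the DC certificates chain to a CA the function trusts."""
    import ldap3  # imported here so the helpers above stay testable offline
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(domain, port=636, use_ssl=True, tls=tls)
    return ldap3.Connection(server, user=admin_user, password=admin_password,
                            authentication=ldap3.SIMPLE, auto_bind=True)


def lambda_handler(event, context):
    """event: {"sam": "jdoe", "given": "Jane", "surname": "Doe", "password": "..."}"""
    import boto3
    secret = json.loads(boto3.client("secretsmanager")
                        .get_secret_value(SecretId=ADMIN_SECRET_ARN)["SecretString"])
    ou_dn = "OU=Users,OU=%s,%s" % (NETBIOS, domain_to_base_dn(DOMAIN))
    conn = connect(DOMAIN, secret["username"], secret["password"])
    try:
        dn = create_user(conn, DOMAIN, ou_dn, event["sam"], event["given"],
                         event["surname"], event["password"])
    finally:
        conn.unbind()
    return {"dn": dn}  # never echo the password back into the invocation log
```

The add/set-password/enable sequence is the same one ADUC performs, which is why the account never exists in an enabled state without a password. The security group on the function's ENIs needs outbound tcp/636 to the directory's two DC addresses; nothing else in the directory's inbound rules has to change.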
These new AWS APIs make it much easier to do this in Lambda.
https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_Operations.html
Here is a doc on how to use those APIs from the AWS command line interface.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_users_groups_cli.html
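The same provisioning step using the Directory Service Data API from the answer above, as an added example (not from the thread or from AWS). It assumes: Directory Service Data access has been enabled on the directory (placeholder id d-1234567890); the function's role allows ds-data:CreateUser, ds-data:AddGroupMember and ds:ResetUserPassword on that directory; and that the initial password is generated here and handed to the user out of band. The `ds_data` and `ds` parameters are boto3 clients for the `ds-data` and `ds` services, or stand-ins with the same method names, which is what makes the flow checkable without a directory.

```python
"""Provision an AD user from Lambda with the Directory Service Data API."""
import secrets
import string
import uuid

DIRECTORY_ID = "d-1234567890"  # placeholder
SYMBOLS = "!@#$%^&*"


def generate_initial_password(length=20):
    """Random password meeting the default AD complexity rule (at least three
    of upper, lower, digit, symbol); regenerated until that holds."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.isupper() for c in pwd), any(c.islower() for c in pwd),
                   any(c.isdigit() for c in pwd), any(c in SYMBOLS for c in pwd))
        if sum(classes) >= 3:
            return pwd


def build_create_user_request(directory_id, sam, given, surname, email, client_token=None):
    """Parameter set for ds-data CreateUser; ClientToken makes a retried
    invocation idempotent instead of failing on a duplicate sAMAccountName."""
    return {
        "DirectoryId": directory_id,
        "SAMAccountName": sam,
        "GivenName": given,
        "Surname": surname,
        "EmailAddress": email,
        "ClientToken": client_token or str(uuid.uuid4()),
    }


def provision_user(ds_data, ds, directory_id, sam, given, surname, email, groups=()):
    """Create the user, set its first password, then add it to each group.

    CreateUser takes no password, so the account is unusable until
    ResetUserPassword (a ds: action, not ds-data:) sets one. Returns the new
    object's SID together with the generated password."""
    resp = ds_data.create_user(**build_create_user_request(directory_id, sam, given, surname, email))
    password = generate_initial_password()
    ds.reset_user_password(DirectoryId=directory_id, UserName=sam, NewPassword=password)
    for group in groups:
        ds_data.add_group_member(DirectoryId=directory_id, GroupName=group, MemberName=sam)
    return {"sid": resp["SID"], "password": password}


def lambda_handler(event, context):
    """event: {"sam": "jdoe", "given": "Jane", "surname": "Doe",
               "email": "jdoe@example.com", "groups": ["Staff"]}"""
    import boto3
    out = provision_user(boto3.client("ds-data"), boto3.client("ds"), DIRECTORY_ID,
                         event["sam"], event["given"], event["surname"], event["email"],
                         event.get("groups", ()))
    # Return only the SID; the password belongs in Secrets Manager or a
    # delivery channel the user controls, not in the invocation response or logs.
    return {"sid": out["sid"]}
```

Unlike the LDAP route, this needs no VPC attachment, no LDAPS certificate and no stored directory admin credential: authorization is the function's IAM role, and every call lands in CloudTrail under the ds-data and ds event sources, which is useful for auditing who created which account.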
You can run PowerShell scripts on EC2 from Systems Manager RunCommand using the "AWS-RunPowerShellScript" document. https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-param-runcommand.html
Note, however, that this approach assumes having to maintain an EC2 instance, most likely made an AD domain member, establishing SSM Agent connectivity, having to write the provisioning code in PowerShell, and having to intermediate between the Lambda<=>SSM Run Command<=>Microsoft PowerShell cmdlets in terms of exception handling, passing parameters and return values (like generated usernames), and so on, as well as dealing with concurrency limitations of the interdependent components. LDAP-based connections don't involve any of these limitations, nor do they force using a specific technology platform.
I think it is certainly possible to connect using LDAP with the code answered at the URL below. I think in most environments using AWS Managed Microsoft AD, EC2 instances are used for directory management. I thought it would be easier to utilize them effectively. https://repost.aws/ja/questions/QURpzXJp3GT4iDox2jq4DZ7w/create-users-in-directory-service-using-ldap-python
Yes, the method described in that post is a very clean example of using a common LDAP library for Python and authenticating to AD with an admin username/password, not requiring the Lambda client to be a domain member. I'd advise preferring this style of thin-stack approach, particularly for an on-going operational provisioning process for a significant number of users over time.
Thank you, will check this out!