Certificate to use for LDAPS in Python Lambda


I am following the two articles below to set up server-side LDAPS in Directory Service and then trying to use it in my Python Lambda to create users. However, I don't know which certificate to use and how to refer to it in the Lambda. Can anyone please help?
https://repost.aws/questions/QURpzXJp3GT4iDox2jq4DZ7w/create-users-in-directory-service-using-ldap-python
https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/

asked 17 days ago, 143 views
1 Answer

Hi

When connecting to LDAPS (Lightweight Directory Access Protocol with Secure Sockets Layer) in your Python Lambda function to manage AWS Directory Service users, you'll need a valid certificate to establish a secure connection.

Two Main Certificate Scenarios:

Publicly Trusted Certificate:

If your Directory Service uses a certificate issued by a well-known Certificate Authority (CA) like DigiCert or Let's Encrypt, things are straightforward. The ldap module in your Lambda code will automatically handle certificate validation during the connection process. You don't need to provide any specific certificate information in your code.

Self-Signed or Private CA Certificate:

If your Directory Service uses a self-signed certificate (created by your organization) or one issued by a private CA that's not publicly trusted, you'll need to provide the certificate data to your Lambda function:

  1. Package the Certificate:

Include the certificate file (PEM format) in your Lambda deployment package. You can either store it directly within your code directory or in a separate directory (e.g., certificates). In your Lambda code, read the certificate data using techniques like:
with open('path/to/certificate.pem', 'rb') as f: cert_data = f.read()

  2. Use AWS Secrets Manager (Recommended): Store the certificate data securely in AWS Secrets Manager, a service designed to safeguard sensitive information like passwords and certificates. Retrieve the certificate data from Secrets Manager using the AWS SDK for Python within your Lambda function.

https://aws.amazon.com/blogs/compute/securely-retrieving-secrets-with-aws-lambda/

EXPERT
GK
answered 17 days ago
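The answer above describes two ways of getting a private-CA certificate into the function but not what the Lambda does with it. The following is an added example (editor's code, not from the answer, the question, or the AWS blog) of the second scenario: the client is given the CA chain that issued the directory's server certificate (the root CA plus the issuing CA certificate, exported as Base64/PEM), not the server's own leaf or wildcard certificate, and a TLS context is built that verifies both the chain and the host name. The host name, bind DN, secret name and the placeholder bundle are assumptions; the LDAP step uses python-ldap (the `ldap` module the answer refers to) and is only exercised when the function actually runs in Lambda.

```python
# Added example (not from the original post or the AWS blog): trusting a
# Directory Service LDAPS endpoint whose server cert was issued by a private CA.
# The client trusts the CA chain (offline root + issuing/enterprise CA), never
# the server's own leaf or wildcard cert. Host, DN and secret name are assumed.
import os
import re
import ssl
import tempfile

# Constructed placeholder: two PEM blocks with dummy base64 bodies, so the
# helpers have offline input. It is NOT a real chain and OpenSSL rejects it;
# a real bundle is the root CA cert followed by the issuing CA cert, both
# exported in Base64 (PEM) form from the CA servers.
CONSTRUCTED_PLACEHOLDER_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAAAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAAAAAA\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text: str) -> list:
    """Return each CERTIFICATE block in a PEM bundle, in file order."""
    return _PEM_BLOCK.findall(pem_text)


def strict_tls_context() -> ssl.SSLContext:
    """Client context that verifies the chain AND the host name (the
    PROTOCOL_TLS_CLIENT defaults) and refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary, used to check a context is strict before use."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def load_ca_bundle(ctx: ssl.SSLContext, pem_text: str) -> int:
    """Trust the CA chain in pem_text; return the number of blocks loaded.
    ValueError for a file with no PEM blocks (a DER-exported .cer looks like
    this), ssl.SSLError if OpenSSL cannot parse a block."""
    blocks = split_pem_chain(pem_text)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE blocks; export the CA certs as Base64 (PEM)")
    ctx.load_verify_locations(cadata=pem_text)
    return len(blocks)


def bundle_loads(pem_text: str) -> bool:
    """True if OpenSSL accepts the bundle as a set of CA certificates."""
    try:
        load_ca_bundle(strict_tls_context(), pem_text)
        return True
    except (ValueError, ssl.SSLError):
        return False


def write_ca_bundle(pem_text: str, directory: str = None) -> str:
    """python-ldap needs a file path for OPT_X_TLS_CACERTFILE; in Lambda only
    /tmp is writable, so a bundle fetched from Secrets Manager is written there."""
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "ldaps-ca-bundle.pem")
    with open(path, "w") as fh:
        fh.write(pem_text)
    return path


def fetch_ca_bundle(secret_id: str) -> str:
    """Read the PEM bundle from Secrets Manager (assumes boto3 and a secret
    whose SecretString holds the PEM text)."""
    import boto3  # present in the Lambda runtime
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)["SecretString"]


def ldaps_bind(host: str, bind_dn: str, password: str, ca_bundle_path: str):
    """Verified LDAPS bind with python-ldap. REQUIRE_CERT is set explicitly so
    a TLS_REQCERT default in ldap.conf cannot weaken the connection."""
    import ldap  # python-ldap, shipped in the deployment package
    conn = ldap.initialize(f"ldaps://{host}:636")
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_bundle_path)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options above
    conn.simple_bind_s(bind_dn, password)
    return conn


def lambda_handler(event, context):
    """Assumed wiring: CA bundle in a hypothetical secret "ldaps/ca-bundle";
    bind credentials come from event here only for illustration."""
    bundle = fetch_ca_bundle("ldaps/ca-bundle")
    if not bundle_loads(bundle):
        raise RuntimeError("CA bundle secret is not a valid PEM chain")
    conn = ldaps_bind("ldap.corp.example.com", event["bind_dn"],
                      event["password"], write_ca_bundle(bundle))
    try:
        return {"bound": True, "who": conn.whoami_s()}
    finally:
        conn.unbind_s()
```

The point of checking `tls_policy` and `bundle_loads` before binding is that the most common LDAPS failure with a private CA is not a bad server certificate but a client that was given the wrong file (the server's leaf cert, or a DER export) and then silently fell back to not verifying at all; with `OPT_X_TLS_DEMAND` the bind fails loudly instead. When the issuing CA renews the server certificate, nothing in the function changes as long as the new certificate chains to the same root and issuing CA in the bundle.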
  • Thanks a lot for the detailed explanation @GK. However, I need more info.

    I have the 2nd scenario. In this case, I have two EC2 instances, one for the Enterprise CA and the other for the Offline Root CA. I am not sure which certificate to use, how many (Root, Intermediate and/or wildcard) and from which server.

    Also, I need the steps to get the .pem: from which certificate location (Certificate Manager / Certificate Authority / PKI View), how, and from which server? Can you please explain this?

    Also, it is not a Publicly Trusted Certificate (as per the Amazon documentation link, the steps lead to a Private CA only; so is the private one not good for Production use cases, as suggested by AWS?). Will it have to be issued / requested every time, with a new certificate issued in that case? If so, how can I package them dynamically to use in my Lambda?

    Are there alternatives like reading the certificate dynamically in the Lambda? If so, which certificate should be used, from which server and path?

    I am really sorry for asking these silly questions, as I don't have much knowledge about certificates and couldn't find much information on these. Please explain in detail.
