For your hybrid identity setup for EC2 instance administrative access, I can provide insights on your options:
- Using on-prem LDAP directly over Direct Connect is viable but introduces latency and a dependency on your network connection. If your Direct Connect fails, you might lose access to your EC2 instances.
- Extending your LDAP directory to AWS is a good approach to reduce latency and network dependencies. Beyond hosting a read-replica on EC2, you could consider AWS Managed Microsoft AD if your LDAP is AD-compatible. This would provide a fully managed directory service in AWS that could establish trust relationships with your on-premises directory.
- For integrating your OIM-populated LDAP with AWS Identity Center, you have a few options:
  - If your LDAP is based on Microsoft AD, you can connect AWS Identity Center to it using AWS Directory Service
  - If your LDAP supports SAML 2.0 and SCIM protocols, you could potentially connect it as an external identity provider to AWS Identity Center
- For AWS Systems Manager (SSM) integration with your LDAP, you could:
  - Configure your EC2 instances to authenticate against your LDAP directory
  - Use AWS Identity Center for SSM access, which would then leverage your identity source
Given that you already have Entra ID integrated with AWS Identity Center, you might want to consider whether you can consolidate your identity management approach. If your OIM-populated LDAP is syncing with or connected to your AD (which is then connected to Entra ID), you might be able to leverage that existing chain for EC2 access rather than creating a separate integration path.
The most resilient approach would likely be option 2 - extending your directory to AWS, either through a read-replica on EC2 or by establishing trust relationships with AWS Managed Microsoft AD if compatible with your environment.
Sources:
Use Case 5: Extend your on-premises Active Directory to the AWS Cloud - AWS Directory Service
AWS integrate with AD\AAD | AWS re:Post
Connect to a Microsoft AD directory - AWS IAM Identity Center
Workforce identity management - AWS Prescriptive Guidance
Manage an external identity provider - AWS IAM Identity Center
Hi Kavz,
This is a great hybrid identity use case — thanks for sharing the detailed context.
Since you're exploring access administration for EC2 instances via an OIM-populated LDAP setup, here are a few tailored thoughts for each option:
- Using on-prem LDAP directly (over Direct Connect): Yes, it can work, but be cautious — this introduces network dependency. If your Direct Connect link goes down, administrative access to your EC2 instances may break. This may be fine for dev/test, but it could pose reliability risks in production.
- Extending LDAP to AWS: Hosting a read-replica on EC2 is one route. Another option — if your LDAP is AD-compatible — is to use AWS Managed Microsoft AD and establish trust. This reduces latency and removes the single point of failure from your on-premises environment.
- Integration with AWS Identity Center: Direct integration with OIM-populated LDAP isn't natively supported, but if your LDAP syncs to AD (which then syncs to Entra ID), you already have an indirect path into Identity Center. Also worth exploring:
  - If your LDAP supports SAML 2.0 or SCIM, you could explore custom IdP integration.
  - AWS Identity Center works well with Entra ID, so consolidating access through it might be cleaner long-term.
- SSM + LDAP Access: You can configure EC2 instances (especially Linux) to authenticate via LDAP using tools like sssd and PAM. Combine that with SSM Session Manager and careful role control via AWS Identity Center — and you have secure, auditable admin access that still aligns with your enterprise directory structure.
Recommendation: If your goal is resilience + manageable latency, extending LDAP to AWS (via replica or trust with Managed AD) is likely the sweet spot — especially if your LDAP content flows through AD/Entra anyway.
Let me know if you want to deep-dive into the configuration steps for any of these paths — happy to help!
Thanks for the inputs TheQuietBuilder,
Integrating the LDAP with Identity Center and extending the LDAP by deploying it on EC2 are the two options I was considering and researching.
Hey Kavz — thanks for circling back, and I’m really glad the info was helpful!
Between the two options you’re looking into (extending LDAP on EC2 or integrating with Identity Center), both can work depending on how much control and resilience you’re looking for. If you do decide to spin up the LDAP replica on EC2, I’m happy to help you think through the setup details — or if you want to explore the Identity Center angle more, we can talk through how that might connect depending on what your LDAP supports.
Feel free to drop more details here if you’d like to explore next steps. Happy to help however I can!
Hey Kavz — thanks again for the update!
Since you're considering both paths — extending LDAP and integrating with Identity Center — here's a quick comparison and next-step suggestions, based on how much control and resilience you need:
Option A: LDAP Replica on EC2
Pros:
- Keeps full on-prem LDAP functionality
- Can authenticate Linux sssd/PAM users directly using LDAP over TLS
- Reduces latency and eliminates dependence on Direct Connect
Cons:
- You're responsible for EC2, backup, patching, and security
- Still requires careful IAM and network setup via SSM
Resources:
- Configure sssd.conf with LDAP ID mapping and TLS for secure authentication
Option B: AWS Managed Microsoft AD with Trust
Pros:
- Fully managed by AWS (no EC2 for AD infra)
- Supports two-way trust with on-prem AD — enabling seamless authentication
- Integrates natively with AWS Identity Center and EC2 domain-join
- Supports both Windows and Linux clients
Cons:
- Requires AD compatibility and trust configuration
- May involve schema considerations depending on OIM setup
Next-Step Suggestions: Decide your priority:
- Want full LDAP control? Go EC2 + sssd/PAM
- Prefer manageability and integration? Use Managed AD + AD trust
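Two of the answers above point at the same step for Option A: the EC2 instances authenticate through sssd/PAM against the LDAP replica, and the sssd.conf must use LDAP over TLS with certificate validation. The following is an added example, not code from the thread or from AWS: it parses an sssd.conf and flags the transport settings that would send bind credentials in the clear or accept any server certificate, with a constructed weak configuration beside a hardened one. The host names, search base and CA file path are placeholders; the option names (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert, ldap_tls_cacertdir, ldap_auth_disable_tls_never_use_in_production) are the real sssd-ldap options.

```python
"""Audit an sssd.conf LDAP domain for weak transport-security settings.

Added example (not from the re:Post thread). Host names, DNs and the CA
path below are constructed placeholders for a hypothetical 'corp' domain.
"""
import configparser
from urllib.parse import urlsplit

# Constructed "before": plain ldap:// without StartTLS, certificate not checked.
WEAK_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.corp.example.internal
ldap_search_base = dc=corp,dc=example,dc=internal
ldap_id_mapping = True
ldap_tls_reqcert = allow
"""

# Constructed "after": LDAPS to the in-AWS replica, CA pinned, cert demanded.
HARDENED_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap-replica.corp.example.internal
ldap_search_base = dc=corp,dc=example,dc=internal
ldap_id_mapping = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ldap-ca.pem
cache_credentials = True
"""

TRUE_VALUES = {"true", "yes", "1"}


def _is_true(value):
    """sssd boolean options accept true/yes/1 (case-insensitive)."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_sssd_conf(text):
    """Return a list of findings for every LDAP-backed [domain/...] section.

    An empty list means no transport weakness was found.
    """
    # sssd.conf is INI-style; '=' is the only delimiter and no interpolation.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        if dom.get("id_provider") != "ldap" and dom.get("auth_provider") != "ldap":
            continue  # only the LDAP provider is in scope for these checks

        # 1. Plain ldap:// is cleartext unless StartTLS is forced on.
        start_tls = _is_true(dom.get("ldap_id_use_start_tls"))
        for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()):
            if urlsplit(uri).scheme == "ldap" and not start_tls:
                findings.append(f"{section}: {uri} is plain LDAP and ldap_id_use_start_tls "
                                "is not set; bind passwords would cross the network in cleartext")

        # 2. Anything weaker than demand/hard lets a spoofed server harvest credentials.
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} does not reject "
                            "invalid or untrusted server certificates")

        # 3. Pin the directory CA rather than relying on whatever ldap.conf defaults to.
        if "ldap_tls_cacert" not in dom and "ldap_tls_cacertdir" not in dom:
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir; server "
                            "certificate trust depends on the system ldap.conf defaults")

        # 4. Explicit opt-out from TLS for authentication.
        if _is_true(dom.get("ldap_auth_disable_tls_never_use_in_production")):
            findings.append(f"{section}: ldap_auth_disable_tls_never_use_in_production is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_sssd_conf(WEAK_SSSD_CONF):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_sssd_conf(HARDENED_SSSD_CONF))
```

Run it against /etc/sssd/sssd.conf on the instance (the file is root-only, so read it with sudo) before enrolling the host into the replica; the hardened sample is the shape to aim for when the replica listens on 636 with a certificate issued by your own directory CA.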
Are all users that need EC2 access already in Entra ID, or only in the LDAP/OIM setup?
The users that need EC2 access are in the OIM-populated LDAP.