
New AWS Directory Service - jeffbarr
http://aws.amazon.com/blogs/aws/new-aws-directory-service/
======
riffraff
does this mean I can create LDAP-backed ssh login for my EC2 boxes without the
hassle of actually running OpenLDAP?

~~~
btucker
That was what I wanted to know, too. Ever since IAM launched, I've been
wanting to authenticate ssh against it. Sadly, the docs all seem to
specifically say EC2 instances running Windows.

~~~
bdunbar
I'm not able to spin up an instance to test with this week... but if my Linux
hosts -inside- my network can auth to my corporate AD (and they can!) I don't
know why an AWS EC2 instance would be different.

Add the software, configure, and presto?
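As an added illustration (not from the thread), this is roughly what "add the software, configure" looks like with SSSD on a Linux host that has already been joined to an AD domain with realmd/adcli. The domain, OU and group names are placeholders; the security-relevant part is that only members of one AD group may log in, rather than every account in the directory.

```ini
# /etc/sssd/sssd.conf (mode 0600, owned by root)
# Assumes the host was joined with `realm join corp.example.com`, which
# creates the machine account and /etc/krb5.keytab used to bind to AD.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM

# Map AD SIDs to POSIX uids/gids automatically; no schema extension needed.
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Allow cached logins if the directory is briefly unreachable.
cache_credentials = True

# Least privilege: only members of this group (placeholder DN) may log in.
ad_access_filter = (memberOf=cn=ec2-ssh,ou=Groups,dc=corp,dc=example,dc=com)

# /etc/ssh/sshd_config excerpt: a second gate at the SSH layer.
# AllowGroups ec2-ssh@corp.example.com
# UsePAM yes
```

With `access_provider = ad`, a directory account that is disabled or expired is also refused, which is the main operational win over a local passwd file on short-lived instances.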

------
craigmccaskill
Amazon is systematically adding service upon service to their offering. I'll
be interested to see where this ends up once they're all tightly integrated
and working together.

~~~
awjr
Well, when we looked at moving stuff to the 'cloud', Amazon offers so so much.
In effect Amazon can provide a vendor lock-in through the range of services
(and their quality) it provides. That is in no way a bad thing, but just shows
how other 'cloud' providers need to keep playing catch-up.

It's also an architecture consideration for the way we develop. Yes, you want
to use this Amazon feature, but if you do, moving to another provider becomes
harder (e.g. we're looking to use SQS, but know if we moved provider I'd need
to implement my own solution for that, probably RabbitMQ).

To rehash a classic phrase: "Nobody ever got fired for buying Amazon."

~~~
nnx
SQS works fine when used from other hosting providers (or even from client-
side JavaScript for that matter - with the right IAM token).

~~~
ochoseis
Anyone think a remote directory service would work well if a lot of your
infrastructure is hosted elsewhere? I wonder if latency would become an issue.

Also, how hard is it to set up/care/feed a basic directory service? I've toyed
with FreeIPA which was easy
([http://www.freeipa.org/page/Main_Page](http://www.freeipa.org/page/Main_Page),
based on 389 DS). I actually did not realize Samba now includes a directory
service and might check that out.

~~~
bdunbar
> Also, how hard is it to set up/care/feed a basic directory service?

Setting one up is pretty easy. The problem comes in when you find yourself
depending on it, and then it gets out of whack, or Just Grows and you've got
OUs and CNs all over the place.

At my last employer - a mid-sized manufacturer - we had several Tier II apps.
These must be in working order or production is shut down. The shop floor
application. Core ERP. Email. Above Tier II is Tier I, which is applications
that must exist or the company cannot operate.

There was only one Tier I application: Active Directory.

------
mijndert
This is really great news for AWS environments where compliance and user
account management are an issue.

~~~
uxp
This is precisely the struggle that I've been having to deal with lately.
Though, does anyone know if this works with OpenDirectory?

------
zackangelo
I didn't see any reference to it in the documentation, but I wonder if they'll
provide an HTTP API for authenticating against these directories (or providing
delegated auth services when connected to an on-premise AD instance).

------
topherTopher
It's looking to me like you add users either through their "Simple AD"
exporter, or you have to use "Active Directory Administration Tools"...
there's no way to add my users etc. directly into their directory?
[http://docs.aws.amazon.com/directoryservice/latest/adminguid...](http://docs.aws.amazon.com/directoryservice/latest/adminguide/directory_management.html)

------
dstaheli
Playing catch-up with Microsoft Azure's existing services. Nice to see the
competition. [http://azure.microsoft.com/en-us/services/active-directory/](http://azure.microsoft.com/en-us/services/active-directory/)

~~~
davis
I can't tell if you are joking about the fact that Microsoft had support for
their proprietary solution, Active Directory, in their cloud before Amazon...

~~~
stephenr
AD is certainly proprietary but it's also LDAPv3 compliant.

------
gortok
This article does not mention handling directory services between short lived
EC2 instances and SQL Server. Right now the guidance is to use SQL Server
Auth; but Windows Auth would be far better to use, especially in these
circumstances.

------
thspimpolds
The question I have is can I use this as a central auth system the other way.
AD is expensive as crap, but if this is self-healing and self-backup, then it's
a good idea for us. Frankly anything is better than Open Directory.

~~~
topherTopher
To me it looks like the directory is ONLY exposed within the VPC. So that
would mean you can't auth from servers that live in other clouds or on prem.

~~~
cthalupa
How about via VPN into the VPC?

------
PaulHoule
I'm amazed they haven't done this already.

------
toomuchtodo
What would be the rationale for choosing this over, say, Google Apps
authentication?

~~~
jcjames
Primarily to manage Windows accounts on Windows EC2 instances. Google Apps
authentication covers websites via OAuth and OpenID, but not local user
accounts on systems like Windows, Linux, and OS X.

------
jpeg_hero
Nice. Basically RDS but for Samba.

Box = cloud msft file sharing?

Now Amazon going after the directory?

------
swehner
Somewhere there is no progress. Stagnation.

~~~
bdunbar
Explain?

