TimWillemstein2 (Customer) asked a question.

Connecting to Google Cloud Platform's Secure LDAP Service

Has anyone ever had any success connecting to the Google Cloud Platform Secure LDAP service? If so, what type of LDAP connector/collector template should we use? Is it OpenLDAP? I see that for the connection we should either use a certificate for authentication or set up an stunnel (https://support.google.com/cloudidentity/answer/9089736?sjid=14410429453648258490-EU); has anyone had any success with those?


  • Staines_ian (RSA Security)

    I don't think these specific solutions are going to work. Our LDAP connectors do not support certificate-based client authentication methods. I am not sure what exactly stunnel is, but it seems simply to be an LDAP proxy. I don't have any specific experience with stunnel, but in general there are success stories with other types of LDAP proxy servers from other vendors and our generic LDAP connectors and collectors. It's possible there is a solution there, but it's speculative.

    Perhaps we need an answer to the broader question. How do you collect and manage Google Cloud identities?

    It looks like Google has a proprietary API. It says the API supports REST calls and JSON objects, but I am not sure that all methods are exposed in this manner. I would expect that a REST API is a more likely solution than LDAPS, but RSA does not formally document any interoperability with Google Cloud.
    • TimWillemstein2 (Customer)

      Thanks Ian.

      I was afraid this was the case indeed. Our case was a bit more specific than just managing Google Cloud identities, hence our preference to use an LDAP integration instead. We tried using a standard LDAP, but GCP has some weird limitations on networking when using those, hence the need for the Secure LDAP Service. Once I have more information I'll be sure to post it here for future reference.
  • Staines_ian (RSA Security)

    I would suspect any LDAP proxy server should work, including stunnel, to make the LDAP bind.
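
    The proxy pattern discussed above, as an added illustration that is not part of this thread or of any RSA or Google documentation: a client-side stunnel terminates the TLS session and presents the client certificate to the Secure LDAP endpoint, so a collector that has no client-certificate support can bind with plain LDAP to a loopback port. The endpoint name, port and certificate paths are assumptions to be checked against Google's Secure LDAP documentation.

    ```ini
    ; stunnel client configuration (assumed values; verify against Google's docs)
    ; Listen on loopback only so the unencrypted LDAP leg never leaves the host.
    [secure-ldap]
    client = yes
    accept = 127.0.0.1:1636
    connect = ldap.google.com:636
    ; Client certificate and key downloaded from the Secure LDAP app in Google Admin
    cert = /etc/stunnel/google-ldap-client.crt
    key = /etc/stunnel/google-ldap-client.key
    ; Verify the server's certificate chain and hostname to avoid a silent downgrade
    CAfile = /etc/ssl/certs/ca-certificates.crt
    verifyChain = yes
    checkHost = ldap.google.com
    ```

    The collector is then pointed at 127.0.0.1:1636 without TLS, and the stunnel key file should be readable only by the stunnel service account, since it is the credential that authorizes the whole connection.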

  • Staines_ian (RSA Security)

    You may also submit enhancement requests for authenticated SSL support for the Connectors and Collectors you want to use for the integration. There is no technical reason why all Connectors and Collectors cannot support client-certificate-authenticated SSL, but it is a feature that needs to be added specifically to each Collector and Connector, so it's not a small change. And there needs to be sufficient business justification to prioritize this ahead of other new features.