The LDAP Password Rotation Service provides an AWS Lambda function that integrates with AWS Secrets Manager: it sets the user's LDAP password to a new random value and stores that new password back in Secrets Manager.
The Lambda function expects a key/value (JSON) secret from Secrets Manager containing the username whose password should be rotated and the current password. The username must be the user principal name used to authenticate against LDAP.
You'll need Python (>=3.7) with pipenv, Node.js (>=16) with npm (>=8), and the AWS CLI installed.
Optional: Make.
- Make sure your default AWS credentials are configured for the environment where you want to deploy this project.
- Update the config file for the environment you want to deploy (located in the `config` folder), for example `config/serverless.dev.yml` for the development environment.
- Set up the project: `make setup`
- Deploy the project: run `make deploy stage=dev` to deploy with the `config/serverless.dev.yml` configuration.
- Create the AWS Secrets Manager secret:

  ```bash
  aws secretsmanager create-secret \
  --name MyTestSecret \
  --description "My test secret created with the CLI." \
  --secret-string "{\"username\":\"example@example.com\",\"password\":\"EXAMPL3-P4ssw0rd\"}"
  ```

- Configure the secret rotation:

  ```bash
  aws secretsmanager rotate-secret \
  --secret-id MyTestSecret \
  --rotation-lambda-arn arn:aws:lambda:eu-central-1:1234566789012:function:LdapPasswordRotation-dev-app \
  --rotation-rules "{\"ScheduleExpression\": \"rate(10 days)\"}"
  ```

- Check that the secret has a rotation Lambda configured: `aws secretsmanager describe-secret --secret-id MyTestSecret`
- Check that your secret password was rotated: `aws secretsmanager get-secret-value --secret-id MyTestSecret`
We have a Makefile with targets to:
- Set up the project: `make setup`
- Test: `make test` or `make test-log`
- Deploy: `make deploy stage=dev|qa|prod`
- Undeploy: `make undeploy stage=dev|qa|prod`

In case you don't have Make, you can still open our Makefile and run the commands manually.
- Run `make setup` to build and set up your local environment.
- Run `make test` to run the tests, or `make test-log` to run them and print the execution logs.
- Update the config file for the environment you want to deploy (located in the `config` folder), for example `config/serverless.dev.yml` for the development environment.
- Run `make deploy stage=dev|qa|prod` to deploy to the dev, qa or prod environment.
- The password isn't updating:
  - Go to AWS > Lambda > Functions > LdapPasswordRotation
  - Open Monitoring > "View CloudWatch logs"
  - Error message `check_inputs: Invalid character in`: check whether your current user or password contains any of the `EXCLUDE_CHARACTERS`, and update the `EXCLUDE_CHARACTERS` rules to your needs.
  - Error message `setSecret: Failed to update the password`: some AD systems limit how often you can rotate the password. For example, you might not be able to change it more than once a day.
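The two things the page relies on but does not show are the shape of the secret the Lambda receives (described at the top of this page) and the `check_inputs` validation behind the `check_inputs: Invalid character in` log line. The following is an added, illustrative Python example of that logic, not the project's Lambda code: the default `EXCLUDE_CHARACTERS` set, the 32-character length, the complexity classes and the function names other than `check_inputs` are assumptions made for the example.

```python
"""Illustrative helpers for an LDAP password rotation Lambda (example code,
not the project's implementation): parse the Secrets Manager payload, reject
excluded characters, and generate a replacement password."""
import json
import secrets
import string

# Assumed default for the example; the service exposes its own EXCLUDE_CHARACTERS setting.
# '@' must stay allowed because the username is a user principal name (user@domain).
EXCLUDE_CHARACTERS = "\"'\\/`"
PASSWORD_LENGTH = 32  # assumed length
# Assumed complexity classes; each must appear at least once in a generated password.
REQUIRED_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def parse_secret(secret_string):
    """Parse the key/value JSON SecretString and require non-empty username and password."""
    data = json.loads(secret_string)
    for key in ("username", "password"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"secret is missing the '{key}' field")
    return data


def check_inputs(username, password, exclude=EXCLUDE_CHARACTERS):
    """Return a list of problems; an empty list means the inputs are acceptable.

    The username must be a user principal name because that is what the LDAP
    bind uses, and neither field may contain an excluded character. The latter
    is the condition that produces the 'check_inputs: Invalid character in' log line.
    """
    problems = []
    local, sep, domain = username.partition("@")
    if not (sep and local and domain):
        problems.append("check_inputs: username is not a user principal name (user@domain)")
    for name, value in (("username", username), ("password", password)):
        bad = sorted({c for c in value if c in exclude})
        if bad:
            problems.append(f"check_inputs: Invalid character in {name}: {bad!r}")
    return problems


def generate_password(length=PASSWORD_LENGTH, exclude=EXCLUDE_CHARACTERS):
    """Generate a password with the CSPRNG-backed `secrets` module.

    Excluded characters are removed from the alphabet before drawing, so the
    new password can never trip check_inputs on the next rotation, and the draw
    is repeated until every required class is present (AD complexity rules).
    """
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length too short to cover the required character classes")
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in exclude]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in REQUIRED_CLASSES):
            return candidate


def rotate_payload(secret_string):
    """Build the new SecretString: same username, fresh password.

    Raises ValueError when the current secret would fail check_inputs, mirroring
    the point at which the Lambda logs the error instead of changing anything.
    """
    data = parse_secret(secret_string)
    problems = check_inputs(data["username"], data["password"])
    if problems:
        raise ValueError("; ".join(problems))
    updated = dict(data)
    updated["password"] = generate_password()
    return json.dumps(updated)


if __name__ == "__main__":
    # Constructed sample matching the create-secret command on this page.
    sample = '{"username":"example@example.com","password":"EXAMPL3-P4ssw0rd"}'
    print(rotate_payload(sample))
```

Running the module prints a new payload with the same username and a fresh password. When a rotation fails with the `check_inputs` error, running `check_inputs` on the current secret's values with your configured exclusion set shows exactly which field and which characters are the problem.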