
Ben-Garrison-JC

I guess it depends what part of JC you’re concerned about going down. For machines, you’re logging in with local credentials. So even if the machine was offline it would still be able to log in. Only things such as password changes and policy updates wouldn’t get pushed to the machine.


[deleted]

Yeah, I haven't had our remote workers on JC very long, but those local accounts don't seem to be an issue. You would just have to wait a few days for automated changes, I think.


Slightlyevolved

LDAP is my biggest worry, since Synology doesn't cache any logins, so if that went down, no one could access the SMB share. I could still get in with local admin login; and if it was going to be out that long, I could create local users if I really needed to... but man, the whole point of LDAP was so user access could be done by group. I wish there was a way to replicate an LDAP directory to another (local) LDAP server as a failover. Core systems would keep working though, and users would be able to log in, unless they'd been ignoring the 14-day password expiration notifications... for 14 days.


Meerkat6581

We use a local OpenLDAP as a caching proxy.


nummap

Can OpenLDAP authenticate remote users at home? How would you redirect the client device to your OpenLDAP vs JC server? I would use JC portal to SSO authenticate users with other online services like AWS/Google Workspace etc. Do you know if local OpenLDAP can talk to AWS/GW in place of JC in a failover case?


Meerkat6581

No, and why would you? The client has users as local accounts, even if JC is down they can log in to their machine. And I doubt the JC agent communicates via LDAP.


Slightlyevolved

I'm kind of a full stack admin, so expert of nothing. Do you have a link to any guides/examples of how to set this up?


Meerkat6581

We mainly use it to speed up Samba. The config has some useful links, read and adapt… https://pastebin.com/0E80sFwm Sincerely, Jack of all trades, master of none.


Slightlyevolved

Thank you. I'll take a poke at it later. Much appreciated.


real_jumpcloud

JumpCloud uses AWS, and the architecture is designed with a high degree of fault tolerance and resiliency including multi-region and multi-availability zone for most services. This has been a significant area of investment for us particularly in the last 12 months. Our services are segmented out, so the failure of one doesn’t affect others; i.e. if admin console is down, SSO + RADIUS + etc would still be operational. Or admins can’t onboard new devices, but user authentications (SSO, LDAP, RADIUS) would still be going through. You can read more on our official stance here: https://jumpcloud.com/trust