Stop wrestling with X.500 syntax, certificate chains, and persistent connections. Universal Directory Sync converts Active Directory, Entra ID, and Google Directory into structured JSON—piped directly into Amazon S3, SQS, or Webhooks. Zero code required.
```shell
ldapsearch -H ldaps://dc.corp.local:636 \
  -D "CN=svc_sync,OU=Service,DC=corp,DC=local" \
  -w "$LDAP_BIND_PASS" \
  -b "OU=Employees,DC=corp,DC=local" \
  "(objectClass=user)" \
  sAMAccountName mail department
# Error: SSL: CERTIFICATE_VERIFY_FAILED
# Retry with -ZZ flag... failed again.
# (-ZZ requests StartTLS on a plain ldap:// connection; it cannot fix a CA that nothing trusts)
# Lambda cold start killed the connection.
# Who rotates that bind password again?
# (and -w leaves it visible in the process list; -y passfile would not)
```
```json
{
  "users": [
    {
      "id": "jsmith",
      "email": "[email protected]",
      "department": "Engineering",
      "groups": ["vpn-access", "github-org"],
      "active": true,
      "synced_at": "2026-03-26T08:00:00Z"
    }
  ],
  "meta": {
    "total": 4821,
    "source": "corp.local",
    "sink": "s3://identity-data/users.json"
  }
}
```
LDAP was designed for a different era—before Lambda, before serverless, before stateless everything. Developers spend more time fighting the protocol than building their product.
Plain LDAP on port 389 works; LDAPS on 636 breaks, because the domain controller's certificate was issued by your internal AD certificate authority, which nothing outside the domain trusts. Hours of debugging, every time, on every new machine.
Serverless is stateless by design. LDAP is stateful by design: a bind opens a session the server expects to stay open. Cold starts kill TCP sessions. The two models are fundamentally mismatched.
Hand-rolled integrations end up with the LDAP bind password in shell history, environment dumps, and debug logs on local workstations. One breach away from a major incident, and most developers don't know it's happening.
Auth0's B2B Essentials caps you at 3 enterprise connections for $1,725/month. You don't need a full IAM suite. You need a reliable data feed.
```javascript
const ldap = require('ldapjs');

exports.handler = async (event) => {
  const client = ldap.createClient({
    url: 'ldaps://dc.corp.local:636'
  });
  // ❌ Does this connection persist across invocations?
  // ❌ Cold start kills the TCP session?
  // ❌ 5s Lambda timeout exceeded?
  // ❌ Who rotates the bind password?
  // This approach does not scale.
};
```
```javascript
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

exports.handler = async (event) => {
  const data = await s3.getObject({
    Bucket: 'your-identity-bucket',
    Key: 'users/latest.json'
  }).promise();
  const users = JSON.parse(data.Body.toString('utf8'));
  // ✓ Stateless. Instant. No LDAP needed.
  // ✓ Data refreshed on your schedule.
  // ✓ No directory credentials in application code: the function's IAM role grants s3:GetObject.
  return users;
};
```
Universal Directory Sync handles every layer of LDAP complexity so you never have to. Configure once, consume forever.
Point Universal Directory Sync at your LDAP server, Entra ID (Azure AD), or Google Cloud Directory. Upload your Root CA certificate directly in the UI—no backend access required. We handle the LDAPS handshake, paged results (RFC 2696), and referral chasing automatically.
Supports: Active Directory · Entra ID · OpenLDAP · Google Directory

Before a single byte hits your infrastructure, use Simulation Mode to see the exact JSON output your sync will produce. Verify attribute mappings, filter logic, and record counts. A safety switch halts any sync that would affect more than 10% of your records, protecting against accidental mass-deletion.

Dry-run preview · Safety threshold · No data committed until you confirm

Route identity data where your stack needs it: Amazon S3 for durable snapshots, Amazon SQS for reliable event-driven provisioning, or Webhooks for real-time pushes to tools like Retool or Appsmith. Multiple sinks from a single connection are supported.

S3 · SQS · Webhooks · EventBridge (coming soon)

Monthly for development and POCs, daily for production SMBs, or on-demand real-time via SQS for automated provisioning workflows. Upgrade your frequency at any time without reconnecting.

Monthly · Daily · On-Demand (SQS/SNS event-driven)

Your Lambda functions, HR dashboards, provisioning scripts, and AI/RAG pipelines all read clean, versioned JSON from S3. No LDAP SDK. No persistent connections. No credential management in application code. Just structured data where you need it.

Lambda · ECS · Retool · Appsmith · Any REST consumer

Universal Directory Sync writes to the AWS services your stack already uses. No new SDKs, no new services to manage.
Durable, versioned JSON snapshots of your entire directory. Use S3 Event Notifications to trigger Lambda functions, feed search indexes, or build compliance audit trails.
Decoupled, reliable change events for every user add, update, or deprovision. If a downstream API is unavailable, messages stay queued and are redelivered. Attach a dead-letter queue through a redrive policy and have your consumer report per-message failures, so that a message which keeps failing is parked for inspection instead of silently expiring at the end of the queue's retention period.
Real-time HTTP POST to any endpoint whenever a specified group or user changes. Perfect for Retool, Appsmith, n8n, or custom REST APIs outside of AWS.
Universal Directory Sync operates within your existing AWS account. Data flows from your directory, through our SOC 2 audited processing layer, and lands directly in the S3 bucket or SQS queue you own. Your data never passes through a third-party data warehouse. Supports AWS PrivateLink for zero-public-internet LDAP traffic on Enterprise plans.
A flat per-connection fee that scales with your infrastructure—not your user count. Cancel anytime. Upgrade instantly.
IAM suites capture login events. Universal Directory Sync gives you the data. That's a fundamentally different product for a fundamentally different need.
| Product | Model | JSON / S3 Output | Zero-Code | Entry Price | Best For |
|---|---|---|---|---|---|
| Universal Directory Sync | Per-Connection SaaS | Native S3 / SQS | Yes | $0 Free Tier | Identity data pipeline for devs |
| Auth0 (Okta) | Per-User (High TCO) | No native output | Reconcile Lambda required | $1,725/mo (B2B) | Full CIAM, large enterprise |
| WorkOS | Per-Connection (SCIM) | No S3/SQS output | Yes (SCIM-focused) | $125/mo | B2B SaaS enterprise logins |
| AWS AD Connector | AWS Native Gateway | No JSON export | EC2 domain-join only | AWS pricing | EC2 / WorkSpaces domain |
| n8n / Okta Workflows | iPaaS (build yourself) | Manual pipeline build | Write all sync logic yourself | $20–$50/mo | Custom workflow orchestration |
| CData Sync | Annual License | ETL to S3 | Complex setup required | $7,999/yr | Data warehouse ETL |
You're post-Series A and just landed a Fortune 500 prospect. They require SCIM-based directory sync before signing. Auth0 wants $1,725/month and three months of legal review. You need to ship in two weeks.
You maintain an HR dashboard, license management scripts, and an automated onboarding workflow. You need a reliable, secure data feed from Active Directory—not a full IAM suite with a procurement cycle.
Pre-populate DynamoDB or S3 with directory data. Your Lambda identity providers run lookups in milliseconds—no persistent LDAP connection required. Dramatically reduce authentication latency on API Gateway and Transfer Family.
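As an added example (not Universal Directory Sync's own code), here is what such a Lambda identity provider can look like as an API Gateway Lambda authorizer that answers from the S3 snapshot instead of opening an LDAP connection. The `loadSnapshot` function, the `SNAPSHOT_TTL_MS` value, the `github-org` gate and the mTLS principal extraction are assumptions; the snapshot itself follows the JSON shape shown earlier on this page.

```javascript
// Added example, not Universal Directory Sync's own code. Assumptions: the snapshot uses the
// JSON shape shown on this page, the caller is identified by an mTLS client certificate that
// API Gateway has already verified, and loadSnapshot() returns the parsed snapshot (in a real
// function it wraps s3.getObject on the bucket and key the sync writes to).
const SNAPSHOT_TTL_MS = 5 * 60 * 1000; // how long a cached snapshot may be reused (assumption)

// Constructed sample snapshot, not real directory data.
const sampleSnapshot = {
  users: [
    { id: 'jsmith', department: 'Engineering', groups: ['vpn-access', 'github-org'], active: true },
    { id: 'adoe', department: 'Sales', groups: ['vpn-access', 'github-org'], active: false },
    { id: 'bkim', department: 'Finance', groups: ['vpn-access'], active: true },
  ],
};

// Build a lookup keyed by lower-cased id; sAMAccountName-style ids are case-insensitive.
function indexSnapshot(snapshot) {
  const byId = new Map();
  for (const user of snapshot.users) byId.set(String(user.id).toLowerCase(), user);
  return byId;
}

// The snapshot only authorizes; it holds no credentials. The principal here is the CN of a
// client certificate that API Gateway validated before invoking the authorizer (REST API mTLS).
function principalFromClientCert(event) {
  const dn = (event && event.requestContext && event.requestContext.identity &&
    event.requestContext.identity.clientCert && event.requestContext.identity.clientCert.subjectDN) || '';
  const m = /(?:^|,)\s*CN=([^,]+)/i.exec(dn);
  return m ? m[1].trim() : null;
}

// Unknown principal, disabled account, or missing group => Deny. Everything else => Allow.
function decide(index, username, requiredGroup) {
  const user = index.get(String(username || '').toLowerCase());
  if (!user) return { effect: 'Deny', reason: 'unknown principal' };
  if (user.active !== true) return { effect: 'Deny', reason: 'account disabled' };
  if (requiredGroup && !(user.groups || []).includes(requiredGroup)) {
    return { effect: 'Deny', reason: `not a member of ${requiredGroup}` };
  }
  return { effect: 'Allow', reason: 'ok', user };
}

// Standard API Gateway authorizer response.
function buildPolicy(principalId, effect, resource, context = {}) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
    context,
  };
}

// The parsed snapshot is cached in module scope and reused across warm invocations until the
// TTL expires, so a deprovisioned user is denied within (sync interval + SNAPSHOT_TTL_MS).
function makeAuthorizer(loadSnapshot, requiredGroup, options = {}) {
  const now = options.now || Date.now;
  const principalOf = options.principalOf || principalFromClientCert;
  let cache = { index: null, loadedAt: -Infinity };
  return async function authorizer(event) {
    if (now() - cache.loadedAt > SNAPSHOT_TTL_MS) {
      try {
        cache = { index: indexSnapshot(await loadSnapshot()), loadedAt: now() };
      } catch (err) {
        // Fail closed when nothing is cached; otherwise keep serving the last good snapshot.
        if (!cache.index) throw new Error('Unauthorized');
      }
    }
    const username = principalOf(event);
    const decision = decide(cache.index, username, requiredGroup);
    const context = { reason: decision.reason };
    if (decision.effect === 'Allow') context.department = decision.user.department;
    return buildPolicy(username || 'anonymous', decision.effect, event.methodArn, context);
  };
}
```

The function never authenticates anyone: the snapshot holds no credentials, so the caller's identity has to come from something API Gateway has already verified. The module-scope cache is what makes the lookup fast, and it is also the revocation-latency budget: a user disabled in AD is still accepted until both the next sync and the cache TTL have passed, so size `SNAPSHOT_TTL_MS` with that in mind.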
SQS events fire the moment a user joins an AD group. Your Lambda provisions (or deprovisions) a SaaS seat automatically. If a downstream API is down, the message stays queued and is redelivered; with a dead-letter queue configured, nothing is lost even when a message fails repeatedly.
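The consumer side of that flow, as an added example that is not part of this page or the product: a Lambda function for the SQS sink that grants or revokes a seat per change event, skips duplicate deliveries, and reports individual failures so the rest of the batch is not retried. The message body shape, the `SEAT_GROUP` gate and the `provisioner` interface are assumptions (the page does not document the SQS payload); the SQS sink section above and this use case describe the same mechanism.

```javascript
// Added example, not Universal Directory Sync's own code. The message body shape, the
// provisioner interface and the entitling group are assumptions; the page does not
// document the SQS payload. Body shape assumed here:
//   { "eventId": "...", "type": "user.added" | "user.updated" | "user.deleted",
//     "user": { "id": "...", "active": true, "groups": ["..."] } }
const SEAT_GROUP = 'github-org'; // AD group that entitles a user to a SaaS seat (assumption)

// Validate the payload before acting on it; anything else is a poison message.
function parseChange(body) {
  const change = JSON.parse(body);
  if (typeof change.eventId !== 'string' || typeof change.type !== 'string' ||
      !change.user || typeof change.user.id !== 'string') {
    throw new Error('malformed change event');
  }
  return change;
}

// Desired end state for one event: deleted or not entitled => revoke, otherwise grant.
function desiredAction(change) {
  if (change.type === 'user.deleted') return 'revoke';
  const { active, groups } = change.user;
  const entitled = active === true && Array.isArray(groups) && groups.includes(SEAT_GROUP);
  return entitled ? 'grant' : 'revoke';
}

// provisioner: { grantSeat(userId), revokeSeat(userId) }, async calls to the SaaS admin API.
// processed: eventIds already applied. SQS is at-least-once, so the same event can arrive
// twice; in production back this with a DynamoDB conditional put keyed on eventId so the
// check survives across invocations and concurrent consumers.
function makeHandler(provisioner, processed = new Set()) {
  return async function handler(event) {
    const batchItemFailures = [];
    for (const record of event.Records) {
      try {
        const change = parseChange(record.body);
        if (processed.has(change.eventId)) continue; // duplicate delivery, already applied
        if (desiredAction(change) === 'grant') await provisioner.grantSeat(change.user.id);
        else await provisioner.revokeSeat(change.user.id);
        processed.add(change.eventId);
      } catch (err) {
        // Report only this message. SQS redelivers it and, after maxReceiveCount attempts,
        // moves it to the dead-letter queue; the rest of the batch is deleted as processed.
        batchItemFailures.push({ itemIdentifier: record.messageId });
      }
    }
    return { batchItemFailures };
  };
}

// Constructed sample batch shaped like an SQS Lambda event (not real directory data).
function sqsRecord(messageId, body) {
  return { messageId, receiptHandle: `rh-${messageId}`, eventSource: 'aws:sqs', body };
}
const sampleEvent = {
  Records: [
    sqsRecord('m1', JSON.stringify({ eventId: 'e1', type: 'user.added',
      user: { id: 'jsmith', active: true, groups: ['vpn-access', 'github-org'] } })),
    sqsRecord('m2', JSON.stringify({ eventId: 'e2', type: 'user.updated',
      user: { id: 'adoe', active: false, groups: ['github-org'] } })),
    sqsRecord('m3', JSON.stringify({ eventId: 'e3', type: 'user.deleted',
      user: { id: 'bkim', active: true, groups: [] } })),
    sqsRecord('m4', '{not json'), // poison message
    sqsRecord('m5', JSON.stringify({ eventId: 'e1', type: 'user.added',
      user: { id: 'jsmith', active: true, groups: ['github-org'] } })), // duplicate of m1
  ],
};

// In-memory stand-in for the SaaS admin API; revoking bkim fails to exercise partial failure.
function fakeProvisioner() {
  const seats = new Set();
  const calls = [];
  return {
    seats,
    calls,
    async grantSeat(id) { calls.push(['grant', id]); seats.add(id); },
    async revokeSeat(id) {
      calls.push(['revoke', id]);
      if (id === 'bkim') throw new Error('SaaS admin API returned 503');
      seats.delete(id);
    },
  };
}
```

For `batchItemFailures` to have any effect, the event source mapping must be created with `FunctionResponseTypes` set to `ReportBatchItemFailures`; without it, one failing message makes Lambda return the whole batch to the queue and every seat in it is re-provisioned on retry (harmless above only because the idempotency set catches the duplicates). Pair the queue with a dead-letter queue through a redrive policy so that messages like `m4` end up somewhere inspectable rather than expiring.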
Pipe Active Directory data into S3, then visualize in Retool, Appsmith, or Grafana. Build headcount reports, department-level license dashboards, and org-chart tools without ever touching LDAP directly.
Use versioned S3 snapshots as a retrieval source for RAG systems and LLM-powered internal tools. Query "who manages the data engineering team?" against your org's actual directory data. Keep the retrieval index under the same access control as the directory itself: whoever can prompt the assistant can see whatever the index holds.
Close enterprise deals faster by proving SCIM-compatible directory sync from day one. Give your B2B SaaS the directory integration story enterprise IT demands—without a six-figure IAM suite invoice.
Versioned S3 objects create a historical record of every directory state. Demonstrate who had access to what, when, which is essential for SOC 2, ISO 27001, and HIPAA audits, without querying a live AD. Versioning alone does not make that record immutable: anyone with s3:DeleteObjectVersion can remove old states, so enable S3 Object Lock on the bucket if the audit trail must be tamper-evident.
Identity data is your most sensitive organizational asset. Every control you'd expect from a platform with 20+ years in enterprise environments.
LDAP bind credentials are never stored in plain text. All service account DNs and passwords are encrypted via AWS Secrets Manager and can be rotated without any code changes.
Your sync account is configured with read-only access to the specific Organizational Units you define. No write permissions, no admin access, no broad directory visibility by default. Note that the base DN you configure limits what the sync reads, not what the service account is permitted to read: in Active Directory any authenticated account can read most of the directory unless its ACLs are restricted, so scope the account on the directory side as well.
All data in transit is encrypted with TLS, negotiating TLS 1.3 where the directory supports it (older domain controllers offer TLS 1.2 at most). Data at rest in S3 uses AES-256 server-side encryption; put a customer-managed KMS key on the bucket if you need key-level access logging and the ability to revoke access. Upload your own Root CA certificate for LDAPS on port 636 directly in the UI.
Every sync event is logged: records added, updated, deleted, and any failures. Continuous health checks detect when LDAP is pingable but unresponsive—before your end users notice.
Deploy within your private VPC on Enterprise plans. LDAP traffic never touches the public internet. Fits zero-trust architectures and regulated industries, including organizations subject to HIPAA.
Preview every sync before it commits. An automatic safety switch halts any operation that would change or delete more than 10% of your records—preventing catastrophic misconfiguration from day one.
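The Simulation Mode preview, the safety switch above, and the per-record change events described in the SQS sink section all come down to one reconciliation step: diff the previous snapshot against the new one, count what would change, and refuse to commit past the threshold. The following is an added example of that logic in JavaScript, not the product's own implementation; the event type names, the `planSync` function and the decision to count added, updated and deleted records alike as "affected" are assumptions.

```javascript
// Added example, not Universal Directory Sync's own code. It reconciles two snapshots in the
// JSON shape shown on this page and applies the 10% threshold described above; the event
// type names and the rule that added, updated and deleted records all count as "affected"
// are assumptions.
const MAX_AFFECTED_FRACTION = 0.10;

// Constructed sample data (not real directory data): 20 users in the previous snapshot.
function makeUser(n, overrides = {}) {
  return {
    id: `user${n}`,
    email: `user${n}@corp.local`,
    department: n % 2 === 0 ? 'Engineering' : 'Sales',
    groups: ['vpn-access'],
    active: true,
    ...overrides,
  };
}
const previousSnapshot = { users: Array.from({ length: 20 }, (_, i) => makeUser(i + 1)) };

// Canonical form of one record: sorted keys, sorted group list, sync metadata ignored,
// so that attribute order or group order alone never counts as a change.
function userFingerprint(user) {
  const { synced_at: _ignored, ...attrs } = user;
  const canonical = {};
  for (const key of Object.keys(attrs).sort()) {
    const value = attrs[key];
    canonical[key] = Array.isArray(value) ? [...value].sort() : value;
  }
  return JSON.stringify(canonical);
}

function diffSnapshots(prev, curr) {
  const before = new Map(prev.users.map((u) => [u.id, u]));
  const after = new Map(curr.users.map((u) => [u.id, u]));
  const added = [];
  const updated = [];
  const deleted = [];
  for (const [id, user] of after) {
    if (!before.has(id)) added.push(user);
    else if (userFingerprint(before.get(id)) !== userFingerprint(user)) updated.push(user);
  }
  for (const [id, user] of before) {
    if (!after.has(id)) deleted.push(user);
  }
  return { added, updated, deleted };
}

// Safety switch: refuse to commit when more than maxFraction of the records that existed
// before would be touched. A first sync (no previous records) has nothing to protect.
function checkSafetyThreshold(diff, previousTotal, maxFraction = MAX_AFFECTED_FRACTION) {
  const affected = diff.added.length + diff.updated.length + diff.deleted.length;
  if (previousTotal === 0) return { allowed: true, affected, fraction: 0 };
  const fraction = affected / previousTotal;
  return { allowed: fraction <= maxFraction, affected, fraction };
}

// One change event per affected record, in the order adds, updates, deletes.
function toChangeEvents(diff, syncedAt) {
  const event = (type, user) => ({ type, id: user.id, user, synced_at: syncedAt });
  return [
    ...diff.added.map((u) => event('user.added', u)),
    ...diff.updated.map((u) => event('user.updated', u)),
    ...diff.deleted.map((u) => event('user.deleted', u)),
  ];
}

// Plan a sync: the events to publish, or a halt with the reason for the operator.
function planSync(prev, curr, syncedAt) {
  const diff = diffSnapshots(prev, curr);
  const check = checkSafetyThreshold(diff, prev.users.length);
  if (!check.allowed) {
    const pct = (check.fraction * 100).toFixed(1);
    const limit = Math.round(MAX_AFFECTED_FRACTION * 100);
    return {
      halted: true,
      reason: `${check.affected} of ${prev.users.length} records affected (${pct}% > ${limit}%)`,
      events: [],
    };
  }
  return { halted: false, reason: null, events: toChangeEvents(diff, syncedAt) };
}

// Scenario 1: one user changes department and one leaves: 2 of 20 = 10%, still allowed.
const routineChange = {
  users: previousSnapshot.users
    .filter((u) => u.id !== 'user20')
    .map((u) => (u.id === 'user1' ? { ...u, department: 'Platform' } : u)),
};
// Scenario 2: a mistyped base DN returns only half the directory: 10 of 20 deleted, halted.
const truncatedDirectory = { users: previousSnapshot.users.slice(0, 10) };
```

Two details matter in practice. The threshold is measured against the previous record count, so a brand-new connection with zero previous records is never blocked, and the comparison ignores attribute order, group order and the `synced_at` stamp; without that, every sync would look like a 100% update and trip the switch.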
Export your Root CA certificate as a .pem or .crt file and upload it directly. A "Relaxed TLS" mode is also available for development environments using self-signed certificates. Relaxed TLS accepts a server certificate that cannot be verified against a trusted CA, which leaves the connection (and the bind password sent over it) open to interception, so never enable it against a production directory; upload the real CA instead.

Free tier supports up to 250 records. No credit card required. No persistent LDAP connections. No protocol nightmares.