CASE 141 · NIMBUS · 2024
A 14-year-old LDAP server, gracefully retired.
A university network ran a 14-year-old OpenLDAP server as the authentication backbone for 30+ internal applications. It worked. It was also a single point of failure with no maintainer. We migrated identity to Cognito and let LDAP retire with dignity.
University network
MIGRATION
2024
RESULTS
What changed, by the numbers.
SPOF ELIMINATED: YES
APPS MIGRATED: 32
USERS: 12,400
MAINTAINER: AWS
HOW IT WENT
The institutional knowledge about the LDAP server had concentrated in one person who had retired. The server itself was running well, but every change request was a careful exercise in archaeology. Nobody wanted to be the person who took it down.
We migrated app by app — Cognito User Pools held the consolidated identity store, with federated providers connecting to Okta where the university had Okta tenancy. The custom-built apps (mostly internal tools) got OIDC integrations, replacing the LDAP-bind authentication.
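What an internal tool has to check once it stops doing an LDAP bind and starts accepting a Cognito ID token instead, as an added example that is not code from the engagement. It assumes the token's RS256 signature has already been verified against the pool's JWKS by a JWT library; the region, pool id, app client id and sample claims are constructed placeholders.

```python
import time
from typing import Optional

# Constructed placeholders; real values come from the User Pool configuration.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
CLOCK_SKEW_SECONDS = 60


class TokenRejected(Exception):
    """Raised when the ID token must not be treated as a successful login."""


def validate_cognito_id_token_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Check the claims of a signature-verified Cognito ID token and return
    the principal the app acts as (the data it used to read from LDAP)."""
    now = time.time() if now is None else now
    # Access tokens are signed by the same pool; only an ID token proves a login.
    if claims.get("token_use") != "id":
        raise TokenRejected("token_use must be 'id'")
    # Any pool in any account issues well-formed JWTs; pin the issuer.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")
    # A token minted for another app client in the same pool is not ours.
    if claims.get("aud") != APP_CLIENT_ID:
        raise TokenRejected("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW_SECONDS < now:
        raise TokenRejected("token expired")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat - CLOCK_SKEW_SECONDS > now:
        raise TokenRejected("token issued in the future")
    # Replace the LDAP attribute / group-DN lookups with the pool's claims.
    return {
        "username": claims.get("cognito:username") or claims["sub"],
        "subject": claims["sub"],
        "groups": list(claims.get("cognito:groups", [])),
        "email_verified": claims.get("email_verified") is True,
    }


def accepts(claims: dict, now: Optional[float] = None) -> bool:
    """True when the token would be accepted as a login, False otherwise."""
    try:
        validate_cognito_id_token_claims(claims, now)
        return True
    except (TokenRejected, KeyError):
        return False


# Constructed sample of a decoded ID token from the pool above.
SAMPLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "cognito:username": "jdoe",
    "cognito:groups": ["staff", "tool-admins"],
    "email_verified": True,
    "token_use": "id",
    "iss": EXPECTED_ISSUER,
    "aud": APP_CLIENT_ID,
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}
```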
Twelve weeks from kickoff to last app migrated. LDAP was shut down with a documented rollback path that we never had to use. The retired engineer was invited back to see it off — they laughed and asked what we’d do for an encore.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.