Lightweight Directory Access Protocol (LDAP) is a mainstay authentication protocol for IT professionals today. Created in 1993 by Tim Howes, Steve Kille, and Wengyik Yeong at the University of Michigan, and standardized by the Internet Engineering Task Force, LDAP distributes directory information over a network, which lets a directory act as an identity provider (IdP).
As such, LDAP is crucial in modern networking: it shares information about users, devices, networks, and apps across an organization and grants access to that variety of IT resources. Let's dive into some of the best practices IT admins can employ to protect user security in LDAP.
LDAP in Practice
When employees need to access an LDAP database, or an IT resource that uses an LDAP service for authentication, they input their username and password and wait for the service to grant access. Their login information is matched against the identities stored in the LDAP database, and access is granted on a match. LDAP solutions can be hosted on-site or in the cloud. Cloud-based LDAP requires no on-site servers and scales as a business grows.
One of the most popular commercial legacy LDAP instances (or, more generally, directory services) in use today is Microsoft® Active Directory®. Many organizations rely on Active Directory to manage user information and authenticate resource access, but Active Directory is just one example of a directory service that can use the LDAP protocol (note that AD's primary, preferred authentication protocol is Kerberos).
There are other directory services, many of them open source, such as Red Hat Directory Service, OpenLDAP™, Apache Directory Server, and more, and they all work with the LDAP protocol.
Protecting User Security in LDAP
Any modern hacker knows that the "keys to the kingdom" are the credentials stored in directory services like OpenLDAP, and therefore it's essential to keep them secure. Once a hacker has access to one of the organization's user accounts, it's a race against the clock to prevent them from reaching critical organization data. LDAP enables access to vital infrastructure in organizations, so securing it before a breach happens is a crucial strategy. Here are some best practices for protecting user security in LDAP.
Setting Password Policies
When securing an LDAP system, a proper password policy is the place to begin. Because LDAP is an authentication system, it must be configured to require strong passwords from all users, not just those with administrative rights.
A secure LDAP system will require users to create passwords that cannot be easily guessed. NIST's current guidance is that this means a long password, with as many characters as possible. Most LDAP systems can be configured to enforce conditions on the passwords used within the system.
There is debate among IT experts on whether requiring users to change passwords every few months enhances security or worsens it. Some experts believe that requiring users to change passwords every three months requires them to use less complicated passwords because they continually have to remember something new.
Others argue that having a complex password that someone cannot easily guess is enough, and that there is no gain in changing it often. Regardless of what your organization's security protocols call for, it's important to use the most secure passwords possible to prevent them from being compromised. We'd generally suggest the longer the better.
Learn more about NIST 800-63 password guidelines.
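To make the password-policy discussion concrete, here is an added example (not code from the original post or from any directory product) of the kind of check an identity service can run before accepting a new password. It follows the NIST 800-63 direction the post cites: a minimum length, a generous maximum so long passphrases are allowed, a comparison against a list of known-breached passwords, and a rejection of passwords that contain the username or are just a repeated or sequential run of characters. The minimum of 12 characters and the tiny breached-password list are constructed for illustration.

```python
# Added example: a NIST 800-63B-style password acceptance check.
# Thresholds and the breached-password list are constructed for this
# illustration; a real deployment would use a large breach corpus.

MIN_LENGTH = 12          # assumption: organization's chosen minimum
MAX_LENGTH = 128         # NIST asks that at least 64 characters be allowed

# Constructed stand-in for a breached-password corpus (lowercased).
BREACHED_PASSWORDS = {
    "password", "password1", "123456789012", "qwertyuiopas",
    "letmein12345", "welcome12345",
}

REASON_TOO_SHORT = "too short"
REASON_TOO_LONG = "too long"
REASON_BREACHED = "appears in breached-password list"
REASON_CONTAINS_USERNAME = "contains the username"
REASON_MONOTONE = "repeated or sequential characters"


def _is_monotone_run(s: str) -> bool:
    """True for strings like 'aaaaaaaaaaaa' or 'abcdefghijkl'."""
    if len(set(s)) == 1:
        return True
    return all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(candidate: str, username: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(REASON_TOO_SHORT)
    if len(candidate) > MAX_LENGTH:
        reasons.append(REASON_TOO_LONG)
    lowered = candidate.lower()
    if lowered in BREACHED_PASSWORDS:
        reasons.append(REASON_BREACHED)
    if username and username.lower() in lowered:
        reasons.append(REASON_CONTAINS_USERNAME)
    if _is_monotone_run(candidate):
        reasons.append(REASON_MONOTONE)
    return reasons


if __name__ == "__main__":
    for pw in ("password", "alice-rocks-2024!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "alice") or "accepted")
```

Note what the check deliberately does not do: it imposes no composition rules (mandatory digits or symbols) and no rotation schedule, both of which NIST 800-63B advises against because they push users toward weaker, more predictable choices.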
Securing Password Storage
While IT departments must ensure they have a strong password policy, they must also implement sound controls on the server side regarding how passwords are stored. It's highly recommended to store passwords as cryptographic hashes, and to salt those hashes so they remain difficult to crack even if someone gains access to the database. Passwords should never be stored in plaintext. Passwords must also be protected by SSL or TLS while in transit. This is true of the best cloud-based LDAP solutions on the market.
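As an added example (not code from the original post or from OpenLDAP itself), the following shows what "hashed and salted" looks like in an LDAP directory: the `{SSHA}` userPassword scheme that OpenLDAP and other directories understand, which stores base64 of the SHA-1 digest of password-plus-salt followed by the salt. The code generates such a value with a fresh random salt and verifies a login attempt against it; the sample password is constructed. Because SSHA is a fast hash, a slow memory-hard scheme such as Argon2 is preferable where the directory supports it, but the salting and one-way-verification pattern shown here is the same.

```python
# Added example: RFC 2307-style {SSHA} storage and verification, as used
# for the userPassword attribute in OpenLDAP-compatible directories.
import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a '{SSHA}...' value suitable for a userPassword attribute.

    A random 8-byte salt is drawn when none is supplied, so hashing the
    same password twice yields different stored values.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a presented password against a stored '{SSHA}' value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= SHA1_DIGEST_LEN:
        return False            # no salt present: malformed value
    digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("example-passphrase-42")   # constructed sample
    print("userPassword:", stored)
    print("correct password verifies:", ssha_verify("example-passphrase-42", stored))
    print("wrong password verifies:  ", ssha_verify("wrong", stored))
```

The directory never needs the plaintext after enrollment: a bind attempt is checked by recomputing the hash with the stored salt, which is why a stolen database yields only salted digests rather than reusable credentials.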
Guarding Against LDAP Phishing and Spoofing
LDAP spoofing is similar to website spoofing, in which hackers attempt to redirect connections from legitimate resources to destinations they control. LDAP spoofing involves delivering information that appears to come from an organization's directory, either by returning modified data or by directing the user to another location and asking them to log in again.
A simple way to carry out this attack is by tricking the user into installing a rogue browser extension or configuration profile, after which the redirection is trivial. If successful, hackers can obtain LDAP login information and access enterprise databases to reach private data. Organizations must implement strong malware controls, as well as continual user education, to counter LDAP phishing attempts.
Cloud-Based LDAP Solutions
By using a cloud-based LDAP solution, IT admins can manage and secure their end users' LDAP access from anywhere. Cloud LDAP relies on preconfigured, hosted LDAP servers, meaning less setup and maintenance work for IT staff.
The 探花大神™ Directory Platform is a cloud-based LDAP for modern IT organizations. With 探花大神, you'll be able to securely and centrally manage access to virtually any resource that can authenticate through LDAP (apps, VPNs, on-premises infrastructure, network attached storage, and more), all delivered as a service, with no on-prem infrastructure needed. All data is encrypted in transit via LDAPS and StartTLS. Passwords stored in 探花大神 are one-way hashed and salted for security. There's no need to install, configure, or manage your own LDAP infrastructure with 探花大神.
Try Cloud LDAP Free
You can use 探花大神's LDAP and the rest of its directory platform absolutely free for 10 users and 10 systems.