How to secure users in LDAP directory service?
2022-08-10 21:33:00 【nington01】
The Lightweight Directory Access Protocol (LDAP) is one of today's mainstream protocols for directory lookup and authentication. It was created in 1993 by Tim Howes of the University of Michigan together with Steve Kille and Wengyik Yeong, and has since been standardized by the Internet Engineering Task Force (IETF). LDAP distributes directory information over the network, and the directory behind it typically serves as the organization's identity source (identity provider, IdP).
LDAP matters in modern networks because the directory holds the enterprise's information about users, devices, networks and applications, and because authentication against it is what gates access to IT resources. The rest of this article looks at best practices for securing the user accounts in an LDAP directory service.
I. LDAP implementations
When an employee needs to access an LDAP directory, or an IT resource that authenticates against one, they typically enter a username and password, and the client sends them to the directory server in an LDAP bind request. The server locates the user's entry, compares the supplied password with the stored credential (normally a hash, see section II), and grants access only if they match. Because a simple bind carries the password itself, the connection must be protected by TLS (LDAPS on port 636 or StartTLS on port 389), otherwise the credential crosses the network in the clear.
The most widely deployed commercial directory service that speaks LDAP is Microsoft's Active Directory (AD). Many enterprises use AD to manage user information and authenticate user access; AD's preferred authentication protocol is Kerberos, while LDAP is used for directory queries and by applications that authenticate with an LDAP bind. Many other directory services support LDAP, including the open source Red Hat Directory Server, OpenLDAP and Apache Directory Server (ApacheDS), as well as NDS (Nington Directory Service).
There is also a newer form of LDAP service: cloud-hosted LDAP, also called Directory as a Service (DaaS).
II. User security in LDAP
The credentials stored in directory services such as AD and OpenLDAP are the keys to the enterprise's systems and data. This is an open secret, so the security of the directory itself needs no argument. Once an attacker has compromised a single user account, the enterprise is racing the attacker to keep them away from critical data. To stop stolen directory credentials from turning into access, the defenses have to be in place beforehand, starting with the account security of the LDAP directory service. The following are best practices for securing LDAP users:
1. Set Password Policy
A sound password policy is the first step in securing LDAP. Since the directory is the authentication source, it must be configured to require strong passwords from all accounts, including administrators.
A secure LDAP service should require passwords that are long and hard to guess, that is, long passphrases drawn from a large character set. Most directory services can enforce such rules server-side: OpenLDAP through the ppolicy overlay (attributes such as pwdMinLength, pwdMaxFailure and pwdLockout), and AD through the Default Domain Policy or Fine-Grained Password Policies.
Some companies also require users to rotate their passwords every few months. This frustrates employees, and frequent forced changes push users toward predictable variants of their previous password so they can remember it.
Whatever the company's security standard, a strong password remains essential for preventing credential compromise, and the longer the password the better. (How to avoid the friction of frequent password changes is addressed under MFA below.)
2. Protect password storage
Once a password policy has been set, IT must also control how the server stores passwords. Passwords must never be stored in plain text. Store only a salted hash of each password (hashing, not encryption, is the right primitive here, because the server never needs the original value back): the hash stops an attacker who dumps the database from reading passwords directly, and the per-user salt stops them from cracking many accounts with one precomputed table. In OpenLDAP the olcPasswordHash setting selects the scheme; {SSHA} (salted SHA-1) is the long-standing default and newer builds offer {ARGON2} via the argon2 module. Note that the server only hashes passwords that arrive through the Password Modify extended operation; a client that writes a plain-text value straight into userPassword stores it as-is unless the ppolicy overlay is configured to hash clear-text values. In transit, any LDAP traffic carrying a password must be tunneled over TLS (LDAPS or StartTLS); SSL is obsolete and should be disabled.
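The following is an added example, not code from the original article or from any directory product, showing how a salted hash is stored in an OpenLDAP userPassword attribute, how a bind would verify it, and how to audit a slapcat-style LDIF export for entries that still hold plain-text or unsalted values. The {SSHA} format is "{SSHA}" followed by base64(sha1(password + salt) + salt), which is what OpenLDAP produces; the sample LDIF entries (alice, bob, svc-backup) are constructed here for the demonstration.

```python
# Added example: salted password hashing as stored in OpenLDAP, plus an audit
# of userPassword values in an LDIF export. Not code from the article.
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: "{SSHA}" + b64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Verify a password against a stored {SSHA} value using a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify(value: str) -> str:
    """Classify a userPassword value by its RFC 2307 scheme prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    if not m:
        return "plaintext"        # no scheme prefix: the directory stores the literal string
    scheme = m.group(1).upper()
    if scheme == "CLEARTEXT":
        return "plaintext"
    if scheme in ("MD5", "SHA"):
        return "unsalted"         # hashed but unsalted: one rainbow table cracks every account
    if scheme in ("SMD5", "SSHA"):
        return "salted-fast"      # salted, but a fast hash; acceptable only as legacy
    return "other:" + scheme      # CRYPT, ARGON2, PBKDF2 variants: inspect by hand


def audit_userpassword(ldif_text: str) -> Dict[str, str]:
    """Map each entry's dn to the storage class of its userPassword attribute."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # join LDIF continuation lines
    report: Dict[str, str] = {}
    dn = None
    for line in unfolded.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.startswith("userPassword:: "):   # base64-encoded attribute value
            decoded = base64.b64decode(line[len("userPassword:: "):].strip())
            report[dn] = classify(decoded.decode("utf-8", "replace"))
        elif dn and line.startswith("userPassword: "):
            report[dn] = classify(line[len("userPassword: "):].strip())
    return report


# Constructed sample export: one properly salted entry, one plain-text entry
# (base64-encoded, as slapcat emits values with unsafe characters), one unsalted.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword: " + ssha_hash("alice-pass", b"12345678"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword:: " + base64.b64encode(b"bobs-plain-password").decode("ascii"),
    "",
    "dn: uid=svc-backup,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword: {SHA}" + base64.b64encode(hashlib.sha1(b"backup").digest()).decode("ascii"),
])


if __name__ == "__main__":
    for entry_dn, status in audit_userpassword(SAMPLE_LDIF).items():
        print(f"{status:12s} {entry_dn}")
```

Running the audit against a real `slapcat` export tells you which accounts must be forced through a password reset (their old value can only be rehashed once the user supplies the plain text again). The verify function is what the directory does internally on a bind; application code should never reimplement it against a copy of the hashes.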
3. Protecting Against LDAP Phishing and Spoofing
What is loosely called LDAP spoofing is credential phishing aimed at directory accounts, and it is generally carried out in two ways. The first resembles URL phishing: a counterfeit copy of a real login page tricks users into entering their real AD domain account and password. The second induces users to install a malicious browser plug-in that redirects them to a fake login page, again capturing their AD credentials. Either way the attacker ends up with working directory credentials and can use them to reach sensitive corporate data.
Defending against this kind of attack requires strong malware controls and sustained security training for users. Another effective measure is multi-factor authentication (MFA). Users spend only a few extra seconds entering a one-time password (TOTP) as a second credential, and even if the AD or LDAP password leaks, the attacker does not hold that second factor, so the stolen password alone is useless. This blocks a large share of credential-theft attacks. (A TOTP code can still be relayed by a phishing site in real time, which is why the training and malware controls above remain necessary.)
MFA for the LDAP service has a further advantage: the enterprise no longer needs to force regular password changes, because the one-time password already provides sufficient protection for the account, which removes the employee friction that mandatory rotation causes. To ease users into MFA, administrators can configure a grace period during which the second factor is optional, then enforce it once employees have been trained and notified. Trusted-device duration or count can also be configured so that repeated prompts do not interrupt users or slow down their work.
III. Cloud-based LDAP directory solutions
The cloud LDAP service mentioned above reflects the broader shift to cloud computing. A cloud-based LDAP solution lets enterprises provision and enable LDAP services quickly, with little up-front investment and minimal IT staff effort. Because the service is pre-configured, day-to-day operation and maintenance stay lightweight, and capacity can be scaled as the business grows.
The LDAP user security best practices described in the previous section can all be met by an LDAP cloud service.
NingDS Identity Directory Cloud is an LDAP cloud service that provides unified security management of IT resources such as applications, local devices, VPNs and NAS through LDAP authentication, and can be used out of the box without any local deployment. All data is protected by TLS (SSL) encryption in transit, and LDAP passwords stored in the NingDS service are kept in encrypted form rather than plain text, protecting the credentials at rest.
NingDS also has built-in cloud MFA. The LDAP and MFA services are natively integrated, so MFA can be applied to LDAP authentication scenarios seamlessly and without additional integration work.