How to secure users in LDAP directory service?

The Lightweight Directory Access Protocol (LDAP) is one of the current mainstream authentication protocols. It was created by Tim Howes, Steve Kille and Wengyik Yeong of the University of Michigan in 1993 and has been approved by the Internet Engineering Task Force (IETF).Standardization, the distribution of directory information over the network, plays the role of an identity source (IdP).

The importance of LDAP in modern networks is that the protocol participates in sharing all information about users, devices, networks, and applications in an enterprise, and is responsible for controlling access authorization to IT resources.Now let's take a closer look at best practices for securing LDAP directory service users.

I. Implementation of LDAP

When employees need to access an LDAP database or use an IT resource that requires LDAP authentication, they typically enter a username and password and wait for authorization from the directory server.After the server receives the user's login information, it matches the credentials stored in the LDAP database and grants access after matching.

One of the most commonly used traditional commercial LDAP implementations (also known as directory services) today is Microsoft's Active Directory (AD).Many enterprises use AD to manage user information and authenticate user access, and the preferred authentication protocol for AD is Kerberos.In addition, there are many directory services that support the LDAP protocol, including the open source Red Hat Directory Service, OpenLDAP, Apache Directory Server, NDS (Nington Directory Service, Ningdun Directory Service) and so on.

There is also a new form of LDAP service, cloud LDAP (Directory as a Service, DaaS).

Second,User Security in LDAP

The credentials stored in directory services such as AD and OpenLDAP are the keys to enter the enterprise database. This is already an open secret, so the data security of directory services is self-evident.Once a hacker has compromised one of the user accounts, businesses need to race against time to prevent the hacker from accessing critical data.In order to prevent it from using the credentials in LDAP to obtain access rights, it is necessary to take precautions and first strengthen the account security of the LDAP directory service.The following are best practices for securing LDAP users:

1. Set Password Policy

A correct password policy is the first step in securing LDAP.Since LDAP is an authentication system, it must be well configured to require strong passwords from all users, including administrators.

A secure LDAP service should require users to set passwords that are complex and difficult to crack, that is, long passwords that contain as many characters as possible.Most LDAP services can set password conditions used within the system.

Some companies also require users to rotate their passwords every few months, which can cause confusion for employees, and frequent password changes cause users to only set similar passwords for ease of memory.

However, no matter what the company's security specifications are, using a strong password is still very important in preventing password leakage, so it is recommended that the longer the password, the better.(More on how to avoid dissatisfaction with frequent password changes.)

2. Protect password storage

Once an appropriate password policy has been determined, IT must also implement controls on the server to manage password storage.It is strongly recommended to use a hash encryption algorithm to protect the stored passwords, and then use a salted hash algorithm to further increase the difficulty of cracking the database.It is important to note that passwords must never be stored in a plain text environment.Also in transit, the password must be tunneled over SSL or TLS.

3. Protecting Against LDAP Phishing and Spoofing

LDAP spoofing attacks are generally implemented in two ways: the first is similar to phishing URL links, which induce users to enter real AD domain account numbers and passwords by counterfeiting real URLs; the other is to induce users to install malicious browser plug-ins, and then redirects to a fake address, also tricking the user into obtaining AD login information.This allows hackers to steal sensitive corporate data.

Avoiding this type of LDAP spoofing attack requires strong malware control tools and long-term security training for users.Another efficient method is to use multi-factor authentication (MFA). Users only need to spend a few more seconds to enter a one-time dynamic password (TOTP) as an auxiliary credential. Even if the AD account or LDAP account information is leaked, hackers cannot obtain the auxiliary credential.It doesn't help either, which would prevent a lot of potential attacks.

In addition, the MFA solution of the LDAP service has another advantage, that is, enterprises do not need to require users to change passwords regularly. Dynamic passwords are a sufficiently secure means of protecting LDAP accounts, which avoids employee dissatisfaction caused by the security specification of regularly changing passwords..To get users accustomed to multi-factor authentication, administrators can set a dynamic password delay period to force employees to enable multi-factor authentication after users are trained and informed.At the same time, you can also set the duration/number of trusted terminals so as not to interfere with users or affect work efficiency.

Three, cloud-based LDAP directory scheme

The appearance of the cloud LDAP service mentioned above is a reflection of the cloud computing trend.The cloud-based LDAP solution enables enterprises to quickly provision and enable LDAP services with less up-front investment and very little IT staff investment.In addition, the pre-configured mode of the LDAP cloud service realizes lightweight operation and maintenance, and can be flexibly expanded according to business growth needs.

For the LDAP user security best practices mentioned in the previous section, the LDAP cloud service solution can meet the requirements.

NingDS Identity Directory Cloud is an LDAP cloud service that implements unified security management of various IT resources such as applications, local devices, VPNs, NAS, etc. through LDAP authentication. It can be used out of the box without local deployment.All data supports SSL encryption during transmission, and the LDAP password stored in the NingDS service is also encrypted, effectively ensuring the security of credentials.

In addition, NingDS also has built-in cloud MFA capabilities, LDAP services and MFA services are naturally integrated, and MFA can be applied to LDAP authentication scenarios without any barriers and seamlessly.