Set Password Complexity for LDAP

Written by Zach DeMeyer on June 10, 2019

Share This Article

Do you need to set password complexity for LDAP resources? Chances are, your organization is concerned with the threat of identity breach, so upping user password complexity requirements makes a great deal of sense. Although it’s certainly possible to configure password complexity settings with LDAP, it’s not as straightforward as one might think.

Password Complexity in LDAP Implementations

Historically, the two most popular implementations of LDAP have been OpenLDAP™, the open-source hub for LDAP, and Microsoft® Active Directory®, the Windows®-centric commercial directory service. When it comes to setting password complexity between the two, the approach is varied.


For OpenLDAP, password complexity is set at the user account level. As you can imagine, as an open source protocol and open source server implementation, there are a wide range of configurable password complexity options. IT admins can generally use commands in OpenLDAP to adjust how complex their organization’s passwords are. The most popular repository of commands was the draft-behera-ldap-password-policy until it became defunct upon its expiry in 2010.

Although OpenLDAP is capable of high configurability, with greater flexibility often comes greater configuration and management. This is true of the notoriously technical OpenLDAP in general, and their password complexity features are no different.

Active Directory

Active Directory (AD) is not technically a dedicated LDAP instance like OpenLDAP, but the directory service itself can leverage the protocol, allowing users to authenticate to LDAP resources using their AD identities. Password complexity in AD is usually managed in one of two ways.

The first method is via the Windows Default Password Policy. This inherent feature in Windows offerings uses fairly industry-standard conventions for password complexity. The two core requirements are that the password cannot match the username and the password must include three different character types, including upper and lower case letters, numbers, special characters, etc. This policy is applied to users through a Group Policy Object (GPO).

The second method is through a Fine Grained Password Policy (FGPP). An FGPP is a configurable requirement that is acted directly on the user or object. As such, admins can adjust the password complexity on a more granular level as their organization demands. This feature has been available since Windows Server 2008, and has since been updated in newer versions.

The Rub

While both OpenLDAP and Active Directory feature configurable password requirements, many IT admins are still feeling unsatisfied. After all, both solutions are designed to be used on-prem (on top of the fact that both solutions are difficult to implement without the proper technical know-how).

With a majority of organizations looking to move their IT infrastructure to the cloud, the idea of using on-prem identity management solutions is somewhat unappealing. In an ideal world, IT admins could leverage a tool that allows them to set password complexity for LDAP, as well as their other IT resources, from the cloud.

Enter: LDAP-as-a-Service

Thankfully, there is a next-generation directory services solution that can do just that. Using a globally-hosted network of OpenLDAP servers, this LDAP-as-a-Service gives admins the functionality of OpenLDAP with none of the hassle of actually setting up and managing it. This cloud directory featuring LDAP-as-a-Service uses a browser-based admin console, which features easily configured password complexity settings.

The next-gen cloud directory service doesn’t stop at LDAP-as-a-Service, however. It is a full-fledged directory service, capable of managing users and their access to systems, email, networks, applications, and more from a single pane of glass. This includes GPO-like Policies for cross-platform system and user management, single sign-on (SSO) through SAML, network authentication via RADIUS, and more.

That means, by setting password complexity for LDAP, you’re setting it for almost all resources your end users leverage; a user in this cloud directory service only needs one secure identity for everything. In essence, it is a complete reimagination of AD and LDAP, available worry-free from the cloud.

Try LDAP-as-a-Service Free

This cloud directory service is called JumpCloud® Directory-as-a-Service®. Using JumpCloud, IT organizations can join the over 75,000 fellow organizations that have shifted their identity management to the cloud.

You can use Directory-as-a-Service completely free for the first ten users in your organization. Just sign up for JumpCloud today; it’s risk free, requires no credit card, and guarantees you ten users for free in the platform, forever.

If you would like to learn more about using JumpCloud to set password complexity for all of your IT resources, or just about the product as a whole, please contact us. We’d be happy to help start you on your JumpCloud journey.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter