Protecting User Security in LDAP

Written by Brandon White on November 5, 2020

Share This Article

Lightweight Directory Access Protocol (LDAP) is a mainstay authentication protocol for IT professionals today. Created in 1993 by Tim Howes, Steve Kille, and Wengyik Yeong at the University of Michigan, and standardized by the Internet Engineering Task Force, LDAP distributes directory information over a network, i.e. as an identity provider (IdP).

As such, LDAP is crucial in modern networking, for sharing information about users, devices, networks, and apps across an organization, and for granting access to that variety of IT resources. Let’s dive into some of the best practices IT admins can employ to protect user security in LDAP.

LDAP in Practice

When employees need to access an LDAP database or an IT resource that uses an LDAP service for authentication, they input their username and password and wait for the service to grant access. Their login information is matched to the identities stored in the LDAP database and access is granted. LDAP solutions can be stored on-site or in the cloud. Cloud-based LDAP requires no onsite servers and is scalable as a business grows. 

One of the most popular commercial legacy LDAP instances (or more generally a directory service) in use today is Microsoft® Active Directory®. Many organizations rely on Active Directory to manage user information and authenticate resource access, but Active Directory is just one example of a directory service that can use the LDAP protocol (note that AD’s primary, preferred authentication protocol is Kerberos).

There are other directory services — many open source, such as Red Hat Directory Service, OpenLDAP™, Apache Directory Server, and more — and they all work with the LDAP protocol.

Protecting User Security in LDAP

Any modern hacker knows that the “keys to the kingdom” are the credentials stored in directory services like OpenLDAP, and therefore it’s essential to keep them secure. Once a hacker has access to one of the organization’s user accounts, it’s a race against the clock to prevent them from accessing critical organization data. LDAP enables access to vital infrastructure in organizations, so securing it before a breach happens is a crucial strategy. Here are some best practices for protecting user security in LDAP.

Setting Password Policies

When securing an LDAP system, a proper password policy is a crucial way to begin. Because LDAP is an authentication system, it must be configured to require strong passwords from all users, not just those with administrative rights.

A secure LDAP system will require users to create passwords that cannot be easily guessed. Generally today, NIST believes that means a long password with as many characters as possible. Most LDAP systems can be configured with conditions on the passwords used within the system.

There is debate among IT experts on whether requiring users to change passwords every few months enhances security or worsens it. Some experts believe that requiring users to change passwords every three months requires them to use less complicated passwords because they continually have to remember something new.

Others argue that having a complex password that someone cannot easily guess is enough, and there is no gain by changing it often. Regardless of what your organization’s security protocols call for, it’s important to use the most secure passwords possible to prevent them from being compromised. We’d generally suggest the longer the better.

Learn more about NIST 800-63 password guidelines.

Securing Password Storage

While IT departments must ensure they have a strong password policy, they must also implement healthy controls on the server end regarding how passwords are stored. It’s highly recommended to use cryptographic hashes to secure stored passwords, and to salt the hashes to make them difficult to crack, even if someone gains access to the database. Passwords should never be stored in a plaintext environment. Passwords must also be tunneled by SSL or TLS while in transit. This is true with the best cloud-based LDAP solutions on the market.

Guarding Against LDAP Phishing and Spoofing

LDAP spoofing is similar to website spoofing, in which hackers attempt to redirect connections from legitimate resources to destinations they control. LDAP spoofing involves delivering information appearing to come from an organization’s database by returning modified data or directing the user to another location and asking them to log in again.

A simple way to implement this attack is by tricking the user into installing a rogue browser extension or configuration profile, and then the redirections are trivial to implement. If implemented, hackers can obtain LDAP login information and access enterprise databases to gain private data. Organizations must implement strong malware controls, as well as continual user education, to avoid LDAP phishing attempts.

Cloud-Based LDAP Solutions

By using a cloud-based LDAP solution, IT admins can manage and secure their end users’ LDAP access from anywhere. Cloud LDAP relies on preconfigured, hosted LDAP servers, meaning less setup or maintenance work for IT staff. 

The JumpCloud™ Directory Platform is a cloud-based LDAP for modern IT organizations. With JumpCloud, you’ll be able to securely and centrally manage access to virtually any resource that can authenticate through LDAP — apps, VPNs, on-premises infrastructure, network attached storage, and more — all delivered as-a-Service, with no on-prem infrastructure needed. All data is encrypted in transit via LDAPS and Start TLS. Passwords stored in JumpCloud are one-way hashed and salted for security. There’s no need to install, configure, or manage your LDAP infrastructure with JumpCloud.

Try Cloud LDAP Free

You can use JumpCloud’s LDAP and the rest of its directory platform absolutely free for 10 users and 10 systems. Get started today!

Brandon White

Brandon is an enthusiast, solutionist, and JumpCloud’s Technical Evangelist, active in journalism and IT in cities across the US for over 25 years. Pick his brain on Slack in the JumpCloud Lounge:

Continue Learning with our Newsletter