Set Up and Manage a Secure LDAP Infrastructure

Written by Zach DeMeyer on November 6, 2020


Lightweight Directory Access Protocol (LDAP) is a crucial aspect of many organizations: it provides a standard authentication protocol that a range of IT resources such as applications, servers, storage infrastructure, and networking equipment can leverage to control access. Even an IT manager who isn’t familiar with LDAP is probably relying on it, because the protocol is present in nearly every directory service.

Directory services, such as Microsoft’s Active Directory®, store usernames and passwords and then allow employees to use that information to connect with various company resources and applications.

LDAP is one of the authentication protocols powering this process. In short, it’s a way to ensure the right users can access the right IT services without needing a unique login for each application. When LDAP was created it was a game-changing innovation that led to central management of IT networks, which in the early 1990s was challenging.

LDAP is a standard part of the identity and access management (IAM) tooling that IT organizations implement. Still, it can lead to significant security challenges if it’s not set up securely and in a way that will scale as the organization grows. It’s difficult to fix a poorly implemented LDAP solution after it’s deployed, so the proper security controls must be in place from the start.

When setting up your LDAP server, it’s essential to follow a few best practices to ensure security, reliability, and scalability.

How To Set Up and Manage Secure LDAP

The lowest level of permissions

Because an LDAP solution is so critical to an organization, granting high-level access to as few users as possible is an essential first step of the implementation. The higher the access for a given user, the more damage that can occur if their account is breached. It’s better to start every user at a low level of permissions and raise it only as needed.

For the administrators of an LDAP solution, the account they use daily should not carry high administrative access. Administrative logins should be reserved for the occasions that actually require them. Proper controls should ensure that only the employees who understand how the LDAP solution functions are allowed to access the server with administrative privileges.

Avoid plain text passwords

If an employee’s credentials are compromised, one of the first things a hacker will look for is additional login information to gain access to even more of the company infrastructure. If passwords are stored in plain text in your LDAP solution, the entire company directory could be compromised.

A properly secured LDAP solution stores passwords only as cryptographic hashes, and salts those hashes so that they are difficult to crack. These controls add a second layer of defense: one compromised user no longer leads to the entire company being compromised.
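As an added example (not code from the original article), the following Python audit walks a userPassword export and reports which entries are stored as salted hashes, as unsalted hashes, or in the clear. It assumes RFC 2307 style scheme prefixes as OpenLDAP emits them, unfolded LDIF lines, and a constructed sample export whose DNs and passwords are made up.

```python
import base64
import hashlib
import os
import re

# RFC 2307 style scheme prefixes as OpenLDAP emits them, grouped by whether the hash is salted.
SALTED = {"SSHA", "SSHA256", "SSHA512", "CRYPT", "PBKDF2-SHA256", "PBKDF2-SHA512", "ARGON2"}
UNSALTED = {"SHA", "SHA256", "SHA512", "MD5"}

def make_ssha(password: str, salt: bytes = b"") -> str:
    """{SSHA} value: base64(sha1(password + salt) + salt), with a random per-entry salt."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def classify(value: str) -> str:
    """Label one userPassword value as salted, unsalted, cleartext or unknown."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    scheme = m.group(1).upper() if m else "CLEARTEXT"   # no prefix: stored exactly as typed
    if scheme in SALTED:
        return "salted"
    if scheme in UNSALTED:
        return "unsalted"
    return "cleartext" if scheme == "CLEARTEXT" else "unknown"

def audit_ldif(ldif: str) -> dict:
    """Map each DN in an (unfolded) LDIF export to its userPassword classification.
    Accepts 'userPassword: value' and the base64 form 'userPassword:: ...' that ldapsearch emits."""
    findings, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: ") and dn:
            findings[dn] = classify(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: ") and dn:
            findings[dn] = classify(line[14:])
    return findings

# Constructed LDIF export (not real directory data) covering salted, cleartext and unsalted entries.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(make_ssha("correct horse", b"fixedsalt").encode()).decode(),
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: hunter2",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {SHA}" + base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode(),
])
```

Anything reported as cleartext or unsalted is a candidate for a forced password reset under a salted scheme, since an existing unsalted hash cannot be re-salted without the original password.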

LDAP security behind a firewall

Before deploying a new LDAP solution, a network firewall should be implemented to protect remote access to the server. You’ll want to ensure that it only allows access over LDAPS (LDAP over SSL/TLS) or LDAP with STARTTLS. You’ll also want to use firewall rules to restrict traffic to approved IP addresses belonging to approved company applications, and open only the ports and protocols necessary for proper company operations.

These ports and protocols should be audited on a regular basis to confirm that every opening is still needed. The guiding mindset is to keep the server as locked down as possible.
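As an added example, not from the original article, this Python check audits an exported inbound rule set against the points above: LDAPS or StartTLS only, approved source addresses, and no unnecessary ports. The rule tuple format, the approved subnets and the sample rules are constructed assumptions rather than a real firewall export.

```python
import ipaddress

LDAP_PORT, LDAPS_PORT = 389, 636   # StartTLS upgrades a 389 session; LDAPS is TLS from the first byte

def audit_rules(rules, approved_sources):
    """Return (rule, problem) pairs for allow rules that reach the directory host.

    rules: (source_cidr, destination_port, action) tuples in evaluation order.
    approved_sources: CIDRs of the company applications allowed to bind to LDAP."""
    approved = [ipaddress.ip_network(n) for n in approved_sources]
    problems = []
    for rule in rules:
        src, port, action = rule
        if action != "allow":
            continue
        net = ipaddress.ip_network(src)
        if port not in (LDAP_PORT, LDAPS_PORT):
            problems.append((rule, f"port {port} is not an LDAP port; remove it unless operations require it"))
        elif port == LDAP_PORT:
            # 389 is only acceptable when the server refuses binds without StartTLS
            # (e.g. OpenLDAP olcSecurity: tls=1); otherwise credentials cross the wire in the clear.
            problems.append((rule, "plain LDAP port 389: confirm the server enforces StartTLS or move to LDAPS"))
        if net.prefixlen == 0:
            problems.append((rule, "open to any source; restrict to approved application addresses"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in approved):
            problems.append((rule, "source is not in the approved allowlist"))
    return problems

# Constructed allowlist and rule export (not a real firewall): the subnets hosting the apps that bind.
APPROVED_SOURCES = ["10.20.0.0/24", "10.30.5.0/24"]
RULES = [
    ("10.20.0.0/24", 636, "allow"),    # LDAPS from an approved app subnet: no finding
    ("0.0.0.0/0", 389, "allow"),       # plain LDAP from anywhere: two findings
    ("192.168.1.0/24", 636, "allow"),  # LDAPS, but the subnet is not on the allowlist
    ("10.30.5.0/24", 3389, "allow"),   # unrelated port reaching the directory host
    ("0.0.0.0/0", 389, "deny"),        # deny rules are never findings
]

if __name__ == "__main__":
    for rule, problem in audit_rules(RULES, APPROVED_SOURCES):
        print(f"{rule[0]:>16} -> {rule[1]:<5} {problem}")
```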

Apply regular security updates

Regardless of the type of LDAP solution implemented, it’s crucial to develop policies around security updates. While proper testing is required to make sure updates do not break access to company resources, security patches must be applied as soon as possible.

Once a vulnerability becomes known to hackers, they will be scanning for servers that have yet to receive the proper patches in order to gain unauthorized access.

Leverage a scalable solution

When designing an LDAP solution, scalability must be considered. If your organization frequently has users traveling or remotely working, a cloud-based LDAP solution is an option that provides the functionality of LDAP with none of the setup or maintenance. With JumpCloud®’s cloud-based LDAP solution, IT organizations can access on-premises, legacy, and other cloud apps without setting up and securing their own LDAP solution. 

With a cloud-based LDAP solution, a company gets access to a global network of LDAP servers, so authentication does not have to route back to the corporate office. This leads to lower latency and higher availability of company resources. Data is encrypted in transit via LDAPS and StartTLS, and passwords are one-way hashed and salted, ensuring robust security.

As an organization adds or removes employees, onboarding is handled by the cloud-based LDAP solution, so there is a single company identity with a centralized portal to access company resources, reset passwords, or manage other account settings. 

Get started today with a JumpCloud Free account to test drive a cloud-based LDAP solution and take the guesswork out of managing LDAP.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.
