
Best practices for implementing a centralized authentication system like LDAP servers?

Comments
  • 1
    The LDAP server should be redundant; consider having emergency administrative accounts if the LDAP is not available. (e.g. a local database

    You also might want to consider:
    - Make the LDAP server redundant, if you haven't already
    - Have emergency access (e.g. with a local account db) in case the LDAP server does not work
    - Is the account "meta data" (permissions, ...) in the LDAP tree too (like Microsoft Exchange does), or in another database (Owncloud, Gitlab...)? The first approach allows restoring most application data from LDAP, while the second one allows having multiple authentication backends with less work, and the application does not need to write to the LDAP database directly.
    - Beware of LDAP injections, as there are no prepared queries like most SQL implementations have (your LDAP library might emulate them; safe LDAP escaping is possible).

    Practically, check whether your server has the groupOf attribute on entries. Microsoft AD has it, but for OpenLDAP it has to be activated manually.

    Last but not least: A compromise of your application server with LDAP authentication automatically means _ALL SERVICES USING THE SAME BACKEND_ are compromised, as the attacker just has to wait for passwords.
    Consider using secure single sign-on protocols (SAML, Kerberos, OpenID Connect / OAuth) for user authentication.
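The LDAP injection point above, shown as an added example (not code from the commenter or any project): one filter builder that concatenates raw input, one that escapes the assertion value per RFC 4515 (the same rule the `escape_filter_chars` helpers in python-ldap and ldap3 apply), and a small parser that lists the assertions a server would see in each filter. The username containing filter metacharacters is a constructed test value; only the Python standard library is used.

```python
# Added example: safe construction of LDAP search filters (RFC 4515 escaping).
# Not the original poster's code; no external LDAP library is required.

# Characters that carry meaning inside an LDAP filter string (RFC 4515, section 3).
# Each is replaced by a backslash followed by the hex value of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the server matches it literally.

    After escaping, the value can no longer close the current component,
    open a new one, or act as a wildcard.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """The pattern the comment warns about: raw string concatenation."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: the value is escaped, so the filter keeps its structure."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def list_assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Return the (attribute, value) assertions a server would evaluate.

    Components are delimited by unescaped parentheses; operators (&, |, !)
    are skipped. Escaped parentheses have already become \\28 / \\29, so they
    never open or close a component, exactly as on a real directory server.
    """
    assertions: list[tuple[str, str]] = []
    depth = 0
    token = ""
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
            token = ""
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses in filter")
            if "=" in token:
                attr, _, value = token.partition("=")
                assertions.append((attr, value))
            token = ""
        else:
            token += ch
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter")
    return assertions


if __name__ == "__main__":
    # Constructed input: a "username" made of filter metacharacters.
    hostile = "*)(uid=*"
    for label, builder in (("unsafe", build_user_filter_unsafe), ("escaped", build_user_filter)):
        f = builder(hostile)
        print(f"{label:8} {f}")
        print(f"{'':8} assertions seen by the server: {list_assertions(f)}")
```

With the unsafe builder the constructed value adds a third, wildcard assertion to the filter, so the bind or lookup can match every person entry; with the escaped builder the server sees exactly two assertions and the second one is a literal that no real uid will match. Escaping covers filter strings only; distinguished names have their own rules (RFC 4514), so a DN built from user input needs the DN escaping routine of your library, not this one.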