27 Sep
What are the security best practices for clients authenticating users with password against LDAP?
To secure an OpenLDAP environment I'm investigating what the security best practices are with regards to authenticating users with passwords (e.g. no Kerberos or SSL Client Certificate authentication).
From what I understand, there are two approaches for user authentication:
- Comparing the password with the userPassword attribute:
  - The client binds to the LDAP server using a specified bind user
  - The client sends an LDAP query to retrieve the user entry
  - The client extracts the userPassword hashing scheme
  - The client hashes the password provided by the user with the extracted hashing scheme and compares it with the hashed password in the userPassword attribute
  - If both hashes match, the user is authenticated successfully, otherwise authentication failed
- LDAP Bind with user and password:
  - The client binds to the LDAP server using the user who wants to log in and the password he provided
  - If the LDAP Bind was successful, the authentication is successful, otherwise authentication failed
It seems many implementations are still using the first approach, whereas the second approach seems to be more secure and also allows pass-through authentication.
- If users need to be authenticated with a password, what are the security best practices for authenticating against LDAP and are they documented somewhere?
- Are there any other approaches than the ones described above?
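As an added illustration of the first approach (not code from the question), the following reimplements the client-side steps of extracting the scheme from userPassword, hashing the supplied password the same way and comparing the result; it assumes OpenLDAP's `{SSHA}` and `{SHA}` encodings (SHA-1 digest, with the salt appended for `{SSHA}`, base64-encoded) and rejects everything else rather than guessing. The `make_ssha` helper only constructs sample values so the example runs offline.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Construct an OpenLDAP-style {SSHA} userPassword value (sample data helper)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(stored: str, password: str) -> bool:
    """Client-side 'compare' check: parse the {SCHEME} prefix, re-hash the
    supplied password and compare digests in constant time.

    Note that this only works because the bind account used to read the entry
    was allowed to read password hashes at all, which is the main reason the
    bind-as-the-user approach is preferred in practice.
    """
    if not stored.startswith("{"):
        return False  # cleartext storage is not something a client should accept
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # malformed value, fail closed
    pw = password.encode("utf-8")
    if scheme.upper() == "SSHA":
        # SHA-1 digest is 20 bytes; whatever follows is the salt.
        if len(raw) <= 20:
            return False
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(pw + salt).digest()
    elif scheme.upper() == "SHA":
        if len(raw) != 20:
            return False
        digest = raw
        candidate = hashlib.sha1(pw).digest()
    else:
        return False  # unsupported scheme ({CRYPT}, {MD5}, ...) never authenticates
    return hmac.compare_digest(candidate, digest)
```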