Notes about Active Directory integration using LDAP

I’d like to share a few notes about integrating with Active Directory using LDAP:

  • LDAP is a directory access protocol. Use it as the source of authorisation data (attributes, group membership), not as your authentication mechanism. Think about users who do not authenticate with passwords at all but with smart cards or RSA SecurID one-time passwords. Even if there are none today, there may be in future, so make sure the authentication system is effectively separated from the authorisation subsystem;

  • For example, if your Web application requires a client certificate to connect, validate it through PKI trust (chain and revocation checks against the CA you trust) and don’t try to match the presented certificate against the user’s userCertificate attribute in AD, which holds their S/MIME certificate;

  • Make sure that a unique attribute is used for directory lookups after authentication. Note that commonName is only unique within its container and sAMAccountName only within a domain, while userPrincipalName (UPN) is unique across the forest. Both names can also be changed, so if you need a persistent link to the account, store the immutable objectGUID (or objectSid) rather than a name;

  • Do not ever use organisational units (that is, the object’s location in the directory tree) for granting access. Objects get moved between OUs for administrative reasons that have nothing to do with your application. Use groups and group membership instead;

  • Make sure that you check that the user account isn’t locked out or disabled. The Microsoft KB article How to query Active Directory by using a bitwise filter describes the LDAP filter syntax for testing individual userAccountControl bits (the 1.2.840.113556.1.4.803 bitwise-AND matching rule). UF_ACCOUNTDISABLE (0x2) is the bit to look for. Note that UF_LOCKOUT (0x10) is defined in the SDK but is not actually set in the stored userAccountControl attribute: lockout state is reflected in the lockoutTime attribute (and in the constructed attribute msDS-User-Account-Control-Computed), so check that separately.
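As an added example that is not part of the original post, here is how the notes above fit together in application code: the user is looked up by userPrincipalName with a properly escaped filter, disabled accounts are excluded in the query itself with the bitwise-AND rule from the KB article, lockout is read from lockoutTime, and access is decided by group membership rather than by OU. The directory entries, the fixed clock, the group DN and the 30-minute lockout duration are constructed sample data standing in for a real search result; the attribute names and the matching-rule OID are the real AD ones.

```python
"""Added example (not from the original post): AD lookup and account-status checks
against a constructed in-memory entry, so it runs offline without a domain controller."""
from datetime import datetime, timedelta, timezone

# userAccountControl bits from the Windows SDK (lmaccess.h).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010  # defined, but AD does not set it in the stored userAccountControl

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule used by the KB article.
BIT_AND = "1.2.840.113556.1.4.803"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP filter (RFC 4515), so an input such as
    '*)(objectClass=*' cannot rewrite the query (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(upn: str) -> str:
    """Look the user up by userPrincipalName (unique across the forest), and let the
    directory exclude disabled accounts via a bitwise AND on userAccountControl."""
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(entry: dict, now: datetime, lockout_duration) -> bool:
    """AD records lockouts in lockoutTime (0 = never locked out); the account stays
    locked while now < lockoutTime + the domain's lockout duration. None models the
    'until an administrator unlocks it' policy. (The constructed attribute
    msDS-User-Account-Control-Computed exposes the same state as the UF_LOCKOUT bit.)"""
    lt = int(entry.get("lockoutTime", "0"))
    if lt == 0:
        return False
    if lockout_duration is None:
        return True
    return now < filetime_to_datetime(lt) + lockout_duration


def evaluate_entry(entry: dict, required_group_dn: str, now: datetime,
                   lockout_duration=timedelta(minutes=30)):
    """Authorisation decision for an already-authenticated user: account status first,
    then group membership, never the OU the object happens to live in."""
    uac = int(entry["userAccountControl"])
    if uac & UF_ACCOUNTDISABLE:          # defence in depth: the filter excludes these too
        return False, "account disabled"
    if is_locked_out(entry, now, lockout_duration):
        return False, "account locked out"
    # memberOf lists direct memberships only (and not the primary group); expand nested
    # groups server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule if policy needs them.
    groups = {dn.lower() for dn in entry.get("memberOf", [])}
    if required_group_dn.lower() not in groups:
        return False, "not a member of required group"
    return True, "ok"


# Constructed sample data (assumed group DN, fixed clock, 30-minute lockout policy).
GROUP_DN = "CN=App Users,OU=Groups,DC=example,DC=com"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DIRECTORY = {
    "alice@example.com": {"userAccountControl": "512", "lockoutTime": "0",
                          "memberOf": [GROUP_DN]},
    "bob@example.com": {"userAccountControl": "514", "lockoutTime": "0",  # 512 | 0x2
                        "memberOf": [GROUP_DN]},
    "carol@example.com": {"userAccountControl": "512",
                          "lockoutTime": str(datetime_to_filetime(NOW - timedelta(minutes=10))),
                          "memberOf": [GROUP_DN]},
    "dave@example.com": {"userAccountControl": "512", "lockoutTime": "0", "memberOf": []},
}


def check_access(upn: str, required_group_dn: str = GROUP_DN, now: datetime = NOW):
    """Full flow: build the escaped lookup filter, fetch the entry, evaluate it."""
    search_filter = build_user_filter(upn)  # would be sent to the DC in real code
    entry = SAMPLE_DIRECTORY.get(upn)       # stand-in for the search result
    if entry is None:
        return False, "no such user"
    return evaluate_entry(entry, required_group_dn, now)


if __name__ == "__main__":
    print(build_user_filter("jdoe@example.com"))
    for upn in list(SAMPLE_DIRECTORY) + ["nobody@example.com", "*)(objectClass=*"]:
        print(upn, check_access(upn))
```

In real code the filter goes to a domain controller over LDAPS, and the entry comes back from that search; everything after the lookup stays the same. Keep the group-membership decision in the application (or in a group-scoped filter), not in the bind step, so that swapping password authentication for certificates or one-time passwords later does not touch the authorisation path.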

Don’t oversecure LDAP. It’s the enterprise address book – think of Yellow Pages when you design security solutions using LDAP.
