Password Encryption for LDAP Integration
Before implementing password encryption, you must be running JRE 1.5 or higher.
While LDAP is an open standard, different providers, and even different installations of the same provider, affect how encryption is done. The standard binding mechanism for any LDAP server is a simple bind, which sends the password in clear text over the network. If the network between the application server and the LDAP server is trusted, this connection may be sufficient and further security may not be needed. If password encryption is needed, Suite uses a different secure binding process for OpenLDAP and for Active Directory. Note that a secure bind protects the password itself during authentication; it does not necessarily encrypt the directory queries that follow, which requires LDAPS or StartTLS between the application server and the LDAP server. Below, each supported provider is listed with its particular implementation issues and expectations, including particulars for secure binding.
Microsoft Active Directory
Suite uses Active Directory's LDAP implementation to authenticate a particular user. Because of this implementation, a user may identify themselves by one of the following:
- Distinguished name
Active Directory uses Kerberos for secure authentication to a domain controller. Activating Kerberos authentication should be straightforward as long as the Active Directory domain (entered in all capitals, because it is used as the Kerberos realm name and realm names are case sensitive) and the Kerberos domain controller (server:domain) are specified in the appropriate fields in Suite.
Two caveats with Kerberos authentication exist:
- With Kerberos security, usernames become case sensitive for authentication.
- If a particular credential set does not work and you believe it should, try the following:
  - Check that the username is entered in the correct case.
  - Change the user's password on the network; a known issue exists with Kerberos authentication for users who have never changed their password.
OpenLDAP
Suite relies on LDAP objects of the object class groupOfNames in OpenLDAP. It reads the group's list of member attribute values, each of which is a distinguished name, and matches them against the distinguished name of the authenticating user to decide whether that user has access rights to Suite.
The only mechanism for binding to OpenLDAP is a valid Distinguished Name. Because most distinguished names are long, Suite attempts to expand particular short string patterns typed at login to fully qualified distinguished names. See Valid Login Syntax for LDAP.
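The two steps above (expanding a short login to a DN, then matching that DN against a groupOfNames entry) are shown together in the following added example. It is not Suite's own code: the base DN, the People and Groups containers, the short-login patterns and the LDIF data are all constructed assumptions for illustration. The part worth noting is the DN normalisation: the member values in a group and the DN a user types rarely agree in case or spacing, and attribute types such as uid, ou and dc compare case-insensitively, so a byte-for-byte comparison would wrongly deny (or, with sloppy normalisation, wrongly grant) access.

```python
# Added example, not Suite's code. Expand a short login to a full DN and check
# groupOfNames membership on LDIF data. Base DN, OUs, login patterns and the
# LDIF below are assumptions constructed for this illustration.
import re

BASE_DN = "dc=example,dc=com"          # assumed directory suffix
PEOPLE_OU = f"ou=People,{BASE_DN}"     # assumed container for user entries


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs. A backslash-escaped comma stays
    inside its value. Types and values are lower-cased because uid/ou/dc/cn
    use caseIgnoreMatch in the standard schema."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical string form used for all comparisons in this example."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def expand_login(login: str) -> str:
    """Assumed patterns: a login containing a comma is already a full DN;
    'uid=alice' gets the People OU appended; a bare 'alice' becomes
    uid=alice under the People OU."""
    if "," in login:
        return login
    if "=" in login:
        return f"{login},{PEOPLE_OU}"
    return f"uid={login},{PEOPLE_OU}"


# Constructed LDIF: one real groupOfNames, one with oddly cased members,
# and one posixGroup that must NOT be treated as an access group.
SAMPLE_LDIF = """\
dn: cn=suite-users,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: suite-users
member: uid=alice,ou=People,dc=example,dc=com
member: UID=Bob, OU=People, DC=example, DC=com

dn: cn=other,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: other
member: uid=carol,ou=People,dc=example,dc=com

dn: cn=legacy,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy
memberUid: alice
"""


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: {normalised dn: {attr: [values]}}. Enough for
    the single-line attributes used here (no continuation lines, no base64)."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[normalize_dn(current["dn"][0])] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def group_members(entries: dict, group_dn: str) -> set:
    """Normalised member DNs of a groupOfNames; empty for a missing entry
    or for an entry of some other object class."""
    entry = entries.get(normalize_dn(group_dn))
    if entry is None:
        return set()
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "groupofnames" not in classes:
        return set()
    return {normalize_dn(m) for m in entry.get("member", [])}


def user_has_access(ldif_text: str, group_dn: str, login: str) -> bool:
    """True when the expanded login's DN is a member of the access group."""
    user_dn = normalize_dn(expand_login(login))
    return user_dn in group_members(parse_ldif(ldif_text), group_dn)


if __name__ == "__main__":
    group = "cn=suite-users,ou=Groups,dc=example,dc=com"
    for who in ("alice", "bob", "uid=alice", "carol"):
        print(who, user_has_access(SAMPLE_LDIF, group, who))
```

The posixGroup entry is included deliberately: a check that only looks at the member attribute would silently return "no members" for it, which is the safe failure, but a check that matched on memberUid would be granting access on a different identity (a bare uid, not a DN) than the one the user bound with.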
If secure/encrypted logins are desired against an OpenLDAP server, Suite uses the SASL DIGEST-MD5 mechanism as the strong authentication method. This method requires and assumes a proper and working installation of the SASL system: specifically, a user's Distinguished Name must be usable to authenticate against the SASL database. (The easiest way to accomplish this is to configure, in the SASL configuration, a mapping from a qualified Distinguished Name to the SASL user, and to store passwords in the LDAP server database.) Two caveats apply. First, DIGEST-MD5 keeps the password off the wire, but with the default quality of protection (qop=auth) it does not encrypt the LDAP session that follows; use LDAPS or StartTLS if the directory traffic itself must be protected. Second, to verify the digest the server must be able to recover the password, or at least MD5 of user:realm:password, so passwords used with this mechanism must be stored in clear text or in a reversible form (in OpenLDAP, a cleartext userPassword), not as a salted one-way hash; that password store must be protected accordingly. DIGEST-MD5 has since been moved to historic status (RFC 6331), so treat it as a stop-gap rather than a long-term design.
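To make the second caveat concrete, the following added example (not Suite's code and not the SASL library's code) carries out the DIGEST-MD5 computation from RFC 2831 with both sides in one process: the server issues a challenge, the client builds its response from the password, the server verifies it from its stored secret and returns rspauth, and the client checks rspauth to confirm it talked to a server that also knew the secret. The realm, digest-uri, account and password are constructed values. The SaslDb class stands in for sasldb or a cleartext userPassword, and stores exactly what the server needs: MD5(user:realm:password), a value from which the response can be computed directly, which is why a salted slow hash cannot be used here.

```python
# Added example, not Suite's or Cyrus SASL's code: DIGEST-MD5 (RFC 2831)
# client and server computations in one process. Realm, URI and credentials
# are constructed values for illustration.
import hashlib
import hmac
import os


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_hex(urp_digest: bytes, nonce: str, cnonce: str) -> str:
    """H(A1) where A1 = H(user:realm:pass) as raw bytes, ':' nonce ':' cnonce
    (RFC 2831 section 2.1.2.1). urp_digest is the raw inner MD5."""
    return md5hex(urp_digest + f":{nonce}:{cnonce}".encode())


def digest(ha1: str, nonce: str, nc: str, cnonce: str, qop: str,
           uri: str, a2_prefix: str) -> str:
    """response / rspauth: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))).
    A2 starts with 'AUTHENTICATE' for the client and is empty for rspauth;
    auth-int/auth-conf append 32 zero hex digits to A2."""
    a2 = f"{a2_prefix}:{uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    inner = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2.encode())}"
    return md5hex(inner.encode())


def server_challenge(realm: str, qop: str = "auth") -> dict:
    """Server step 1: fresh nonce; qop=auth gives no session encryption."""
    return {"realm": realm, "nonce": os.urandom(16).hex(), "qop": qop}


def client_respond(username: str, password: str, challenge: dict, uri: str,
                   cnonce: str = None, nc: str = "00000001") -> dict:
    """Client step: the password never leaves this function."""
    cnonce = cnonce or os.urandom(16).hex()
    urp = md5(f"{username}:{challenge['realm']}:{password}".encode())
    ha1 = ha1_hex(urp, challenge["nonce"], cnonce)
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "cnonce": cnonce, "nc": nc,
            "qop": challenge["qop"], "digest-uri": uri,
            "response": digest(ha1, challenge["nonce"], nc, cnonce,
                               challenge["qop"], uri, "AUTHENTICATE")}


class SaslDb:
    """Stand-in for sasldb / cleartext userPassword. The stored secret is
    MD5(user:realm:password): reversible enough to forge a response if the
    store leaks, which is the caveat in the text."""

    def __init__(self, accounts: dict):
        self.secrets = {(u, r): md5(f"{u}:{r}:{p}".encode())
                        for (u, r), p in accounts.items()}

    def verify(self, r: dict, expected_nonce: str):
        """Server step 2: returns rspauth on success, None on failure."""
        if r["nonce"] != expected_nonce:          # replayed / foreign nonce
            return None
        secret = self.secrets.get((r["username"], r["realm"]))
        if secret is None:
            return None
        ha1 = ha1_hex(secret, r["nonce"], r["cnonce"])
        args = (r["nonce"], r["nc"], r["cnonce"], r["qop"], r["digest-uri"])
        if not hmac.compare_digest(digest(ha1, *args, "AUTHENTICATE"),
                                   r["response"]):
            return None
        return digest(ha1, *args, "")             # rspauth: A2 has no method


def client_check_rspauth(username: str, password: str, r: dict, rspauth: str) -> bool:
    """Client step 2: mutual authentication check of the server's rspauth."""
    urp = md5(f"{username}:{r['realm']}:{password}".encode())
    ha1 = ha1_hex(urp, r["nonce"], r["cnonce"])
    expected = digest(ha1, r["nonce"], r["nc"], r["cnonce"], r["qop"],
                      r["digest-uri"], "")
    return hmac.compare_digest(expected, rspauth)


def run_exchange(db: SaslDb, username: str, password: str,
                 realm: str = "example.com",
                 uri: str = "ldap/ldap.example.com") -> bool:
    """Whole exchange; True only if both sides accept each other."""
    ch = server_challenge(realm)
    resp = client_respond(username, password, ch, uri)
    rspauth = db.verify(resp, ch["nonce"])
    if rspauth is None:
        return False
    return client_check_rspauth(username, password, resp, rspauth)


def rfc2831_example_response() -> str:
    """Inputs from the worked example in RFC 2831 section 4, for comparison
    with the response value printed there."""
    ch = {"realm": "elwood.innosoft.com", "nonce": "OA6MG9tEQGm2hh", "qop": "auth"}
    return client_respond("chris", "secret", ch, "imap/elwood.innosoft.com",
                          cnonce="OA6MHXh6VqTrRk")["response"]


DB = SaslDb({("alice", "example.com"): "correct horse battery staple"})

if __name__ == "__main__":
    print("good password:", run_exchange(DB, "alice", "correct horse battery staple"))
    print("bad password: ", run_exchange(DB, "alice", "wrong"))
    print("RFC 2831 example response:", rfc2831_example_response())
```

Everything the server holds in SaslDb is enough to impersonate the user to any other DIGEST-MD5 server using the same realm, which is why the SASL database or the cleartext userPassword attribute in OpenLDAP needs the same protection as the passwords themselves.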