1
votes

I'm writing an application that depends on an LDAP login. When a user logs into the system with their valid LDAP credentials, an API token is granted to be used to interact with the application from that point on (API-driven web app). However, the application needs to be set up so that whenever a user is deleted from the LDAP server, the API keys are revoked as well. My plan is to set up a cronjob to periodically check if the LDAP credentials are still valid. Therefore, I'd need to save these credentials so that I can check them later. I realized, though, that this would mean that I'd have to save the passwords the users provide as plain text; otherwise I would not be able to send them to the LDAP server for verification.

I'm personally not very experienced with LDAP, so I was wondering if there is any way around this. I thought about storing the hashes of the passwords, and wondered if it was somehow possible to verify the credentials by using the hash of the password instead of the password itself, but then quickly realised that this would not really be any safer, because if the database were compromised, it does not really matter if the passwords are hashed or not if both can be used to authenticate. The only benefit of that would be that it might be harder to check if the user uses the same password for other services.

All suggestions are appreciated. Thanks!

2
storing passwords as plain text? really? how is this even an option? - The Bearded Llama
@TheBeardedLlama Well that's the problem I'm trying to solve :') - Roemer
Why? You don't need to login again as the user to find out whether that user still exists. Normally you login as an LDAP administrator to do searches like this. It's also debatable whether you need to detect user deletions while they have a current session. You could just let it take effect at their next (failed) login, and you could also expire the user session on deletion so that they have to try a re-login immediately, and fail. - user207421
I will add that it is very rare for a user to be deleted from LDAP. The usual practice is just to disable the account. But even this is rare enough that you don't need to provide much if anything in the way of supporting code to cover the even rarer case that the user happens to be logged in when this happens. - user207421
@EJP lots of LDAP entries are deleted every day. It is a common occurrence that inactive entries are deleted, and sometimes this is required for compliance, including PCI and SOX regulatory purposes. - jwilleke

2 Answers

1
votes

There are, on some systems, methods to store the password in an encrypted (not hashed) fashion on the file system.

You can of course write your own methods to encrypt and decrypt the credentials.

You can limit access to the location of the credentials by using Operating System controls.

But generally, somewhere there must be credentials stored in plaintext.

And face it, if someone has "root" access to the server, you "Probably" can not stop them from accessing the LDAP data.

0
votes

You can store hashed passwords in an LDAP directory.

The bind operation of LDAP will tell you if the credentials provided are the right ones or not.

If the user is deleted, the bind operation will naturally fail, because there will no longer be an entry which verifies the credentials.

You could save (in your Web API backend) the user's LDAP DN corresponding to the API token generated, and periodically check your directory to remove every token which leads to a non-existing entry in the directory.
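The DN-per-token sweep this answer describes, written out as an added example (not code from the question or either answerer). It assumes a service account does the lookups, the token store is an in-memory dict, and the directory is replaced by a constructed set of DNs; the `ldap3` call named in the docstring is how the lookup would be done against a real server.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

class DirectoryUnavailable(Exception):
    """Raised by the lookup when the directory cannot be reached."""

@dataclass
class TokenRecord:
    token: str
    dn: str               # DN returned by the directory at login; no password kept
    revoked: bool = False

def issue_token(store: Dict[str, TokenRecord], dn: str) -> str:
    """Mint a random API token bound to the DN that just bound successfully."""
    token = secrets.token_urlsafe(32)
    store[token] = TokenRecord(token, dn)
    return token

def sweep_tokens(store: Dict[str, TokenRecord],
                 entry_exists: Callable[[str], bool]) -> List[str]:
    """Revoke every live token whose DN no longer exists in the directory.

    entry_exists(dn) should be a base-scope search done with a service account
    (with ldap3: conn.search(dn, "(objectClass=*)", search_scope=BASE)) and must
    raise DirectoryUnavailable on connection errors rather than return False,
    so an outage is never mistaken for mass deletion. Returns revoked tokens.
    """
    revoked: List[str] = []
    for rec in store.values():
        if rec.revoked:
            continue
        if not entry_exists(rec.dn):   # propagates DirectoryUnavailable
            rec.revoked = True
            revoked.append(rec.token)
    return revoked

# Constructed stand-in for the directory: the DNs that currently exist.
FAKE_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com",
                  "uid=bob,ou=people,dc=example,dc=com"}

def fake_entry_exists(dn: str) -> bool:
    return dn in FAKE_DIRECTORY

def demo() -> Tuple[List[str], str]:
    """Alice's token stays valid; carol's entry was deleted, so hers is revoked."""
    store: Dict[str, TokenRecord] = {}
    issue_token(store, "uid=alice,ou=people,dc=example,dc=com")
    gone = issue_token(store, "uid=carol,ou=people,dc=example,dc=com")
    return sweep_tokens(store, fake_entry_exists), gone
```

Only a definitive "entry not found" revokes; a lookup that raises leaves every remaining token untouched, so a directory outage does not log out the whole user base.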