0 votes

I have an application that needs to sync periodically to my directory service (OpenLDAP or AD).

To do so, it is necessary to bind an admin account with a DN and password, to access users on LDAP.

As far as I understand, there is the possibility of using anonymous, however for security reasons, its use is not recommended.

Since this periodic synchronization is done automatically by a routine (hourly), I need to store, in addition to the account DN, the admin password in the application database as well.

However, passwords are usually sent to the directory service for authentication in plaintext (within a secure SSL/TLS connection), and the directory service itself stores the password either in plaintext or as some hash (MD5, SHA-1, etc.).

How can I ensure the security of the admin password stored in the database for synchronization with LDAP? Or is there a best practice for implementing a periodic sync using LDAP?

Examples of applications that require an (admin) password to read LDAP:

But it is not clear how the password is stored.

1
What is your application written in? There will probably be a way to encrypt the password in your configuration, but it depends what you're using. – Gabriel Luci

Dart. It has libraries on pub.dev that implement two-way crypto (DES, Triple DES, AES, ...), where a private key is used to encrypt and decrypt. But it is not recommended to use these algorithms to store passwords, because if someone finds the private key, they will be able to discover all passwords. So a hash is usually used, but in this use case (LDAP) we need the plaintext password. I am looking for another approach to keeping the password secure without encrypt/decrypt, or even a way to protect the private key used in the encryption algorithm. – Muka

Do you really even need an "admin account"? Are you using it to make any changes? In Active Directory at least, any account can read from LDAP. It doesn't need any special permissions. If that's the case, there are hardly any consequences to the password being found. – Gabriel Luci

No, and I really would not want to have an "admin account". I only need to read and authenticate users. I am using OpenLDAP and it allows reading users without a bind (anonymous). However, I found information that Active Directory (maybe an older version!) disables anonymous reading by default, and then it would be necessary to have an "admin account" to bind with in order to read the users. Is this the case for Active Directory? – Muka
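The comments above circle around the weak point of storing a bind password with reversible encryption: whoever gets the key gets every secret. The usual mitigation is to keep the key out of the database entirely (environment variable injected at deploy time, OS keystore, or a secrets manager) so that a dump of the database alone yields nothing usable. The following is an added example illustrating that separation, written by the editor in Go rather than the asker's Dart; it is not code from the question or answer. The environment variable name `LDAP_SYNC_KEY`, the bind DN and the password are constructed for the demo. It stores only AES-256-GCM ciphertext in the "database" record and binds the service-account DN in as associated data, so a ciphertext copied onto a different account's record is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
)

// EncryptedSecret is the only thing persisted in the application database:
// nonce plus ciphertext. The key never lives next to it.
type EncryptedSecret struct {
	Nonce      []byte
	Ciphertext []byte
}

// keyFromEnv derives a 32-byte AES key from a secret held outside the
// database. Here it is an environment variable (placeholder name); a real
// deployment would read it from the OS keystore or a secrets manager.
func keyFromEnv(name string) ([]byte, error) {
	v := os.Getenv(name)
	if v == "" {
		return nil, errors.New("bind-password key not provided in " + name)
	}
	sum := sha256.Sum256([]byte(v))
	return sum[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the LDAP bind password with AES-256-GCM. The bind DN is
// authenticated as associated data, so the record cannot be swapped onto
// another account without the decryption failing.
func Seal(key []byte, bindDN, password string) (EncryptedSecret, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSecret{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(password), []byte(bindDN))
	return EncryptedSecret{Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the password at sync time, just before the LDAP bind.
// It fails if the key is wrong, the record was tampered with, or the DN
// does not match the one it was sealed for.
func Open(key []byte, bindDN string, s EncryptedSecret) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(bindDN))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo values; in production the key arrives from the
	// environment or keystore and is never written to the database.
	os.Setenv("LDAP_SYNC_KEY", "demo-only-key-material")
	key, err := keyFromEnv("LDAP_SYNC_KEY")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	bindDN := "cn=sync,ou=services,dc=example,dc=org"
	rec, _ := Seal(key, bindDN, "demo-bind-password")
	fmt.Printf("stored record: nonce=%x ct=%x\n", rec.Nonce, rec.Ciphertext)

	pw, err := Open(key, bindDN, rec)
	fmt.Println("recovered for bind:", pw, err)

	// Same record presented for a different DN: authentication fails.
	_, err = Open(key, "cn=other,ou=services,dc=example,dc=org", rec)
	fmt.Println("DN mismatch rejected:", err != nil)
}
```

This only raises the bar: the plaintext still has to exist in process memory at bind time, and the key's own protection (file permissions, keystore ACLs, secrets-manager access policy) decides how much the scheme is worth. Pairing it with a dedicated read-only service account, as the comments suggest, keeps the blast radius small if it is ever recovered.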

1 Answer

1 vote

It's true that anonymous bind is disabled by default in Active Directory. However, if you are just reading, you don't need an "admin" account. You need any account. The account does not need to have any special permissions. You just need something that can authenticate to the domain.

But if you're going to be authenticating users, then you will need to get the user's password, and you can just use the user's credentials to read from LDAP. That would be true for both AD and OpenLDAP.