Friday, January 20, 2023
Tuesday, January 17, 2023
Open Source Directory Services and Spring Integrations (Apache Directory Service / Open LDAP / Spring LDAP integration / Apache Directory Studio)
Directory Service
Directory service is a database that stores information about Organization's users, user groups, assets, departments, user login details including usernames and passwords. This maintain single high available service for all authentication and authorization. This is very critical system for Organization as it maintain Organizational Structure including Personally Identifiable data.
Open Source Options for Directory Services
There are many Free and Open Source Directory Services and they have their own pros and cons. Below are the most famous Directory Services available for FOSS community.
1st Option - Linux installation of Apache Directory Services with Apache Directory Studio
Apache Directory Studio comes with Directory Service with UI for managing Directory Structure
Step 1 : Download https://directory.apache.org/studio/
Step 2 : Extract it and run using below command
./ApacheDirectoryStudio
Change Default Passwords
Step 1 : First add new Apache Directory Server as below
Step 2 : Right click and Open Configurations
You can change LDAP ports , Enable Kerberos as preferred.
Also notice that Admin user's default DC ( Domain Component ) and OU ( Organizational Unit details )
dc=example,dc=com
Step 3 : Then start Apache Directory Server as below
Step 4: Create LDAP connection. Use Secure LDAP port
Right click on Connection -> New Connection -> Use Secure LDAP port -> Select Encryption Method as SSL
View, Verify and Accept certificates
Step 5: Create LDAP connection. Use Secure LDAP port
Bind User : uid=admin,ou=system
Password : secret
Step 6: Enable Change Password Options
Go to connections -> Select the connection -> Change Edit options from Default to Replace
Step 7: Change Admin Password
Create Users with Password Security
Step 1 : Right click on users and add new Entry. Select inetOrgPerson from drop down and proceed
Step 2 : Add Unique ID for User and enter common name , surname and other user details
Step 3 : Add password for the user. Make sure to encrypt with strong password
Spring Integration with LDAP
Do no use Admin user credential for LDAP integration. Instead you have to use separate account like below
Step 1: Install Secure LDAP certificate in to JRE cacerts using below steps
Generate Certificate
echo -n | openssl s_client -connect localhost:10636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
Backup JRE cacert file
cd <JRE HOME>/lib/security
cp cacerts cacerts-original-18-Jan-2023
Create Binary file of Certificate
openssl x509 -outform der -in ldapserver.pem -out ldapserver.der
Import Certificate File to JRE Keystore
keytool -import -alias local-apache-ds -keystore cacerts -file certificate.der
Step 2 : Go to the newly created account and right click on properties.
Find below properties.
DN : uid=saminda,ou=users,ou=system
URL : ldaps://localhost:10636/uid=saminda,ou=users,ou=system
Step 3: Use above values for Spring LDAP bean configurations as below
<security:authentication-manager>
<security:authentication-provider ref="LDAPProvider"/>
</security:authentication-manager>
<beans:bean id="LDAPProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="grantedAuthoritiesPopulator"/>
</beans:bean>
<beans:bean id="userSearch" class="com.mycompany.CustomLdapUserSearch">
<beans:constructor-arg value="ou=users,ou=system"/>
<beans:constructor-arg value="(objectClass=inetOrgPerson)"/>
<beans:constructor-arg ref="contextSource"/>
<beans:property name="searchSubtree" value="true"/>
</beans:bean>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldaps://localhost:10636"/>
<beans:property name="userDn" value="uid=saminda,ou=users,ou=system" />
<beans:property name="password" value="XXXXXXX" />
</beans:bean>
LDAP Spring Error Handling
<beans:bean id="authenticationFailureHandlerException"
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.BadCredentialsException">/?error=Invalid user name or password. Please re-enter.</beans:prop>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/?error=Your credentials has been expired</beans:prop>
<beans:prop key="org.springframework.security.authentication.LockedException">/?error=Your account has been locked</beans:prop>
<beans:prop key="org.springframework.security.authentication.DisabledException">/?error=Sorry unable to login with this account, please contact the administrator</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
LDAP Performance Factors
Make sure to retrieve only required information by by constructing exact query
Enable caching with cache evict period in LDAP trees
Better to query the subset of tree hierarchy rather than entire tree hierarchy.
Correct LDAP tree indexes can increase search performance
Enforce LDAP query timeouts
Security Concerns in LDAP integrations
1. Vulnerable to Man in the Middle Attack
2. Enforce Mandatory SSL/TLS3 communication
3. Server side request validation
4. IP whitelisting and Jump server integration
5. Strong 2 Factor Authentication before comes to LDAP communication
6. Mandatory LDAP binding before proceed with LDAP operations
7. Enforce default security including password encryption
8. LDAP server must be located in secured network
9. Avoid on-prem LDAP deployments as most of Security Threats initiated inside Organizations
10. Make sure to change JDK keystore default passwords
2nd Option - Linux installation of OpenLDAP Services
Note : No need to install 2 type of directory services. Below is for the experiment only.
Step 1 : Installation Command
sudo apt-get update
sudo apt install slapd ldap-utils
Step 2: Check service status
systemctl enable slapd
sudo systemctl start slapd
systemctl status slapd
Step 3: Change Default Admin Passwords
Use below command and enter relevant details as below.
sudo dpkg-reconfigure slapd
Step 4: You can download any available LDAP admin portal that supports Open LDAP
Follow similar steps we followed in Apache Directory Services with Apache Directory Studio
Step 5 : You can generate OpenLDAP account passwords using below command
sudo slappasswd
Step 6: Install php ldap admin and you can manage Open LDAP tree hierarchy
https://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page