Tuesday, January 17, 2023

Open Source Directory Services and Spring Integrations (Apache Directory Service / Open LDAP / Spring LDAP integration / Apache Directory Studio)


Figure 1 - Secure LDAP Client Server Communication

Directory Service

A directory service is a database that stores information about an organization's users, user groups, assets, departments and login details, including usernames and passwords. It provides a single, highly available service for all authentication and authorization. It is a critical system for the organization because it holds the organizational structure, including personally identifiable data.

Open Source Options for Directory Services

There are many free and open source directory services, each with its own pros and cons. Below are the most popular directory services available to the FOSS community.


1st Option - Linux installation of Apache Directory Service with Apache Directory Studio

Apache Directory Studio comes with a directory service and a UI for managing the directory structure.

Step 1 : Download https://directory.apache.org/studio/

Step 2 : Extract it and run it using the command below

    ./ApacheDirectoryStudio

Change Default Passwords

Step 1 :   First add new Apache Directory Server as below

Step 2 :   Right click and open Configurations

You can change the LDAP ports and enable Kerberos as preferred.

Also note the admin user's default DC (Domain Component) and OU (Organizational Unit) details:

dc=example,dc=com


Step 3 :   Then start the Apache Directory Server as below

    Right click on the server and select Start

Step 4: Create an LDAP connection. Use the secure LDAP port

Right click on Connections -> New Connection -> use the secure LDAP port -> select Encryption Method as SSL

View, verify and accept the certificate

Step 5: Configure authentication for the connection

Check the admin account. Use the bind user details and password as below. Verify the password and finish the setup

Bind User : uid=admin,ou=system

Password  : secret

Step 6: Enable the Change Password option

Go to Connections -> select the connection -> change the Edit option from Default to Replace

Step 7: Change the Admin Password

Select the admin user from the directory tree -> double click on the password attribute -> add a new password
Select SHA as the hash method

Create Users with Password Security

Step 1 : Right click on users and add a new entry. Select inetOrgPerson from the drop-down and proceed

Step 2 : Add a unique ID (uid) for the user and enter the common name, surname and other user details

Step 3 : Add a password for the user. Make sure it is a strong password and that it is stored hashed, not in clear text

Spring Integration with LDAP

Do not use the admin user's credentials for the LDAP integration. Instead, use a separate, dedicated account as shown below


Step 1: Install the secure LDAP server certificate into the JRE cacerts keystore using the steps below

Export the server certificate (10636 is the LDAPS port configured above)

echo -n | openssl s_client -connect localhost:10636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

Back up the JRE cacerts file

cd <JRE HOME>/lib/security

cp cacerts cacerts-original-18-Jan-2023

Convert the certificate to binary (DER) form

openssl x509 -outform der -in ldapserver.pem -out ldapserver.der

Import the certificate file into the JRE keystore. The file name must match the DER file created above; keytool prompts for the keystore password, which is "changeit" for a stock JDK cacerts file unless it has been changed.

keytool -import -alias local-apache-ds -keystore cacerts -file ldapserver.der
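The manual export, convert and import steps above trust whatever certificate the server presents at that moment. The script below, an added example that is not part of the original post, does the same conversion but refuses to import unless the certificate's SHA-256 fingerprint matches a value obtained out of band (for instance from the directory administrator). The host and port are the LDAPS defaults from the post; EXPECTED_FP is a placeholder you replace with the real fingerprint, and the alias and file names mirror the commands above.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Matches the first PEM certificate block, as the sed expression on the page extracts it
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def fetch_server_cert_pem(host: str, port: int) -> str:
    """Fetch the server's leaf certificate as PEM (equivalent of the openssl s_client step)."""
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem_text: str) -> bytes:
    """Convert a PEM certificate to DER bytes (equivalent of 'openssl x509 -outform der')."""
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_pinned_cert(pem_text: str, expected_fingerprint: str) -> bytes:
    """Return the DER bytes only if the fingerprint matches the value obtained out of band."""
    der = pem_to_der(pem_text)
    actual = sha256_fingerprint(der)
    if not hmac.compare_digest(actual, expected_fingerprint.upper()):
        raise ValueError(f"certificate fingerprint mismatch: got {actual}")
    return der


def keytool_import_command(der_path: str, alias: str, keystore: str) -> list:
    """Argument list for the keytool import; no -storepass, so keytool prompts for the password."""
    return ["keytool", "-importcert", "-alias", alias, "-keystore", keystore, "-file", der_path]


if __name__ == "__main__":
    import subprocess

    # Host and port are the ApacheDS LDAPS defaults used in the post. EXPECTED_FP is a
    # placeholder (assumption): replace it with the fingerprint published by the directory
    # administrator. With the placeholder left in place the script fails closed and imports nothing.
    HOST, PORT = "localhost", 10636
    EXPECTED_FP = "REPLACE-WITH-OUT-OF-BAND-FINGERPRINT"
    der = verify_pinned_cert(fetch_server_cert_pem(HOST, PORT), EXPECTED_FP)
    with open("ldapserver.der", "wb") as fh:
        fh.write(der)
    subprocess.run(keytool_import_command("ldapserver.der", "local-apache-ds", "cacerts"), check=True)
```

Run it from the JRE's lib/security directory (where cacerts lives) after the backup step. The fingerprint comparison uses a constant-time compare and the keytool invocation deliberately omits -storepass, so the keystore password is never left in shell history or a script.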


Step 2 : Go to the newly created account, right click and open Properties.

Find the properties below.

DN  : uid=saminda,ou=users,ou=system

URL : ldaps://localhost:10636/uid=saminda,ou=users,ou=system

Step 3: Use the values above in the Spring LDAP bean configuration as below


<security:authentication-manager>
    <security:authentication-provider ref="LDAPProvider"/>
</security:authentication-manager>

<beans:bean id="LDAPProvider"
    class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
            <beans:constructor-arg ref="contextSource"/>
            <beans:property name="userSearch" ref="userSearch"/>
        </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg ref="grantedAuthoritiesPopulator"/>
</beans:bean>

<!-- CustomLdapUserSearch is the application's own class. Spring Security's
     FilterBasedLdapUserSearch takes the same (base, filter, contextSource) arguments
     and expects a filter such as (uid={0}) so that the login name is matched exactly. -->
<beans:bean id="userSearch" class="com.mycompany.CustomLdapUserSearch">
    <beans:constructor-arg value="ou=users,ou=system"/>
    <beans:constructor-arg value="(objectClass=inetOrgPerson)"/>
    <beans:constructor-arg ref="contextSource"/>
    <beans:property name="searchSubtree" value="true"/>
</beans:bean>

<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldaps://localhost:10636"/>
    <beans:property name="userDn" value="uid=saminda,ou=users,ou=system" />
    <!-- Bind password of the dedicated integration account: supply it from a
         property placeholder or environment variable rather than a literal here -->
    <beans:property name="password" value="XXXXXXX" />
</beans:bean>

<!-- The provider above references grantedAuthoritiesPopulator, which the original listing
     did not define. This is Spring Security's standard populator; the group search base
     ou=groups,ou=system is an assumption (ApacheDS's default system partition). -->
<beans:bean id="grantedAuthoritiesPopulator"
    class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:constructor-arg value="ou=groups,ou=system"/>
</beans:bean>


LDAP Spring Error Handling

<beans:bean id="authenticationFailureHandlerException"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <beans:property name="exceptionMappings">
        <beans:props>
            <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/?error=Invalid user name or password. Please re-enter.</beans:prop>
            <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/?error=Your credentials has been expired</beans:prop>
            <beans:prop key="org.springframework.security.authentication.LockedException">/?error=Your account has been locked</beans:prop>
            <beans:prop key="org.springframework.security.authentication.DisabledException">/?error=Sorry unable to login with this account, please contact the administrator</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>


LDAP Performance Factors

Make sure to retrieve only the required information by constructing an exact query

Enable caching, with a cache evict period, for LDAP trees

Query a subset of the tree hierarchy rather than the entire tree hierarchy

Correct LDAP tree indexes can increase search performance

Enforce LDAP query timeouts


Security Concerns in LDAP integrations

1. LDAP traffic without TLS is vulnerable to man-in-the-middle attacks

2. Enforce mandatory SSL/TLS (LDAPS) communication

3. Validate requests on the server side

4. IP whitelisting and jump server integration

5. Strong two-factor authentication before the LDAP communication takes place

6. Mandatory LDAP binding before proceeding with LDAP operations

7. Enforce default security, including password encryption (hashing of stored passwords)

8. The LDAP server must be located in a secured network

9. Avoid on-prem LDAP deployments, as most security threats originate inside organizations

10. Make sure to change the JDK keystore default password
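Performance factor "construct an exact query" and security concern 3 "validate requests on the server side" meet in the search filter: a login name copied into the filter unescaped can turn a single-user lookup into a match-everything query. The block below is an added example, not code from the original post, written in Python so it runs stand-alone; it shows the unescaped filter beside an RFC 4515 escaped one, an allow-list check on the uid, and the tight search parameters (base, size limit, time limit) the performance list recommends. The base ou=users,ou=system and object class inetOrgPerson come from the post; the attribute list and limits are assumptions.

```python
import re

# RFC 4515 escape table; the backslash is handled first so that escapes are not double-escaped
_FILTER_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)

# Allow-list for login names: what an inetOrgPerson uid in this directory is expected to look like (assumption)
_UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def naive_filter(uid: str, object_class: str = "inetOrgPerson") -> str:
    """The unsafe version: the login name is pasted straight into the filter."""
    return f"(&(objectClass={object_class})(uid={uid}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def is_valid_uid(uid: str) -> bool:
    """Allow-list check: reject anything that does not look like a uid before touching the directory."""
    return bool(_UID_RE.match(uid))


def build_user_filter(uid: str, object_class: str = "inetOrgPerson") -> str:
    """Exact-match filter for one login name; refuses malformed input instead of searching."""
    if not is_valid_uid(uid):
        raise ValueError("login name contains characters not allowed in a uid")
    return f"(&(objectClass={escape_filter_value(object_class)})(uid={escape_filter_value(uid)}))"


def search_parameters(uid: str, base: str = "ou=users,ou=system", timeout_s: int = 5) -> dict:
    """Parameters for a tight search: users OU only, a fixed attribute list, one result, a time limit."""
    return {
        "base": base,
        "scope": "SUBTREE",
        "filter": build_user_filter(uid),
        "attributes": ["uid", "cn", "sn", "mail"],  # assumed attribute list
        "size_limit": 1,
        "time_limit": timeout_s,
    }


if __name__ == "__main__":
    # Constructed sample input showing why escaping matters
    print(naive_filter("*)(uid=*"))          # matches every inetOrgPerson entry
    print(escape_filter_value("*)(uid=*"))   # \2a\29\28uid=\2a, matches nothing
    print(search_parameters("saminda"))
```

Spring Security's FilterBasedLdapUserSearch escapes the {0} parameter for you; the allow-list check is still worth doing at the application boundary so that malformed names are rejected before any directory round trip, which also keeps the queries exact and cheap.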


2nd Option - Linux installation of OpenLDAP Services

Note : There is no need to install two types of directory service; the section below is for experimentation only.

Step 1 : Installation commands

    sudo apt-get update

    sudo apt install slapd ldap-utils


Step 2 : Enable and start the service, then check its status

sudo systemctl enable slapd

sudo systemctl start slapd

systemctl status slapd


Step 3: Change the default admin password

Use the command below and enter the relevant details when prompted.

sudo dpkg-reconfigure slapd

Step 4: You can download any available LDAP admin portal that supports OpenLDAP

Follow steps similar to those used above for Apache Directory Service with Apache Directory Studio


Step 5 : You can generate OpenLDAP account password hashes using the command below

    sudo slappasswd
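Both Step 3 of creating users in Apache Directory Studio (selecting SHA as the hash method) and slappasswd here store a userPassword value in the "{scheme}base64" form. The block below is an added example, not code from the original post or from either project: it produces the unsalted {SHA} form and the salted {SSHA} form that slappasswd emits by default, and verifies a candidate password against either. The sample password "secret" is the default admin password quoted in the post; the 8-byte salt length is an assumption (slappasswd's own salt length may differ, but verification only depends on the stored value).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length; everything after it in a decoded {SSHA} value is the salt


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: the same password always yields the same string (weak, shown for contrast)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} as slappasswd emits by default: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # 8-byte random salt (assumed length)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a {SHA} or {SSHA} userPassword value using a constant-time compare."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported userPassword scheme")
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demonstration: two users with the same password get identical {SHA} values
    # but different {SSHA} values, which is why the salted scheme is the one to choose
    print(sha_hash("secret"), sha_hash("secret"))
    print(ssha_hash("secret"), ssha_hash("secret"))
    stored = ssha_hash("secret")
    print(verify_password("secret", stored), verify_password("Secret", stored))
```

The unsalted {SHA} value for a given password is the same in every directory, so it can be recognised from a precomputed table; the salted {SSHA} form defeats that. Both are SHA-1 based and fast, so where the server offers a deliberately slow scheme, prefer it; what must not happen is the clear-text storage the post warns against.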


Step 6: Install phpLDAPadmin to manage the OpenLDAP tree hierarchy

https://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page