Trick: Using LDAP to Expose your Directory to SaaS or Cloud Services

If you have Active Directory on site, or for that matter any directory server that speaks the LDAP protocol, you can use that directory as the identity source for most cloud services, and this will make your life a lot easier if it is done securely. Here are a few ideas on what you can accomplish and how best to do it. Note that this works for all of the SaaS and cloud services we offer, including McAfee Email Protection, Email Archiving, IMAP hosting, and Nagios user authentication.

  1. Account synchronization: You can keep your SaaS user logins up to date automatically. The SaaS service periodically connects over LDAP, using the connection parameters and search filter you define, and pulls the specified accounts and attributes. You can exclude users you don't want in a variety of ways; one is to use a designated attribute that records whether or not a user should sync. You may find you already have attributes (or group memberships, or an OU layout) that give you the filter you want.
  2. Password verification: Active Directory will not let passwords, or their hashes, be read or synchronized over LDAP, but the SaaS can "phone home" and verify each login with an LDAP bind against your directory. This achieves the same result and is arguably more secure, since the password database never leaves the customer site. Your users simply use their Active Directory password at the SaaS login.
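The two operations described above, the filtered sync search and the bind-based password check, are what the vendor's service performs against your directory. The following is an added example, not code from the original post or from any of the services named in it, written with .NET's LDAP client so you can run the same two operations yourself from a domain-joined host (Windows PowerShell 5.1) and see exactly what the vendor will see. The host name, search base, sync account, and the marker attribute extensionAttribute1 are assumptions for illustration.

```powershell
# Added example, not from the original post: the two operations a SaaS service
# performs against your directory (the filtered account-sync search and the
# bind-based password check), written with .NET's LDAP client so you can run
# them yourself from a domain-joined host (Windows PowerShell 5.1) and see
# exactly what the vendor will see. Host, OU, account and attribute names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = 'dc01.corp.example.com'                   # assumed domain controller
$BaseDn   = 'OU=Staff,DC=corp,DC=example,DC=com'       # assumed search base
$SyncUser = 'svc-saas-sync@corp.example.com'          # assumed read-only sync account (UPN)
$SyncPass = Read-Host -AsSecureString 'Password for the sync account'

function New-LdapsConnection([System.Net.NetworkCredential]$Credential) {
    # LDAPS on 636: the bind password and directory data are encrypted in transit.
    # A simple bind over plain LDAP on 389 would send the password in clear text.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, 636)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $auth)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()      # throws LdapException (ErrorCode 49) on invalid credentials
    return $conn
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value interpolated into a search filter. The login typed
    # into the SaaS sign-in form is untrusted input; without this, a "name" such as
    # "*" or "jdoe)(memberOf=..." rewrites the filter. Backslash goes first so the
    # other escape sequences are not double-escaped.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Search-Directory($Conn, [string]$Filter, [string[]]$Attributes) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDn
    $req.Filter = $Filter
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req.Attributes.AddRange($Attributes)
    return [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($req)
}

function Get-SyncCandidates {
    # Account sync: read only users tagged for sync (assumed marker attribute
    # extensionAttribute1), skip disabled accounts via the bitwise matching rule
    # 1.2.840.113556.1.4.803 on userAccountControl (bit 2 = ACCOUNTDISABLE), and
    # request only the attributes the SaaS needs. Nothing is written.
    $filter = '(&(objectCategory=person)(objectClass=user)(extensionAttribute1=SaaSSync)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $attrs  = [string[]]('sAMAccountName', 'mail', 'displayName')
    $conn = New-LdapsConnection (New-Object System.Net.NetworkCredential($SyncUser, $SyncPass))
    try {
        foreach ($e in (Search-Directory $conn $filter $attrs).Entries) {
            [pscustomobject]@{
                Login = [string]$e.Attributes['sAMAccountName'][0]
                Mail  = [string]$e.Attributes['mail'][0]
                Name  = [string]$e.Attributes['displayName'][0]
            }
        }
    } finally { $conn.Dispose() }
}

function Test-UserPassword([string]$Login, [string]$Password) {
    # Guard first: an LDAP simple bind with an EMPTY password is an anonymous bind
    # (RFC 4513 section 5.1.2) and succeeds, so it must never count as a verified login.
    if ([string]::IsNullOrEmpty($Password)) { return $false }

    # Step 1: resolve the login to a DN with the read-only account and an escaped filter.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Login)))"
    $conn = New-LdapsConnection (New-Object System.Net.NetworkCredential($SyncUser, $SyncPass))
    try     { $entries = (Search-Directory $conn $filter ([string[]]@('distinguishedName'))).Entries }
    finally { $conn.Dispose() }
    if ($entries.Count -ne 1) { return $false }          # unknown or ambiguous login

    # Step 2: bind AS the user. The DC checks the password; no hash ever leaves the directory.
    try {
        $cred = New-Object System.Net.NetworkCredential($entries[0].DistinguishedName, $Password)
        (New-LdapsConnection $cred).Dispose()
        return $true
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ErrorCode -eq 49) {
            return $false                                    # 49 = invalidCredentials
        }
        throw    # anything else (DC unreachable, TLS failure) is an error, not a wrong password
    }
}

Get-SyncCandidates | Format-Table -AutoSize
Test-UserPassword -Login 'jdoe' -Password (Read-Host 'Password to verify for jdoe')
```

Two details are worth checking in whatever the vendor actually runs: that the login name is escaped before it goes into the search filter, and that an empty password is rejected before any bind is attempted, because a simple bind with an empty password is treated as anonymous and returns success rather than invalidCredentials.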

To do this securely, you want to make sure of a few things:

  1. Be careful opening up your firewall: Lock down access to your server to only the IP space of the SaaS or cloud vendor. You are exposing your LDAP/Active Directory server to the Internet, so restrict it to exactly those who need it, and expose only the TLS-protected service (LDAPS on 636, or LDAP with StartTLS); a simple bind over plain LDAP on 389 sends the password in clear text.
  2. Use least privilege for remote LDAP access: Grant the account that does the sync the least privilege possible. Most of the time it will only need read access, since this is a one-way synchronization; write access should be forbidden. Read access to sensitive attributes (such as a social security number) should also be denied to the synchronization account.
  3. Practice good password policies: Choose a very long, randomly generated password and put its rotation on a schedule, remembering that the copy held by the vendor must be updated at the same time. (See our previous post on this at http://www.rexconsulting.net/tip-tiered-passwords-emails.html.)
  4. Audit and review periodically: Include this interface in your security reviews. Validate the settings, accesses, and firewall rules thoroughly and on a regular schedule.
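The four points above, carried out on the directory side, as an added example that is not part of the original post: it creates the firewall rule scoped to the vendor's addresses, generates the sync account with a long random password, denies that account read access to a sensitive attribute, and defines a review report so the same facts are checked each time. It assumes a Domain Admin session on a domain controller (Windows PowerShell 5.1 with the ActiveDirectory and NetSecurity modules); the vendor address ranges, NetBIOS domain, OU paths, account name, and the attribute employeeID standing in for SSN-class data are all assumptions.

```powershell
# Added example, not from the original post: directory-side hardening for the four
# points above, run as a Domain Admin on a domain controller (Windows PowerShell 5.1
# with the ActiveDirectory and NetSecurity modules). Vendor address ranges, NetBIOS
# domain, OU paths, account and attribute names are assumptions.
Import-Module ActiveDirectory

$VendorRanges  = @('198.51.100.0/24', '203.0.113.10')   # assumed vendor egress ranges (documentation prefixes)
$RuleName      = 'LDAPS inbound from SaaS vendor'
$Domain        = 'CORP'                                 # assumed NetBIOS domain name
$SyncSam       = 'svc-saas-sync'
$SyncUpn       = "$SyncSam@corp.example.com"
$SvcOu         = 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'
$StaffOu       = 'OU=Staff,DC=corp,DC=example,DC=com'
$SensitiveAttr = 'employeeID'                           # assumed attribute holding SSN-class data
$RotationDays  = 90

# 1. Firewall: only the vendor's addresses may reach LDAPS (636) on this DC. Nothing is
#    opened on 389: a simple bind over plain LDAP sends the password in clear text.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 636 `
    -RemoteAddress $VendorRanges -Action Allow -Profile Any | Out-Null

# 3. Password policy: long and random, from the OS CSPRNG. The 64-symbol alphabet divides
#    256 evenly, so indexing with a raw byte introduces no modulo bias.
function New-RandomPassword([int]$Length = 48) {
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes    = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# 2. Least privilege: a plain user in its own OU with no group memberships, so it has only
#    the default read view of other objects and can write nothing; then explicitly deny it
#    Read Property on the sensitive attribute of every user object under the staff OU.
#    Expiry is left to the rotation schedule rather than the domain password policy,
#    because a silent policy expiry breaks the vendor's sync instead of prompting anyone.
$password = New-RandomPassword
New-ADUser -Name $SyncSam -SamAccountName $SyncSam -UserPrincipalName $SyncUpn -Path $SvcOu `
    -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true `
    -Description "Read-only LDAP sync/auth for SaaS vendor; rotate every $RotationDays days"
dsacls $StaffOu /I:S /D "$Domain\${SyncSam}:RP;$SensitiveAttr;user" | Out-Null
Write-Host "Enter this password in the vendor console now; it is not stored anywhere here: $password"

# 4. Audit and review: one function that reports the facts the review should check,
#    so the same things are looked at every time (firewall scope, password age,
#    group memberships, explicit ACEs for the account).
function Get-SaasLdapReview {
    $fw   = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
    $acct = Get-ADUser $SyncSam -Properties PasswordLastSet, LastLogonDate, MemberOf
    $age  = (Get-Date) - $acct.PasswordLastSet
    $aces = (Get-Acl "AD:\$StaffOu").Access | Where-Object { $_.IdentityReference -like "*\$SyncSam" }
    [pscustomobject]@{
        AllowedRemoteAddresses = $fw.RemoteAddress          # must still equal the vendor's published ranges
        PasswordAgeDays        = [int]$age.TotalDays
        RotationOverdue        = $age.TotalDays -gt $RotationDays
        LastLogon              = $acct.LastLogonDate        # should track the vendor's sync schedule
        GroupMemberships       = $acct.MemberOf             # should be empty (the primary group is not listed)
        ExplicitAces           = $aces | Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType
    }
}

Get-SaasLdapReview | Format-List
```

Run Get-SaasLdapReview as part of each periodic review: RotationOverdue flags a password past its schedule, GroupMemberships should stay empty, AllowedRemoteAddresses should still match the ranges the vendor publishes, and ExplicitAces should show exactly one Deny entry (the sensitive attribute) and no Allow entries granting write rights.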

© Copyright 2019 Rex Consulting, Inc. - All rights reserved

From an early age, Chris Paul moved frequently because his father was in the US Air Force. He was born in Germany, then moved to Alabama, Maryland, and Naples, Italy, and has lived in California since high school, with many Christmas seasons spent in Pittsburgh, PA, the home of his grandparents.
