Notes about Active Directory integration using LDAP
I'd like to share few notes about integration into Active Directory using LDAP:
- LDAP is a directory access protocol that is used for authorisation, not an authentication protocol. Think about user who are not using passwords but smart cards or RSA SecurID one-time passwords for authentication. Even if there aren't any, there might be in future - therefore make sure authentication system is effectively separated from authorisation subsystem;
- For example, if your Web application requires a client certificate to connect, use PKI trust and don't try to match the user certificate with their userCertificate attribute in AD (which is for S/MIME);
- Make sure that upon authentication a unique attribute is used for directory lookups. Note that commonName and sAMAccountName both arent unique in AD, and UPN is;
- Do not ever use organisational units (that is, location in the directory tree) for granting access. Use groups and group membership instead;
- Make sure that you check that user account isn't locked out or disabled. Microsoft KB article How to query Active Directory by using a bitwise filter describes the LDAP query format for that. UF_ACCOUNTDISABLED and UF_LOCKOUT are the bits to look for.
Don't oversecure LDAP. It's the enterprise address book - think of Yellow Pages when you design security solutions using LDAP.