LDAPS – Security & Enables Additional Features
By enabling LDAPS on an Active Directory Domain Controller, Foldr can be configured to authenticate users securely over LDAP using SSL on port 636. Along with the security benefits this brings, the following additional password features then become available within Foldr:
- Password Control
- Delegated Password Control
- Self Service Password Reset
LDAPS is typically enabled automatically on a Windows domain controller once the Domain Certificate Services >> Enterprise CA role has been installed via Server Manager. However, there are considerations to be made before introducing this into your AD infrastructure. LDAPS can also be enabled by installing a signed certificate obtained from a recognised certificate authority.
Password Control
Allows users to change their own Active Directory password from within Foldr itself, using the web interface or the iOS or Android apps. Likewise, if the user's password has expired or is set to change at next logon, they will be prompted to change the password when they sign in to any of the Foldr apps (web, mobile or desktop).
To enable the feature:
- Ensure the domain controller is configured to accept LDAPS connections on port 636 (use the LDP utility on the Windows DC to confirm)
- Configure the LDAP Server within Foldr Settings >> General >> LDAP Server to use the prefix ldaps://
- Enable Password Control within Foldr Settings >> Security >> Password Settings
In addition to password reset, Foldr handles password expiration gracefully and respects the complexity requirements set by an organisation's password policy. When a password expires, the user is prompted to change it from the Foldr interface (web, iOS or Android).
Enforcing the use of strong passwords
Foldr will respect any password policies set on the domain in Active Directory; however, the Foldr administrator can also apply password policies in Foldr that affect both domain accounts and local accounts on the appliance itself. To configure a password policy in Foldr, navigate to Foldr Settings >> Security >> Password Policies. Policies can be applied to all users, to specific groups or to individual accounts as required.
By integrating with a third party service, Foldr can prevent users from choosing weak passwords when they change their password through any of the Foldr apps. A weak password is one that has previously been exposed in a data breach of any other service.
This feature can be enabled within Foldr Settings >> Services >> Pwned Passwords and more detailed information is available here in this dedicated blog post.
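As an added illustration of the policy check and breach lookup described above (example code, not Foldr's own implementation), the following Python combines a local complexity rule with the k-anonymity range query exposed by the Pwned Passwords service: only the first five hex characters of the password's SHA-1 hash leave the appliance, and the full hash is compared locally against the returned suffixes. The API URL and `Add-Padding` header are the public Pwned Passwords interface; the length and character-class rules, and the constructed offline range data used in place of a live query, are assumptions made for the example.

```python
"""Password acceptance check: local policy plus a Pwned Passwords range lookup.
Added example, not Foldr's own code. Only a 5-character SHA-1 prefix is sent."""
import hashlib
import re
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Download the range for a 5-char prefix. Add-Padding hides the true result
    size from a network observer; padded lines carry a count of 0."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "ldaps-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_split(password)
    for line in fetch(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix.upper() == suffix:
            return int(count or 0)
    return 0


def check_password(password: str, min_length: int = 12, fetch=fetch_range) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    The local rules stand in for a Foldr password policy (assumed values); the
    AD domain policy is still enforced by the DC when the change is written."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    count = breach_count(password, fetch)
    if count:
        problems.append("seen %d times in known data breaches" % count)
    return problems


# Constructed offline stand-in for the range API, keyed by prefix. The first
# suffix is the real SHA-1 of "password"; the counts are made-up sample values.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:0\n",
}


def fake_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range used when running without network."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery-7"):
        print(candidate, "->", check_password(candidate, fetch=fake_fetch) or "accepted")
```

Swap `fake_fetch` for the default `fetch_range` to query the live service; the comparison of the full suffix always happens locally, so the service never learns which password was checked.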
Delegated Password Reset
Allows trusted users or groups of users to reset nominated domain users' passwords from the web app. This could be useful in an educational environment, allowing teachers to securely reset student passwords, or designated staff to assist with password resets without involving the IT help desk.
This feature is disabled by default. To enable this feature:
- Ensure the domain controller is configured to accept LDAPS connections on port 636 (use the LDP utility on the Windows DC to confirm)
- Configure the LDAP Server within Foldr Settings >> General >> LDAP >> LDAP Server to use the prefix ldaps://
- Enable Password Control within Foldr Settings >> Security >> Password Settings >> Delegated Password Control
- Ensure that the main service account set in Foldr Settings >> General >> LDAP has permission to reset users' passwords in the OU(s) containing the user accounts involved
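Both the Password Control and Delegated Password Control procedures above hinge on the same two checks: the LDAP Server value must carry the ldaps:// prefix, and the domain controller must complete a TLS handshake on port 636 with a certificate the Foldr appliance trusts. The following Python pre-flight script (an added example, not part of the original article or Foldr's own tooling) performs those checks from any host that can reach the DC; the hostname dc1.example.local and the optional CA file path are placeholders.

```python
"""Pre-flight check for the Foldr 'LDAP Server' setting: confirm the value uses
ldaps:// and that the DC completes a verified TLS handshake on port 636.
Added example, not Foldr's own code."""
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_ldap_server(setting: str) -> tuple:
    """Split the LDAP Server value into (host, port, uses_tls).

    'ldaps://dc1.example.local'    -> ('dc1.example.local', 636, True)
    'ldap://dc1.example.local:389' -> ('dc1.example.local', 389, False)
    A bare hostname is treated as plain ldap:// on 389, which is exactly the
    setting that leaves the password features unavailable.
    """
    if "://" not in setting:
        setting = "ldap://" + setting
    parts = urlsplit(setting)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %s" % parts.scheme)
    uses_tls = parts.scheme == "ldaps"
    port = parts.port or (636 if uses_tls else 389)
    return parts.hostname, port, uses_tls


def check_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection to the DC and return certificate details.

    cafile should point at the Enterprise CA root (PEM) when it is not already
    in the system trust store. Chain or hostname failures raise
    ssl.SSLCertVerificationError, the same failure Foldr hits when binding.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "not_after": cert.get("notAfter"),
                "protocol": tls.version(),
            }


def preflight(setting: str, cafile=None) -> list:
    """Return a list of problems with the LDAP Server setting; empty means OK."""
    host, port, uses_tls = parse_ldap_server(setting)
    problems = []
    if not uses_tls:
        # No network call is made: plain ldap:// can never satisfy the requirement.
        problems.append("LDAP Server must use the ldaps:// prefix (currently plain LDAP on port %d)" % port)
        return problems
    try:
        details = check_ldaps(host, port, cafile=cafile)
    except ssl.SSLCertVerificationError as exc:
        problems.append("certificate not trusted for %s: %s" % (host, exc.verify_message))
    except (OSError, ssl.SSLError) as exc:
        problems.append("cannot complete TLS handshake with %s:%d: %s" % (host, port, exc))
    else:
        print("OK: %s:%d %s, SAN=%s, expires %s" % (
            host, port, details["protocol"], details["dns_names"], details["not_after"]))
    return problems


if __name__ == "__main__":
    # Placeholder DC name; pass the real FQDN and, optionally, the CA PEM path.
    setting = sys.argv[1] if len(sys.argv) > 1 else "ldaps://dc1.example.local"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for problem in preflight(setting, ca):
        print("PROBLEM:", problem)
```

Use the DC's fully qualified name rather than its IP address, because hostname verification matches against the DNS names in the certificate's SAN; an IP address fails that check and Foldr will fail the same way. If the certificate was issued by your Enterprise CA, supply its root certificate as the second argument (or install it in the appliance's trust store) so the chain verifies.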
Using the delegated password reset feature, the trusted user sets a new static password and can optionally select 'must change password at next login'.
A dedicated setup article for delegated password control is available here.
Self Service Password Reset
Allows users to securely change their own Active Directory password. A dedicated setup article for SSPR is available here.