LDAPS Benefits & Password Features

Posted on 7th December 2016

LDAPS – Security & Enables Additional Features

By enabling LDAPS on an Active Directory Domain Controller, Foldr can be configured to authenticate users securely over SSL port 636.  Along with the security benefits that this brings, additional password management features are also then available within Foldr:

  • Password Control
  • Delegated Password Control
  • Self Service Password Reset

Enabling LDAPS on the Domain Controller is beyond the scope of this KB article, however the following links provide useful information regarding the two common methods of activating this feature:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc

 

Password Control

Allows users to change their own Active Directory password from within Foldr itself using the web interface or the iOS or Android apps.  Likewise, if the users password has expired or is set to change at next logon then they will be prompted to change the password when the sign into any of the Foldr apps (web, mobile or desktop)

To enable the feature:

  1.  Ensure the domain controller is configured to accept LDAPS connections on port 636 (Use LDP utility on the Windows DC)
  2.  Configure the LDAP Server within Foldr Settings >> General >> LDAP Server to use the prefix ldaps:// 
  3.  Enable Password Control within Foldr Settings >> Security >> Password Settings

password5

In addition to password reset, Foldr will handle password expiration gracefully and respects complexity required set by an organisation’s password policy.  In the event of a password expiring, the user will be prompted to change their password from the Foldr interface (web, iOS or Android)

Enforcing the use of strong passwords

Foldr will respect any password policies set on the domain in Active Directory, however the Foldr administrator can also apply password policies in Foldr to affect both domain and local accounts on the appliance itself. To configure a password policy in Foldr, navigate to Foldr Settings >> Security >> Password Policies.  Policies can be set to apply to all users or specific groups or individual accounts as required.

Pwned Passwords

By integrating with a third party service, Foldr is able to prevent users from choosing weak passwords when they change their password through any of the Foldr apps.  A weak password is considered to be one that has has previously been exposed in a data breach of any other service.

This feature can be enabled within Foldr Settings >> Services >> Pwned Passwords and more detailed information is available here in this dedicated blog post.

Delegated Password Reset

Allows trusted users or groups of users to reset nominated domain users passwords from the web app.  This could be useful in an educational environment allowing teachers to securely reset student passwords or designated staff to assist with password reset without involving the IT help desk.

This feature is disabled by default.  To enable this feature:

  1.  Ensure the domain controller is configured to accept LDAPS connections on port 636 (Use LDP utility on the Windows DC)
  2.  Configure the LDAP Server within Foldr Settings >> General >> LDAP >> LDAP Server to use the prefix ldaps://
  3.  Enable Password Control within Foldr Settings >> Security >> Password Settings >> Delegated Password Control
  4. Ensure that the main service account set in Foldr Settings >> General >> LDAP has permission to reset users passwords in the OU(s) containing the user accounts involved

A new static password may be set by the trusted user using the delegated password reset feature and can optionally select the ‘must change password at next login’.

password2

A dedicated setup article for delegated password control is available here

Self Service Password Reset

Allows users to securely change their own Active Directory password.  A dedicated setup article for SSPR is available here

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io