LDAPS – Security & Enables Additional Features
By enabling LDAPS on an Active Directory Domain Controller, Foldr can be configured to authenticate users securely over LDAP using SSL port 636. Along with the security benefits that this brings, additional password features are also then available within Foldr:
Enabling LDAPS on a Windows domain controller is typically done by default after installing the Domain Certificate Services >> Enterprise CA role in Server Manager. However, there are considerations to be made when enabling this in your AD infrastructure. It can also be achieved by installing signed certificates obtained via a recognised certificate authority:
Allows users to change their own Active Directory password from within Foldr itself using the web interface or the iOS or Android apps. Likewise, if the users password has expired or is set to change at next logon then they will be prompted to change the password when the sign into any of the Foldr apps (web, mobile or desktop)
To enable the feature:
In addition to password change, Foldr will handle password expiration gracefully and will respects password policies/complexity set on the domain. In the event of a password expiring, the user will be prompted to change their password from the Foldr interface (web, desktop or mobile apps)
Foldr will respect any password policies set on the domain in Active Directory, however, the Foldr administrator can also apply password policies in Foldr to affect both domain and local accounts on the appliance itself. To configure a password policy in Foldr, navigate to Foldr Settings >> Security >> Password Policies. Policies can be set to apply to all users or specific groups or individual accounts as required.
By integrating with a third-party service, Foldr is able to prevent users from choosing weak passwords when they change their passwords through any of the Foldr apps. A weak password is considered to be one that has previously been exposed in a data breach of another other service.
This feature can be enabled within Foldr Settings >> Integrations>> Pwned Passwords and more detailed information is available here in this dedicated blog post.
Password hashes are checked against the haveibeenpwned.com service when using password reset, delegated reset and self-service reset.
Allows trusted users or groups of users to reset nominated domain users passwords from the web app. This could be useful in an educational environment allowing teachers to securely reset student passwords or designated staff to assist with password reset without involving the IT help desk.
This feature is disabled by default. To enable this feature:
A new static password may be set by the trusted user using the delegated password reset feature and can optionally select the ‘must change password at next login’ and ‘unlock account’.
A dedicated setup article for delegated password reset/password control is available here
Allows users to securely change their own Active Directory password. A dedicated setup article for SSPR is available here
Get in touch and we'll be happy to assist you, [email protected]
© Minnow IT. Registered in England and Wales with company number 07970411.
Made with in Bristol, UK