Do you need to set password complexity for LDAP resources? Chances are, your organization is concerned with the threat of identity breach, so upping user password complexity requirements makes a great deal of sense. Although it’s certainly possible to configure password complexity settings with LDAP, it’s not as straightforward as one might think.
Password Complexity in LDAP Implementations
Historically, the two most popular implementations of LDAP have been OpenLDAP™, the open-source hub for LDAP, and Microsoft® Active Directory®, the Windows®-centric commercial directory service. When it comes to setting password complexity between the two, the approach is varied.
For OpenLDAP, password complexity is set at the user account level. As you can imagine, as an open source protocol and open source server implementation, there are a wide range of configurable password complexity options. IT admins can generally use commands in OpenLDAP to adjust how complex their organization’s passwords are. The most popular repository of commands was the draft-behera-ldap-password-policy until it became defunct upon its expiry in 2010.
Although OpenLDAP is capable of high configurability, with greater flexibility often comes greater configuration and management. This is true of the notoriously technical OpenLDAP in general, and their password complexity features are no different.
Active Directory (AD) is not technically a dedicated LDAP instance like OpenLDAP, but the directory service itself can leverage the protocol, allowing users to authenticate to LDAP resources using their AD identities. Password complexity in AD is usually managed in one of two ways.
The first method is via the Windows Default Password Policy. This inherent feature in Windows offerings uses fairly industry-standard conventions for password complexity. The two core requirements are that the password cannot match the username and the password must include three different character types, including upper and lower case letters, numbers, special characters, etc. This policy is applied to users through a Group Policy Object (GPO).
The second method is through a Fine Grained Password Policy (FGPP). An FGPP is a configurable requirement that is acted directly on the user or object. As such, admins can adjust (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/ldap-password-complexity/