Understanding passwords with LDAP-based security

Enterprise Server integrates with LDAP servers to provide security using the MLDAP ESM Module, one of the available External Security Manager (ESM) modules for the External Security Feature (ESF). There are a number of ways that password-based authentication can be implemented using LDAP.

When the MLDAP ESM Module provides user authentication for Enterprise Server, it must verify the userid and password (sometimes referred to as credentials) supplied to ESF by an Enterprise Server component, and ultimately by the user. The module supports a variety of authentication processes, depending on its configuration.

Mode

Authentication in the MLDAP ESM Module is performed in one of two main ways:

  • By checking the password against a verifier within the module itself, or
  • By binding to the LDAP server using the supplied credentials.

The "mode" setting in the "[Verify]" section of the Configuration Information field determines which method is used. With mode=MF-hash (the default), the module retrieves the verifier from the LDAP repository and checks the supplied password against it; with mode=bind, it uses the binding method.

Note: A given security manager can operate in only one of the two modes. If the ESF configuration includes multiple security managers that use the MLDAP ESM Module, each can use a different mode.

In the MF-hash mode, each user object in the LDAP repository holds a password verifier string for that user. Typically, this is a salted cryptographic hash of the user's password. The module retrieves the verifier for the named user from the repository, computes a hash of the same type from the supplied password and the same salt as used in the verifier, and compares the result with the verifier. If they match, the password is correct.

Bind mode, on the other hand, asks the LDAP server to validate the user's credentials. An LDAP bind operation is equivalent to signing on to the LDAP server. The module makes a bind request using the supplied userid and password, and its success indicates the credentials were accepted by the LDAP server.

LDAP servers can delegate authentication to other systems. This is transparent to the MLDAP ESM Module.

Bind-mode verification is often useful where LDAP-server authentication is integrated into identity systems, or where the LDAP server is already used to authenticate users, and you would like to use existing user accounts and credentials as Enterprise Server users. However, this has certain disadvantages. As more processing is involved, Enterprise Server signons might be slower with bind-mode verification. Diagnostics are limited; the MLDAP ESM Module will often not be able to distinguish among different types of authentication failures (incorrect password, account locked out, and so on). And changing passwords is more complex and more likely to fail. See Changing passwords with the MLDAP ESM Module for more information.
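The limited diagnostics of bind mode, and the "bind failure analysis" option described later under Configuration options, can be illustrated with a short script. The following Python is an added example and is not code from the MLDAP ESM Module or the product: it shows what can be inferred from an LDAP bind result. A generic LDAP server returns only result code 49 (invalidCredentials) for a rejected simple bind, so a wrong password and a locked account look identical; Active Directory also places a hexadecimal sub-code ("data 52e", "data 775", and so on) in its diagnostic message, which an analyser can map to a probable reason. The sub-code meanings are the documented Windows values; the sample bind records and the "user recoverable" classification are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Active Directory diagnostic messages look like (constructed sample; DSID and version vary):
#   "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"
# The sub-code after "data" is what distinguishes the failure types.
AD_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Assumption for this example: sub-codes the user can recover from by supplying a
# correct or new password; anything else needs an administrator.
USER_RECOVERABLE = {"52e", "532", "773"}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass
class BindAnalysis:
    result_code: int
    reason: str
    user_recoverable: bool


def analyse_bind_failure(result_code: int, diagnostic: Optional[str]) -> BindAnalysis:
    """Infer the most probable reason a bind was rejected."""
    if result_code == 0:
        return BindAnalysis(0, "bind succeeded", False)
    if result_code != 49:
        return BindAnalysis(result_code, f"LDAP error {result_code}", False)
    match = _DATA_RE.search(diagnostic or "")
    if match is None:
        # No vendor detail: a wrong password and a locked account are indistinguishable.
        return BindAnalysis(49, "invalid credentials (no further detail available)", True)
    sub = match.group(1).lower()
    reason = AD_SUBCODES.get(sub, f"unrecognised sub-code {sub}")
    return BindAnalysis(49, reason, sub in USER_RECOVERABLE)


def summarise_bind_log(records: List[Tuple[str, int, Optional[str]]]) -> Dict[str, Dict[str, int]]:
    """Count inferred failure reasons per userid so an operator can see which
    accounts are locked out or expired rather than simply mistyped."""
    summary: Dict[str, Dict[str, int]] = {}
    for user, code, diag in records:
        analysis = analyse_bind_failure(code, diag)
        if analysis.result_code == 0:
            continue
        per_user = summary.setdefault(user, {})
        per_user[analysis.reason] = per_user.get(analysis.reason, 0) + 1
    return summary


# Constructed sample bind log: (userid, LDAP result code, diagnostic message or None).
SAMPLE_BIND_LOG = [
    ("alice", 49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"),
    ("alice", 49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580"),
    ("bob", 49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580"),
    ("carol", 49, None),  # generic server: result code only
    ("dave", 0, None),
]

if __name__ == "__main__":
    for user, reasons in summarise_bind_log(SAMPLE_BIND_LOG).items():
        print(user, reasons)
```

Note that the "carol" record shows the limitation the text describes: with no vendor-specific detail, the analyser can say nothing more than "invalid credentials", which is why bind-mode return codes are less specific than MF-hash-mode ones.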

Password-verifier types

The MLDAP ESM Module supports various types of password verifiers. Some of these are generated and processed by the module itself, in MF-hash mode. Others are created by or for the LDAP server when performing a password change in bind mode, and are processed (for authentication) by the LDAP server or some authentication system it uses.

It is not an error to configure a password type which does not correspond to the authentication mode, such as password type "AD" with MF-hash mode or password type "MF-A2" with bind mode. Nor is it an error to configure a password type which is not normally supported by the LDAP server, such as the AD type with an OpenLDAP server. Such combinations are generally not useful, however, and the administrator should ensure that the combination of authentication mode and password type is prudent.

Note: The password type only applies when a user requests a password change. When authenticating user credentials, the type of the existing password verifier is determined automatically.

Internal verifier types (MF-hash mode)

The verifiers supported by the module in MF-hash mode are prefixed with a scheme name and a colon, followed by data, which can include parameters (such as salt) in addition to the verifier data proper.

The supported schemes include:

literal:
This scheme's data is the verbatim password. It is typically used for testing and should be avoided in production systems, since anyone with read access to the user object in the LDAP repository can trivially recover the password.
MF-MD5:
A salted MD5 hash. This was the default verifier type in older product versions. It is now deprecated, due to the ease of brute-forcing MD5 hashes of short passwords.
MF-A2:
A salted Argon2 hash. Argon2 is a strong, memory-hard (deliberately expensive) password-hash algorithm which resists brute-force attacks. This is the default verifier type in more recent product versions.
MF-MD5A2:
An Argon2 hash of a MF-MD5 verifier. This type exists to ease migration from MF-MD5 verifiers to Argon2 verifiers.

In MF-hash mode the password verifier is held in the microfocus-MFDS-User-Pwd attribute. Because each verifier specifies its type, different users can have verifiers of different types.
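The verifier-string handling described above (a scheme prefix, a colon, then salt and hash data) and the MF-MD5 to MF-MD5A2 to MF-A2 migration path can be demonstrated end to end. The following Python is an added example, not the MLDAP ESM Module's own code: the exact field layouts of MF-MD5, MF-A2 and MF-MD5A2 are not documented on this page, so the layout used here is constructed, and because Argon2 is not in the Python standard library, hashlib.scrypt (also a memory-hard hash) stands in for Argon2. The example shows the three things the text describes: verifying a password against a verifier of whatever type is stored, wrapping an existing MF-MD5 verifier into an MF-MD5A2 one offline without knowing the password, and re-hashing to MF-A2 at sign-on when the plaintext is available (the idea behind the "migrate passwords" option under Configuration options).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed verifier layout used throughout this example (not the module's real encoding):
#   literal:<password>
#   MF-MD5:<salt-hex>$<md5-hex>
#   MF-A2:<salt-hex>$<strong-hex>
#   MF-MD5A2:<md5-salt-hex>$<outer-salt-hex>$<strong-hex>
# hashlib.scrypt stands in for Argon2 (assumption; Argon2 is not in the standard library).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _md5_digest(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def _strong_digest(data: bytes, salt: bytes) -> bytes:
    # Memory-hard hash standing in for Argon2.
    return hashlib.scrypt(data, salt=salt, **SCRYPT_PARAMS)


def _encode(scheme: str, *fields: bytes) -> str:
    return scheme + ":" + "$".join(f.hex() for f in fields)


def make_verifier(password: str, scheme: str = "MF-A2", salt: Optional[bytes] = None) -> str:
    """Build the verifier string a password change would store for a new password."""
    salt = os.urandom(16) if salt is None else salt
    if scheme == "literal":
        return "literal:" + password
    if scheme == "MF-MD5":
        return _encode(scheme, salt, _md5_digest(password, salt))
    if scheme == "MF-A2":
        return _encode(scheme, salt, _strong_digest(password.encode("utf-8"), salt))
    raise ValueError(f"unsupported scheme {scheme!r}")


def wrap_md5_verifier(md5_verifier: str, salt: Optional[bytes] = None) -> str:
    """Offline migration MF-MD5 -> MF-MD5A2: strong-hash the existing MF-MD5 verifier
    string itself, which needs no knowledge of the password. The MD5 salt is carried
    along so the inner verifier can be recomputed from the password at sign-on."""
    scheme, _, data = md5_verifier.partition(":")
    if scheme != "MF-MD5":
        raise ValueError("only MF-MD5 verifiers can be wrapped")
    md5_salt = bytes.fromhex(data.split("$")[0])
    salt = os.urandom(16) if salt is None else salt
    return _encode("MF-MD5A2", md5_salt, salt, _strong_digest(md5_verifier.encode("utf-8"), salt))


def verify(password: str, verifier: str) -> bool:
    """Check a password against a stored verifier; the scheme prefix selects the method."""
    scheme, _, data = verifier.partition(":")
    try:
        if scheme == "literal":
            return hmac.compare_digest(password.encode("utf-8"), data.encode("utf-8"))
        fields = [bytes.fromhex(f) for f in data.split("$")]
        if scheme == "MF-MD5":
            salt, digest = fields
            return hmac.compare_digest(_md5_digest(password, salt), digest)
        if scheme == "MF-A2":
            salt, digest = fields
            return hmac.compare_digest(_strong_digest(password.encode("utf-8"), salt), digest)
        if scheme == "MF-MD5A2":
            md5_salt, salt, digest = fields
            inner = _encode("MF-MD5", md5_salt, _md5_digest(password, md5_salt))
            return hmac.compare_digest(_strong_digest(inner.encode("utf-8"), salt), digest)
    except ValueError:
        pass  # malformed hex or wrong number of fields
    return False  # unknown scheme or malformed verifier


def verify_and_migrate(password: str, verifier: str) -> Tuple[bool, Optional[str]]:
    """Sign-on check that also upgrades legacy verifiers: once the password has been
    verified the plaintext is in hand, so a fresh MF-A2 verifier can be written back."""
    ok = verify(password, verifier)
    if ok and not verifier.startswith("MF-A2:"):
        return True, make_verifier(password, "MF-A2")
    return ok, None
```

The two-step migration matters because an MF-MD5 verifier cannot be turned into an MF-A2 one without the password: MF-MD5A2 removes the fast-to-brute-force MD5 value from the directory immediately, and the per-user re-hash to MF-A2 then happens whenever that user next signs on.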

External verifier types (bind mode)

In bind mode, the actual verifier used by the LDAP server (or external identity system) is outside the scope of the MLDAP ESM Module. However, LDAP servers offer various mechanisms for setting passwords, and these are also treated as "password types" by the module. In some cases this "password type" can determine what type of verifier is stored by the LDAP server.

The supported mechanisms for setting passwords in LDAP servers are:

AD:
This uses Microsoft's password-change mechanism for Active Directory and AD LDS. It involves sending a special LDAP message which causes AD to validate the request and then, if the account represents a Windows user, perform a Windows local or domain password change as appropriate, or otherwise update the user object's password. See Changing passwords with the MLDAP ESM Module for more information.
MD5:
This mechanism follows the format defined in RFC 2307 to set a password verifier as an MD5 hash. Micro Focus recommends that you do not use this type of verifier for production environments.
SSHA512:
This is another RFC 2307 password-change type which uses a salted SHA-512 hash.
Plain:
The RFC 2307 password attribute is updated with the verbatim new password. Normally this would be insecure, but some servers can be configured to process this update specially by generating a strong hash from the supplied data.

Password constraints

The MLDAP ESM Module can be configured to apply various constraints on new passwords when a password change is requested. These include minimum and maximum length, character sets (alphabetic, numeric, and so forth) and complexity, and password history. The password-history constraint relies on the module being able to save hashes of old passwords in the user object in LDAP, which is not always possible, depending on the LDAP server and security manager configurations.

These constraints are applied before attempting to change the password and apply to both authentication modes (MF-hash and bind) and all password types.

When an external password type is configured, the LDAP server can apply its own constraints. For example, with the AD password type, Active Directory will enforce all password constraints configured for the domain, such as complexity and password history.

LDAP servers or other security systems can impose other constraints beyond those configured by the administrator. For example, Active Directory usually only allows one password change every 24 hours for a given account.

Configuration options

There are various configuration options for the MLDAP ESM Module which affect password validation and password changes.

[Passwords] section

Password-related options in the [Passwords] section include:

expiration
Sets the expiration interval for new passwords. Only applies in MF-hash mode.
bind failure analysis
Attempts to determine the most probable reason why a bind was rejected, and sets the return codes accordingly so applications can take the required action.
Note: This only applies in bind mode.
expiration-check
A historical alias for bind failure analysis.
history
Enables password history and sets the number of password hashes to store. A new password which matches a stored password is rejected.
minimum length and maximum length
Constraints on the length of a new password.
required and complexity
Constraints on the complexity of a password.
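The constraints described under Password constraints and configured through the [Passwords] options above (minimum length, maximum length, required, complexity, history) can be modelled in a few dozen lines. The following Python is an added example, not the MLDAP ESM Module's own implementation: the option names mirror the keys on this page, but the default values, the interpretation of "complexity" as a count of distinct character classes, and the SHA-256-based history entries are assumptions made for the example. It shows why the history constraint needs somewhere to store hashes of old passwords, and that those entries never contain the passwords themselves.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple

# Assumptions for this example: defaults and the meaning of "complexity" are not the
# module's documented semantics; only the option names come from the [Passwords] section.
@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    maximum_length: int = 64
    required: Tuple[str, ...] = ("alpha", "digit")  # classes every new password must contain
    complexity: int = 3                              # distinct character classes needed overall
    history: int = 5                                 # number of old password hashes retained


CHARACTER_CLASSES = {
    "alpha": str.isalpha,
    "digit": str.isdigit,
    "upper": str.isupper,
    "lower": str.islower,
    "symbol": lambda ch: not ch.isalnum() and not ch.isspace(),
}

HistoryEntry = Tuple[bytes, bytes]  # (salt, sha256(salt + password))


def _history_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def check_new_password(new: str, policy: PasswordPolicy, history: List[HistoryEntry]) -> List[str]:
    """Return a list of violation codes; an empty list means the password is acceptable."""
    errors: List[str] = []
    if len(new) < policy.minimum_length:
        errors.append("too-short")
    if len(new) > policy.maximum_length:
        errors.append("too-long")
    present = {name for name, pred in CHARACTER_CLASSES.items() if any(pred(ch) for ch in new)}
    for cls in policy.required:
        if cls not in present:
            errors.append(f"missing-{cls}")
    if len(present) < policy.complexity:
        errors.append("too-simple")
    # History is compared hash-by-hash; no plaintext is ever stored.
    if any(hmac.compare_digest(_history_hash(new, salt), digest) for salt, digest in history):
        errors.append("in-history")
    return errors


def record_password(new: str, policy: PasswordPolicy, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Append the accepted password's salted hash and trim to the configured history depth.
    In the module this list would live in the user's LDAP object, which is why history
    cannot be enforced when that object is not writable."""
    salt = os.urandom(16)
    updated = history + [(salt, _history_hash(new, salt))]
    return updated[-policy.history:] if policy.history > 0 else []


if __name__ == "__main__":
    policy = PasswordPolicy()
    stored: List[HistoryEntry] = []
    for candidate in ("abc", "Passw0rd!", "Passw0rd!"):
        problems = check_new_password(candidate, policy, stored)
        print(candidate, "->", problems or "accepted")
        if not problems:
            stored = record_password(candidate, policy, stored)
```

These checks run before any change is sent to the LDAP server, matching the text's statement that the constraints apply in both MF-hash and bind mode and for every password type; server-side rules such as Active Directory's own complexity and history policy are applied afterwards by the server.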

[Verify] section

Password-related options in the [Verify] section include:

mode
Sets the authentication mode (MF-hash or bind).
password type
Sets the mechanism to use when changing passwords, and in some cases the type of verifier generated.
attempt password change
Affects the order of password-change processing in bind mode. See Changing passwords with the MLDAP ESM Module for more information.
password change failure
If a password change is requested but fails, this controls whether the sign-on request can still succeed or will be denied.
password attribute
Overrides the default attribute used for the password verifier.
migrate passwords
An optional feature when attempting to migrate from MF-MD5 to MF-A2 verifiers as users sign on to Enterprise Server. Only applies in MF-hash mode.

See MLDAP ESM Module Custom Configuration Information for more information.