Multifactor authentication through LDAP integration.

If there is an integrated LDAP, does that mean that multifactor authentication automatically goes through that integrated LDAP?  I suspect the answer is it depends.

btan (Exec Consultant) commented:
Indeed LDAP authentication may be one of the multifactor checks since LDAP is like the yellow book for keeping an updated user directory store centrally. All the user credential info including the pub cert, etc. can reside there. It is a lookup store as far as I see it plainly.

So any sort of multi-facet scheme for client or user authentication - be it to search through the LDAP store, or do a sync up with a token server for federated identity login - we tend to need an intermediary or proxy that does these multifactor checks. The proxy does the check on behalf, or shields off the backend authentication process check against the identity store.

This is how I view multifactor authentication as compared to what most term as checking password, biometric and device. These are more pertaining to user information which the identity may contain and be checked against. Not so sure LDAP can store that info, but taking the passport check as an example, the user information has the fingerprint minutiae and user info (including photo and passport details) used to check against the backend - if LDAP has those it can be authentication. Pardon me as I digress.

As a whole, the proxy is required for multi-factor authentication and can be integrated with the LDAP check, though LDAP may serve as the multi-factor user store. So such a proxy may likely be in the form of:

A. a service-based instance (or software server), e.g. Azure MFA, which can cater to LDAP auth (while it can also do more with OATH, RADIUS, Windows Auth, etc.)

B. a hardware appliance that proxies between multiple schemes like Kerberos, LDAP, etc., like this instance
... or even an application delivery controller (ADC) such as F5 APM or Citrix Access Gateway ...

Hope I have not missed your point.

noci (Software Engineer) commented:
Basically LDAP is only a database with data about items.
Items can be user accounts, with passwords as an attribute.
LDAP defines a way to query this database for items and how items are described in attributes.

Now various frontends can query this database and determine what info they expect from a user.

Multifactor authentication mostly is about having more than one way to query a user for something in possession (calculator, token, chipcard), knowledge (password, passphrase). The multiple ways MUST be independent. Querying a user coming from a mobile-phone browser to enter a number received by SMS is still ONE factor, even if earlier on a password was required. (It is still the same equipment in use.) When accessing a website through a PC and then using an SMS login, that is two-factor authentication.

For your Q: if the LDAP database provides the info needed for the password, it can be used for password queries. If the database also holds the phone number, an SMS can be sent.
The web service/proxy/access point is required to handle the requirements: ask for a password, send an SMS and request the input, etc.
btan (Exec Consultant) commented:
I only see uses of LDAP for centralised data population and authentication for identity consistency across systems. The integrated LDAP will depend on your use case, whereby policy enforcement and transactions across end users or systems will not be directly to LDAP - but arbitrated by the intermediary. Of course LDAP can have some form of authentication inherently to allow authorized connection to it, but to the extent that LDAP supports multifactor, it will be via different Directory Services providers, e.g.

OpenLDAP Integration
Apache Directory Server Integration
Novell eDirectory Integration
Oracle Internet Directory Integration
Apple Open Directory Integration

I see a common provision on top of multifactor auth consideration to also use integrated LDAP for Single Sign On, User and Groups setup, Schema mapping/customization (LDAP schema attribute mapping for user's profile fields) and Read-Only integration (securing directory access and maintaining integrity).

awakenings (Author) commented:
So let's assume we are talking about AD - being integrated with OpenLDAP. Would the AD point of origin that has multifactor authentication ever translate over and through the LDAP integration to include the multifactor authentication?
noci (Software Engineer) commented:
Like before, LDAP (even AD) is just a database.

The authentication challenge is done by a router/network access point by using RADIUS queries.
Then you need a RADIUS server that can query LDAP ...
A web proxy that makes the 401 challenge, and then needs to verify the information using the database.
To make the web proxy 2-factor..., it should f.e. ask for a password, and cause an SMS to be sent to a phone,
and that password needs to be used instead of the password. Except when the client is accessing from a mobile phone.
Then you need something else.

So the LDAP (AD too) is just a (albeit flexible) database with a standard query format.
You need something ELSE to implement the challenge & response mechanism.
The proxy will need to be able to ask the LDAP database for a password, and phone number to be able to send an SMS.
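An added example (not code from any of the posters or from a real product) of the intermediary noci describes in both replies: the directory only checks the password (factor 1) and supplies the phone number; the proxy itself issues the SMS code, refuses to use SMS when the client is the phone, and lets the code, not the password, complete the login. The in-memory `DIRECTORY` dict, `SENT_SMS` list, `ldap_bind` emulation and `Proxy` class are all constructed stand-ins for a real LDAP/AD bind, an SMS gateway and the proxy.

```python
import hashlib, hmac, secrets, time

# Constructed stand-in for the directory: DN -> attributes. A real proxy would
# bind to and search a live LDAP/AD server instead of reading this dict.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "userPassword": hashlib.sha256(b"correct horse").hexdigest(),
        "mobile": "+1-555-0100",  # constructed number in the standard 'mobile' attribute
    },
}
SENT_SMS = []  # stand-in for the SMS gateway: list of (number, code)
SERVER_SECRET = secrets.token_bytes(32)  # held by the proxy, never stored in the directory

def ldap_bind(dn, password):
    """Factor 1 (knowledge): emulate a simple bind, i.e. the directory checks the password."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"], hashlib.sha256(password.encode()).hexdigest())

def sms_code(dn, nonce):
    """Six-digit one-time code derived from a fresh nonce; recomputed on verify, never stored."""
    mac = hmac.new(SERVER_SECRET, nonce + dn.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class Proxy:
    def __init__(self):
        self.pending = {}  # session id -> (dn, nonce, expiry)

    def start_login(self, dn, password, client_is_phone=False):
        """Step 1: password via LDAP bind, then read the number from LDAP and send the code."""
        if not ldap_bind(dn, password):
            return None
        if client_is_phone:
            return None  # SMS to the device that is logging in is not an independent factor
        mobile = DIRECTORY.get(dn, {}).get("mobile")  # second-factor data also lives in LDAP
        if not mobile:
            return None  # nothing enrolled: refuse rather than fall back to password only
        nonce, session = secrets.token_bytes(16), secrets.token_hex(8)
        self.pending[session] = (dn, nonce, time.time() + 120)
        SENT_SMS.append((mobile, sms_code(dn, nonce)))
        return session

    def finish_login(self, session, code):
        """Step 2: the SMS code, not the password, completes the login; single use, 2-minute window."""
        rec = self.pending.pop(session, None)
        if rec is None:
            return False
        dn, nonce, expiry = rec
        return time.time() <= expiry and hmac.compare_digest(code, sms_code(dn, nonce))
```

Note that nothing in `DIRECTORY` knows a second factor exists: the challenge state, the nonce and the secret all live in the proxy, which is the point of noci's "you need something ELSE".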
btan (Exec Consultant) commented:
You should be able to use OpenLDAP's proxy service to allow LDAP operations to cross the boundaries between AD and OpenLDAP deployments. E.g. access the Active Directory (AD) schema via OpenLDAP. Mainly via the slapd-ldap configuration in slapd.conf for the running of ldapsearch.
So with such "pass through", the MFA should rightfully be the same, but maybe better to have it already supporting both stores, like SureID.
Rich Rumble (Security Samurai) commented:
Remember there are different types of access, 2-factor typically sits on your perimeter, or at "logon screen" level. VPN, OWA and login screen are the places you find 2-factor. You do not get 2-factor at the network level, \\server_name\share_name has no two factor, FTP:// has no two factor. 2-factor is typically only helping secure your access from outside to in, which is great and should be done, but don't forget that an attacker can piggyback a valid user's access. I cover it more here: