MFA for LDAP

Last updated on July 30, 2024

MFA for LDAP is a way to protect your LDAP users with Multi-Factor Authentication by introducing an additional layer of protection at application login. LDAP MFA requires all LDAP users to provide at least two authentication factors when they log in to an application. The first factor is usually their password. The second factor is one of the many secure authentication methods. MFA for LDAP stops hackers who obtain your password and denies them access to your accounts.

What is LDAP?

LDAP is a protocol you can use to read directory servers, such as Microsoft Active Directory or OpenLDAP, over a network. A Service Provider uses the LDAP protocol to communicate with an Identity Provider (such as Active Directory). The result of the communication is a successful or unsuccessful authentication of a user. You can add Multi-Factor Authentication (MFA) to the authentication process to introduce an additional security step to the authentication of your users.

LDAP Protocol vs. LDAP Server – Clarification

The LDAP protocol is a protocol used for reading and modifying directories. On the other hand, an LDAP server is any server you can use as a directory server, such as Active Directory, OpenLDAP, FreeIPA, OpenDS, and Apache Directory Server.

How to make the LDAP Protocol More Secure?

You can wrap the LDAP protocol in TLS/SSL. LDAP wrapped in TLS/SSL is called LDAPS.

However, if you want to improve the security of your users' logins, you have to think in terms of making the whole authentication process more secure. You can add an extra layer of protection to the default password-based authentication of your users to considerably improve their security and reduce the likelihood that their accounts will be compromised.

We call the extra layer of security a second factor. The authentication process that uses two or more factors (password is usually the first factor) is Multi-Factor Authentication (MFA).

But how does MFA work with LDAP?

How Does LDAP MFA Work?

There is no one set way in which MFA works with LDAP. Different security providers and MFA solutions can implement different protocols and technologies to make these integrations possible. Most solutions use open standards, but the way they work can still be slightly different. Let’s break down how a Multi-Factor Authentication (MFA) solution can work with the LDAP server and how and where it uses the LDAP protocol. We will be using Rublon Multi-Factor Authentication as an example.

Rublon MFA uses the LDAP protocol in many scenarios:

  • Remote Desktop Services + Active Directory – You can configure Rublon to verify user login and password against Active Directory during the first step of MFA for your Remote Desktop Services logins.
  • VPN + RADIUS + LDAP Server – You can configure the Rublon Authentication Proxy to verify user login and password against an LDAP server during the first step of MFA for your VPN logins.
  • SSO + SAML + LDAP Server – You can configure the Rublon Access Gateway to verify user login and password against an LDAP server during Single Sign-On (SSO) logins to cloud apps.

Remote Desktop Services + Active Directory

The following diagram portrays how Rublon MFA works with Active Directory as the Identity Provider (IdP) for RDP logins.

Note the following:

  • The LDAP protocol is used in Step 2 of the following diagram.
  • Rublon for RD Gateway, Rublon for RD Web, and Rublon for RD Web Client can similarly use Active Directory as the Identity Provider.

[Diagram: how Rublon MFA works with RDP]

  1. User opens Remote Desktop Connection and enters their username and password (1).
  2. The Remote Desktop Session Host checks the login credentials against Active Directory (2).
  3. If login credentials are correct, the Remote Desktop Session Host asks the Rublon Cloud to send a Mobile Push authentication request to the user’s phone (3).
  4. Upon accepting the push, the user connects to the remote desktop (4).
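
The ordering of the steps above can be sketched as follows. This is an added example, not Rublon's code: the directory is a constructed in-memory stand-in for an LDAP bind, RFC 6238 TOTP is substituted for the Mobile Push, and all names (`USER_DN`, `directory_bind`, `login`) and sample values are assumptions. It also shows the empty-password check that an application verifying credentials through an LDAP simple bind needs.

```python
import hashlib
import hmac
import struct

# Constructed sample data: an in-memory stand-in for the directory (step 2).
# A real deployment performs an LDAP simple bind over LDAPS instead.
USER_DN = {"alice": "uid=alice,ou=people,dc=example,dc=org"}
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct horse"}
TOTP_SECRETS = {"alice": b"12345678901234567890"}  # RFC 6238 test secret


def directory_bind(dn, password):
    """First factor: simulate an LDAP simple bind as dn."""
    # RFC 4513 section 5.1.2: a simple bind with a DN and an empty password is
    # an "unauthenticated bind" that some servers accept, so reject it here.
    if not dn or not password:
        return False
    stored = DIRECTORY.get(dn)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the page's Mobile Push."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(username, password, otp, now):
    """Grant access only when both factors pass, in the page's order."""
    if not directory_bind(USER_DN.get(username), password):
        return "denied: first factor"
    secret = TOTP_SECRETS.get(username)
    if secret is None:
        return "denied: second factor"  # fail closed if no factor is enrolled
    if not hmac.compare_digest(totp(secret, now).encode(), otp.encode()):
        return "denied: second factor"
    return "granted"
```

The second factor is never evaluated unless the directory check has already passed, and a user without an enrolled second factor is denied rather than let through on the password alone.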

VPN + RADIUS + LDAP

Rublon can protect your VPN connections with Multi-Factor Authentication (MFA) and accepts both RADIUS and LDAP servers (e.g., Active Directory) as IdP.

Refer to MFA for RADIUS for a detailed diagram.

SSO + SAML + LDAP

Rublon can protect your cloud applications and enable flexible Single Sign-On (SSO) using the SAML 2.0 standard. Both RADIUS and LDAP servers are supported.

Refer to MFA for SAML for a detailed diagram.

How Do I Enable LDAP MFA For My Users?

Enabling MFA for your LDAP users differs depending on the service you want to protect. Rublon Multi-Factor Authentication can protect your LDAP users logging in to Remote Desktop Services, VPNs, and cloud applications.

How to Enable LDAP MFA for Remote Desktop Services?

Rublon allows you to enable robust Multi-Factor Authentication (MFA) for your Active Directory users who log in to Remote Desktop Services such as RDP, Remote Desktop Gateway (RD Gateway), Remote Desktop Web Access (RD Web), and Remote Desktop Web Client (RD Web Client).

How to Enable LDAP MFA for VPNs?

If you would like to enable Multi-Factor Authentication (MFA) on one or more of your VPNs, you can achieve that with the Rublon Authentication Proxy.

The Rublon Authentication Proxy supports LDAP servers (such as OpenLDAP and Active Directory) as identity providers.

Here’s a step-by-step guide:

  1. Deploy and configure the Rublon Authentication Proxy to connect to your LDAP server.
  2. Find the integration instructions in our documentation.
  3. Follow the instructions and integrate your service with the Rublon Authentication Proxy.
  4. Repeat steps 2 and 3 for any number of RADIUS-compatible services you want.

How to Enable LDAP MFA for SSO and SAML Applications with an LDAP server as your identity provider?

Suppose you would like to have the following set-up:

  • Multiple cloud apps configured for Single Sign-On (SSO)
  • Multiple cloud apps protected with Multi-Factor Authentication (MFA)
  • The login credentials for the first step of MFA verified against your LDAP server, such as Active Directory or OpenLDAP

Rublon can satisfy these requirements. Refer to MFA for SAML for more information, including a diagram and deployment instructions.
