DS 7.1.7

Client Best Practices

Encourage best practices for directory clients that you control and influence.

Handle Input Securely

When taking input directly from a user or another program, handle the input securely by using appropriate methods to sanitize the data. Failure to sanitize the input data can leave your client vulnerable to injection attacks.

For example, the DS Java APIs have Filter.format() and DN.format() methods. These take a template and arguments in the same way as the Java String.format() methods, and escape the input objects when formatting output.

When writing command-line or HTTP clients, make sure you sanitize the input.
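For a client that cannot use Filter.format() or DN.format(), the following added example (not ForgeRock code) shows the same template-plus-escaping approach in Python, using the escaping rules of RFC 4515 for filters and RFC 4514 for DNs. All function names, templates, and sample inputs are constructed for illustration.

```python
# Added example, not ForgeRock code. Function names, templates and sample
# inputs are constructed for illustration.

# RFC 4515: characters that must be escaped in a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape one assertion value for an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape one attribute value for an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def format_filter(template, *values):
    """Fill %s placeholders in a trusted filter template with escaped values."""
    return template % tuple(escape_filter_value(str(v)) for v in values)


def format_dn(template, *values):
    """Fill %s placeholders in a trusted DN template with escaped values."""
    return template % tuple(escape_dn_value(str(v)) for v in values)


def unsafe_filter(uid):
    """Weak form: concatenation lets the input change the filter's meaning."""
    return "(&(objectClass=person)(uid=" + uid + "))"


if __name__ == "__main__":
    for uid in ["bjensen", "*", "Smith (Contractor)"]:  # constructed inputs
        print("unsafe:", unsafe_filter(uid))
        print("safe:  ", format_filter("(&(objectClass=person)(uid=%s))", uid))
    print(format_dn("cn=%s,ou=People,dc=example,dc=com", "Jensen, Barbara"))
```

With concatenation, the input * turns an equality match into a presence match, and a legitimate value containing parentheses produces a malformed filter. The escaped forms keep each input as a literal value.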

Use Secure Connections

Use secure connections except when reading public information anonymously. Always use secure connections when sending credentials for authentication, and when reading or writing any data that is not public.

For LDAP clients, either connect to the directory server’s LDAPS port, or begin each session with the StartTLS extended operation on the insecure LDAP port.

For HTTP clients, use HTTPS.

Authenticate Appropriately

Unless your client only reads public information, authenticate to the directory server.

Use an account that is specific to your client when authenticating. This helps avoid risks involved in sharing credentials between accounts. Furthermore, it makes debugging easier because your client’s actions are associated with its account.

Avoid username/password credentials for clients by using certificate-based authentication. For details, see Certificate-Based Authentication.

Consider OAuth 2.0

DS servers support OAuth 2.0 for HTTP authorization. This lets the HTTP client access directory data without having a directory account. The directory acts as an OAuth 2.0 resource server, as described in Configure HTTP Authorization.

An OAuth 2.0 client gets authorization from the resource owner, such as the user, device, or thing whose account it needs to access, and presents the OAuth 2.0 bearer access token to get access to the account. Access tokens give the bearer access, regardless of the bearer’s identity.

Send access tokens only over secure HTTPS connections to prevent eavesdroppers from stealing the token.

Consider Proxied Authorization

DS servers support LDAP proxied authorization control. With proxied authorization, an LDAP client binds to the directory using its own account, and sends requests with the user authorization ID in the control. For details, see Proxied Authorization.

When the user is already safely authenticated by other means, proxied authorization makes it easy to reuse a connection that is dedicated and bound to the client.

Apply Resource Limits

LDAP clients can set time limits and size limits on search requests. Setting limits is appropriate when searches are partially or fully determined by user input.

You can use the DS Java API methods SearchRequest.setSizeLimit() and SearchRequest.setTimeLimit() for this purpose.

The Directory Services ldapsearch command has --sizeLimit and --timeLimit options.

Copyright © 2010-2023 ForgeRock, all rights reserved.