Json2Ldap security checklist

This is an eight-point security checklist for putting an instance of Json2Ldap into production.

  1. Ensure web clients are required to use HTTPS with Json2Ldap unless directory access is intended to be public and user authentication is not required.

  2. Ensure all write requests are denied if web clients need only read directory data.

  3. Ensure sensible connection limits per web client IP and directory user are set.

  4. Ensure all LDAP connections from Json2Ldap to the directory servers are required to use TLS/SSL unless such protection is not required (e.g. the backend connections run over a private network).

  5. Ensure the white list of permitted LDAP servers for connection from Json2Ldap is correctly set. If only a single directory server is going to be accessed, make this the default one (see next point) and leave the white list empty.

  6. If you have a single LDAP directory server, ensure it is set as the default one so its host details need not be exposed to web clients; they can then connect to it just by knowing the Json2Ldap URL.

  7. Ensure the origin allow list is correctly set if Json2Ldap is going to serve cross-domain (CORS) requests.

  8. Ensure logging is turned on at the appropriate level.
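The eight points above, encoded as a pre-deployment policy audit. This is an added example, not Json2Ldap's own code or configuration: the `DeploymentPolicy` field names are hypothetical stand-ins for the real settings, and `audit` returns the numbers of the checklist points a policy fails, including the exceptions in points 1 and 4 and the coupling between points 5 and 6.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical model of a deployment's policy; these are NOT Json2Ldap's
# real property names, only labels for the settings the checklist covers.
@dataclass
class DeploymentPolicy:
    require_https: bool
    public_directory: bool            # directory access intended to be public
    auth_required: bool               # user authentication required
    clients_need_writes: bool
    allow_write_requests: bool
    max_conns_per_client_ip: int
    max_conns_per_directory_user: int
    backend_tls_required: bool
    backend_on_private_network: bool
    single_directory_server: bool
    default_ldap_server: Optional[str]
    ldap_server_allow_list: List[str] = field(default_factory=list)
    serves_cors: bool = False
    cors_origin_allow_list: List[str] = field(default_factory=list)
    log_level: Optional[str] = None

def audit(p: DeploymentPolicy) -> List[int]:
    """Return the checklist point numbers (1..8) that the policy fails."""
    failed = []
    # 1: HTTPS may only be skipped for a public directory with no user authentication
    if not p.require_https and not (p.public_directory and not p.auth_required):
        failed.append(1)
    # 2: clients that only read must not be able to issue write requests
    if not p.clients_need_writes and p.allow_write_requests:
        failed.append(2)
    # 3: both connection limits must be set to a positive value
    if p.max_conns_per_client_ip <= 0 or p.max_conns_per_directory_user <= 0:
        failed.append(3)
    # 4: backend TLS/SSL may only be skipped when the backend link is private
    if not p.backend_tls_required and not p.backend_on_private_network:
        failed.append(4)
    # 5: with a single directory server the allow list should stay empty
    if p.single_directory_server and p.ldap_server_allow_list:
        failed.append(5)
    # 6: a single directory server must be the default so its host stays hidden
    if p.single_directory_server and not p.default_ldap_server:
        failed.append(6)
    # 7: serving CORS needs an explicit origin list; "*" is treated as unset (assumption)
    if p.serves_cors and (not p.cors_origin_allow_list or "*" in p.cors_origin_allow_list):
        failed.append(7)
    # 8: a log level must be configured
    if not p.log_level:
        failed.append(8)
    return failed
```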

These and a number of other Json2Ldap policy settings are explained in the configuration manual.

Questions? Contact Connect2id support.