Tags: docker, authentication, ldap, openldap, user-management

Using OpenLDAP for authentication in Web App


We are building a web application that connects to a database and does data visualization. It will probably have around 300 users. We will deploy it with docker.

To increase security, we want to use an openLDAP server that stores user credentials for us. The rationale is, that it is a tried and tested piece of software that is more secure than anything we would code ourselves and we would not have to bother with hashing algorithms, salts, etc. Also, we could assign roles directly in LDAP.

We are thinking about the following architecture (we have to use one single server):
- One docker container with web app
- One docker container running the database
- One docker container running the openLDAP server

My question:
- Is openLDAP (or LDAP in general) suitable for that, or is there another solution that would encapsulate authentication in a tried and tested package? (given that LDAP is primarily built for high concurrent loads, which we do not expect)
- Would using docker, and hence encapsulating the service, increase security in general (assuming proper implementation)?

Thanks a lot!


Solution

  • Yes, OpenLDAP - and LDAP in general - is suitable for username/password authentication, and you get standard password hashing and password policy enforcement in the same package. Most of these LDAP features are standardized at IETF, so that you can expect the same from all good LDAP server products, including and especially OpenLDAP.

    Main references:

  • Using Docker or other kinds of containers (e.g. LXC) is always a good thing from a security standpoint as it provides a form of isolation of a container (therefore applications running inside) from the others and from the host by default. Yet it very much depends on your configuration and environment: there are many ways to loosen container isolation (e.g. enabling certain capabilities, mounting shared volumes, etc.). The Docker daemon in particular must be properly secured, since it is the one process that has and needs general privileged access to do all its powerful deeds. Docker security can be further improved by combining Docker native security features with Kernel security features, e.g. SELinux, AppArmor, grsec, etc. More info on Docker Security.
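As an added illustration of the first point (not part of the original question or answer), the snippet below shows what the web app is buying when it delegates passwords to OpenLDAP: the `userPassword` attribute holds a salted hash in the `{SSHA}` scheme (the `slappasswd` default), the server does the comparison during a simple bind, and the app only has to build a safe search filter. The `{SSHA}` encode/verify functions reproduce the scheme so the format is concrete; in production the app never verifies hashes itself but performs a search-then-bind against the server. The in-memory `directory` dict, the sample password and the `ldap3`-free flow are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demo; not from the original page.
SAMPLE_UID = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password in OpenLDAP's {SSHA} scheme: base64(sha1(pw + salt) + salt).
    This mirrors what `slappasswd -h {SSHA}` emits; apps normally let the server do it."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value the way the server does on bind.
    SHA-1 digests are 20 bytes; whatever follows is the salt (length is not fixed)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking which prefix of the digest matched.
    return hmac.compare_digest(candidate, digest)


# RFC 4515 escaping for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid: str) -> str:
    """Filter the app would send to locate the user's DN before binding as it."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def authenticate(uid: str, password: str, directory: dict) -> Optional[str]:
    """Search-then-bind flow. `directory` (dn -> attributes) stands in for the LDAP
    server here; against a real server, step 1 is a search with build_user_filter()
    and step 2 is a simple bind as the found DN, with the server doing the hash check."""
    matches = [dn for dn, attrs in directory.items() if attrs.get("uid") == uid]
    if len(matches) != 1:          # unknown or ambiguous uid: refuse, don't guess
        return None
    dn = matches[0]
    if ssha_verify(password, directory[dn]["userPassword"]):
        return dn
    return None


def sample_directory() -> dict:
    """Constructed stand-in for the directory contents of the demo."""
    return {
        "uid=alice,ou=people,dc=example,dc=org": {
            "uid": SAMPLE_UID,
            "userPassword": ssha_hash(SAMPLE_PASSWORD),
        }
    }


if __name__ == "__main__":
    d = sample_directory()
    print(build_user_filter("alice*)(uid=*"))
    print(authenticate(SAMPLE_UID, SAMPLE_PASSWORD, d))
    print(authenticate(SAMPLE_UID, "wrong", d))
```

The escaping matters because the web app is the one component in this design that still handles raw user input before it reaches LDAP; the hashing and policy enforcement the answer refers to live in the server.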