Title: RE: [ActiveDir] LDAP export pros/cons
In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user. No argument that using LDAP as an authentication method isn't nearly as secure as Kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure.
There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-)
Hunter
Interesting. I may just not understand what you have in mind.
I would agree, but I'm leery of LDAP bind for authentication in this scenario. In addition, it seems that it would not really provide the full amount of usefulness to the solution since the user has to also remember a different set of creds if they use this portal with dual id. Am I just misunderstanding, or were you thinking of something different??
Al
Here's a common scenario, where an application like the web portal outsources authentication to an external directory but retains authorization: your user hits the web portal and gets a prompt for her login ID and password. She enters that information and hits the OK button, and your portal then attempts to do an authenticated bind to the user's object in the LDAP directory, using the submitted ID and password. If the bind is successful, then the LDAP directory returns a successful acknowledgement to the portal. The portal hears that the user ID and password are correct, so the portal can then present the user with the appropriate content based on the portal permissions assigned to her account.
The key here is that there has to be a common identifier in the portal and LDAP directory, so that the user gets the right stuff (based on the authorization in the portal) as a result of a successful LDAP "login" (based on the LDAP authentication). Typically the common identifier is the logon ID, so that the portal knows that a successful LDAP bind to jane.doe should be associated with the jane.doe object in the portal.
It would be a good idea to ask what specific attributes the portal is looking for, or even the syntax of the LDAP queries they hope to issue.
Hunter
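The flow Hunter describes, written out as an added example (not code from the list or from any of the posters): the portal takes the submitted ID and password, locates the matching directory object by the common identifier, binds as that object, and only then looks up the portal's own authorization record for that ID. The directory is an in-memory stand-in constructed here so the code runs offline; the account names, DNs and permissions are made up. It also shows the two checks a portal doing this should make before it ever talks to the directory: the ID is constrained to the shape the portal expects (and escaped per RFC 4515 before it goes into a filter), and an empty password is refused, because a simple bind with a DN and an empty password is an "unauthenticated bind" that LDAP servers answer with success as an anonymous session.

```python
"""Portal-side LDAP login: search for the user's object by the common
identifier, bind as that object with the submitted password, then map the
identifier to the portal's own permissions (authentication in the directory,
authorization in the portal).

The directory below is a constructed stand-in so the example runs offline;
against a real server the search() and bind() methods would wrap the LDAP
client's calls.
"""
import re

# Shape of login IDs the portal will accept as the common identifier.
# Anything else is refused before it can reach an LDAP filter.
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


class FakeDirectory:
    """Constructed stand-in for the LDAP directory: DN -> attributes."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, ldap_filter):
        # Supports only the one filter shape the portal issues,
        # (sAMAccountName=<escaped value>), and returns the matching DNs.
        m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
        if not m:
            return []
        wanted = m.group(1)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn)
                and escape_filter_value(e["sAMAccountName"]) == wanted]

    def bind(self, dn, password):
        # Models the server side: a simple bind with a DN and an EMPTY
        # password is an unauthenticated bind (RFC 4513 section 5.1.2) and
        # returns success as an anonymous session. The portal must therefore
        # never send one and never treat it as a verified password.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password


class PortalAuthenticator:
    def __init__(self, directory, base_dn, portal_accounts):
        self.directory = directory
        self.base_dn = base_dn
        # Portal-side authorization: login ID -> permissions (constructed).
        self.portal_accounts = portal_accounts

    def login(self, login_id, password):
        """Return the portal permissions for the user, or None on failure."""
        if not password:                      # refuse the unauthenticated bind
            return None
        if not LOGIN_ID_RE.fullmatch(login_id or ""):
            return None
        ldap_filter = "(sAMAccountName=%s)" % escape_filter_value(login_id)
        dns = self.directory.search(self.base_dn, ldap_filter)
        if len(dns) != 1:                     # none or ambiguous: fail closed
            return None
        if not self.directory.bind(dns[0], password):
            return None
        # Successful bind to jane.doe maps to the portal's jane.doe record.
        return self.portal_accounts.get(login_id)


# Constructed sample data (hypothetical domain, account and permissions).
DIRECTORY = FakeDirectory({
    "CN=Jane Doe,OU=Staff,DC=example,DC=test": {
        "sAMAccountName": "jane.doe",
        "password": "correct horse",
    },
})
PORTAL = PortalAuthenticator(DIRECTORY, "DC=example,DC=test",
                             {"jane.doe": ["hr", "payroll"]})

if __name__ == "__main__":
    print(PORTAL.login("jane.doe", "correct horse"))   # ['hr', 'payroll']
    print(PORTAL.login("jane.doe", ""))                # None
```

The stand-in's bind() deliberately returns success for an empty password so that the portal-side refusal is exercised rather than assumed; the same check belongs in front of any real LDAP client, since the server will not make it for you.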
I understand what you are saying and agree. On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long term solution? The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name & password. I do not want to give out any more information than that about my users.
Thanks for the quick responses.
R-
Not sure there are any documented risks. Risks being relational to the entity taking them.
However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing. I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really. If that's the case, then it's possible you could be giving out the account information to a non-trusted source.
The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?"
Some folks wouldn't have a problem giving out that information. Others would. You'll need to assess that risk based on the information you plan to give out.
Email addresses are a unique identifier by the way. And usually public knowledge.
That's correct. Looking for risks associated ....
From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] LDAP export pros/cons
Are you looking for risks associated with giving your directory away to a semi-trusted third party? Did I paraphrase that correctly?
Al
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP export pros/cons
Can someone point me to a white paper or article that gives the pros and cons and security implications of allowing a semi-trusted third-party to access our AD with an LDAP export to an RSA server?
We are being asked to allow our users to authenticate to a third party web portal using their current Windows 2003 AD accounts. The third party wants an LDAP export to their RSA server and an account that has appropriate access to allow authentication to the AD box. This is in an extra-net environment.
Any guidance or advice would be appreciated.
Robert
----
The information contained in this e-mail transmittal, including any attached document(s) is confidential. The information is intended only for the use of the named recipient. If you are not the named recipient, you are hereby notified that any use, disclosure, copying, or distribution of the contents hereof is strictly prohibited.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/