Educause Security Discussion mailing list archives

Re: Authentication in LDAP


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Wed, 24 Aug 2005 10:45:12 -0400

Security considerations aside, we have found that there are cases where
(although an ID is fine with LDAP) the systems linked to it can't handle
it. For instance, if one of your dependent systems can only handle
8-character usernames and you try to log in as geoffnathan, it probably
won't work. We've also run into this with how systems interpret certain
characters versus how LDAP interprets them.

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

geoffnathan () WAYNE EDU 08/24/05 10:32 AM >>>
Apologies if this is a trivial question, but I've been banging my head
against this issue and am unable to settle it in my mind.
Here at Wayne State all users are issued a unique AccessID, an
arbitrary alphanumeric code of the form XX1234.  Whenever they access
their e-mail, log in to our Portal or to Blackboard (or any of several
other services) they enter their access ID and a password.
Authentication is handled centrally by an LDAP appliance.
Through the webmail client we supply, users have the option of choosing
an alias that is personalized (mine, for example, is at the bottom of
this message).
Recently the administrator of the LDAP machine enabled alternate logins
(on everything) using the personalized ID instead of the 'license
plate'-style ID.  This was done without discussion of possible policy
issues, and I've been wracking my brains trying to think of any security
problems that this change raises.  I can't think of any, but I thought
I'd ask this group if there is any reason people should not be able to
authenticate either as

an6993
or as
geoffnathan

Thanks in advance for any suggestions.

Geoff Nathan
Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
        and Associate Professor of English
Linguistics Program
Department of English
Wayne State University
Detroit, MI, 48202
Phone Numbers
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338
