Educause Security Discussion mailing list archives

Re: Authentication in LDAP


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Wed, 24 Aug 2005 11:06:52 -0400

I do not feel there is an inherent security issue with this.  I know
others disagree though based on the idea that it will now be much easier
for brute force attacks because half of the login is now known (i.e. a
list of campus personnel will yield a pretty accurate list of usernames
so they would only have to go after passwords.)

 

My bigger concern would be that you implemented the unique AccessID for
a reason.  It follows a standard and you could always go back to that as
a standard when troubleshooting.  Uniqueness can also be virtually
guaranteed for the life of the system, not just the user. Although the
aliases must obviously be unique also, over time you may find the user
community gets used to their "vanity plate" and forgets the other. Do
you allow these "vanity plates" to ever be reused? Not being entirely
familiar with the intricacies of LDAP and your implementation, could this
lead to inaccuracies in logging (e.g. this year jsmith12 is XX1234,
but next year jsmith12 is xx5678), so you could have difficulty mapping
events to the correct user over time?

 

Could rights management be more difficult?  I am gscholz and I need
access X, but I do not know my AccessID, so you now have to look up my
AccessID to ensure you assign the correct rights to the right AccessID.
And again, what if gscholz is ever reused? Could a mistake in rights
assignment happen?

 

We attempt to ensure uniqueness forever, but not using the license plate
style. I would personally prefer the license plate style, but whichever
way, uniqueness over some period of time should be the focus so that
rights, events, assignments, etc. can be properly controlled.

 

Just my .02

 

_________________________

Thank you,

Gregory R. Scholz

Lead Network Engineer

Information Technology Group

Keene State College

(603)358-2070
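The alias-reuse problem Greg raises above (jsmith12 pointing at one AccessID this year and another next year), as an added example that is not code from the thread or from either campus's directory: a small Python model of an alias history, showing that events and rights stay attributable only when they are keyed to the immutable AccessID rather than to whatever name the user typed. The names, dates, the XX1234 pattern check and the log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ACCESS_ID_RE = re.compile(r"^[a-z]{2}\d{4}$")  # assumed XX1234 "license plate" form

@dataclass
class AliasAssignment:  # one period during which an alias belonged to an AccessID
    alias: str
    access_id: str
    start: date
    end: Optional[date] = None  # None: still assigned today

# Constructed history: jsmith12 was released mid-2005 and later reissued.
ALIAS_HISTORY: List[AliasAssignment] = [
    AliasAssignment("jsmith12", "xx1234", date(2004, 9, 1), date(2005, 6, 30)),
    AliasAssignment("jsmith12", "xx5678", date(2005, 9, 1)),
]

def resolve_login(login: str, when: date) -> str:
    """Map a typed login (AccessID or alias) to the AccessID owning it on `when`."""
    login = login.lower()
    if ACCESS_ID_RE.match(login):
        return login
    for a in ALIAS_HISTORY:
        if a.alias == login and a.start <= when and (a.end is None or when <= a.end):
            return a.access_id
    raise LookupError(f"alias {login!r} was not assigned on {when}")  # gap between owners

# Constructed log lines: (event date, login name as typed). Grouping these by
# the typed name alone would merge two different people under "jsmith12".
EVENTS: List[Tuple[date, str]] = [
    (date(2005, 3, 10), "jsmith12"),
    (date(2005, 10, 5), "jsmith12"),
    (date(2005, 10, 6), "XX1234"),
]

def attribute_events(events: List[Tuple[date, str]]) -> Dict[str, List[date]]:
    """Group events by canonical AccessID, using the alias in force on each date."""
    by_owner: Dict[str, List[date]] = {}
    for when, login in events:
        by_owner.setdefault(resolve_login(login, when), []).append(when)
    return by_owner

def grant_right(grants: Dict[str, Set[str]], login: str, right: str, when: date) -> str:
    """Key rights to the AccessID, never to the alias; return the id actually used."""
    owner = resolve_login(login, when)
    grants.setdefault(owner, set()).add(right)
    return owner
```

Reconstructing ownership after the fact only works if the alias history is retained; the simpler defence is to have the LDAP appliance record the resolved AccessID in every authentication log line, so later attribution never depends on the alias at all.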


From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] 
Sent: Wednesday, August 24, 2005 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authentication in LDAP

 

Apologies if this is a trivial question, but I've been banging my head
against this issue and am unable to settle it in my mind.
Here at Wayne State all users are issued a unique AccessID, an arbitrary
alphanumeric code of the form XX1234.  Whenever they access their
e-mail, log in to our Portal or to Blackboard (or any of several other
services) they enter their access ID and a password.  Authentication is
handled centrally by an LDAP appliance.
Through the webmail client we supply, users have the option of choosing
an alias that is personalized (mine, for example, is at the bottom of
this message).
Recently the administrator of the LDAP machine enabled alternate logins
(on everything) using the personalized ID instead of the 'license
plate'-style ID.  This was done without discussion of possible policy
issues, and I've been wracking my brains trying to think of any security
problems that this change raises.  I can't think of any, but I thought
I'd ask this group if there is any reason people should not be able to
authenticate either as

an6993
or as
geoffnathan

Thanks in advance for any suggestions.

Geoff Nathan


Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
        and Associate Professor of English
Linguistics Program, Department of English
Wayne State University, Detroit, MI, 48202
Phone Numbers:
  Computing and Information Technology: (313) 577-1259
  Linguistics (English): (313) 577-8621
  C&IT Fax: (313) 577-1338
