Educause Security Discussion mailing list archives
Re: Authentication in LDAP
From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 12 Sep 2005 15:58:23 -0400
There could be some security issues. Some of them have been touched on.

First, the issue of legacy systems and truncation. If you are geoffnathan, and I am geoffnat, then who wins the race at the OpenVMS computer that supports the food service account, where login names are truncated to 8 characters? (hypothetical example, I hope) See also the comment later about maintaining a history of vanity names.

Second, people have been known to look up to see who does not use the vanity logins, like people who have been at the university a long time, e.g. the president, VP of business, VP of Alumni Affairs, the department chairs of most departments, ... For example, Herman Hacker chooses the vanity name of AlEinstein, which is similar to the name of the Chairman of the Chemistry department. Herman logs in as AlEinstein. The logs probably show AlEinstein logged in just before the Chemistry department web server was defaced, or the hours were entered for student employees. Will someone bother to really look up who AlEinstein is, especially if Al Einstein is a distinguished professor, university fixture, and department chair? Or will they conclude that it was a zero-day attack on a fully patched system? Will the LDAP maintainer maintain transaction logs so that Herman Hacker cannot just register AlEinstein one day, do some dirty work, and then change it back to HermanHacker the next?

Just some thinking off of the top of my head.

Jim

_____
From: Scholz, Greg [mailto:gscholz () KEENE EDU]
Sent: Wednesday, August 24, 2005 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication in LDAP

I do not feel there is an inherent security issue with this. I know others disagree, though, based on the idea that it will now be much easier for brute force attacks because half of the login is now known (i.e. a list of campus personnel will yield a pretty accurate list of usernames, so they would only have to go after passwords).

My bigger concern would be that you implemented the unique AccessID for a reason. It follows a standard, and you could always go back to that as a standard when troubleshooting. Uniqueness can also be virtually guaranteed for the life of the system, not just the user. Although the aliases must obviously be unique also, over time you may find the user community gets used to their "vanity plate" and forgets the other.

Do you allow these "vanity plates" to ever be reused? Not being entirely familiar with the intricacies of LDAP and your implementation, could this lead to inaccuracies in logging? (e.g. this year jsmith12 is XX1234, but next year jsmith12 is xx5678) So you could have difficulty mapping events to the correct user over time?

Could rights management be more difficult? I am gscholz and I need access X, but I do not know my AccessID, so you now have to look up my AccessID to ensure you assign the correct rights to the right AccessID. And again, what if gscholz is ever reused? Could a mistake in rights assignment happen?

We attempt to ensure uniqueness forever, but not using the license plate style. I would personally prefer the license plate style, but whichever way, uniqueness over some period of time should be the focus so that rights, events, assignments, etc. can be properly controlled.

Just my .02

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

_____
From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
Sent: Wednesday, August 24, 2005 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authentication in LDAP

Apologies if this is a trivial question, but I've been banging my head against this issue and am unable to settle it in my mind.

Here at Wayne State all users are issued a unique AccessID, an arbitrary alphanumeric code of the form XX1234. Whenever they access their e-mail, log in to our Portal or to Blackboard (or any of several other services) they enter their access ID and a password. Authentication is handled centrally by an LDAP appliance. Through the webmail client we supply, users have the option of choosing an alias that is personalized (mine, for example, is at the bottom of this message).

Recently the administrator of the LDAP machine enabled alternate logins (on everything) using the personalized ID instead of the 'license plate'-style ID. This was done without discussion of possible policy issues, and I've been wracking my brains trying to think of any security problems that this change raises. I can't think of any, but I thought I'd ask this group if there is any reason people should not be able to authenticate either as an6993 or as geoffnathan.

Thanks in advance for any suggestions.

Geoff Nathan

Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
and Associate Professor of English
Linguistics Program
Department of English
Wayne State University
Detroit, MI, 48202

Phone Numbers
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats has not created a new problem. It has merely made more urgent the necessity of solving an existing one." Parallels quote by Albert Einstein on atomic energy
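The three concerns raised in this thread (8-character truncation on legacy systems, vanity names shadowing someone else's identity, and aliases being released and reused so that logs no longer map to the right person) are all properties of the alias directory rather than of LDAP itself. The code below is an added illustration, not code from any of the posters or from Wayne State's LDAP appliance. It sketches a hypothetical alias registry that keeps an append-only history of which AccessID held which alias and when, refuses aliases that collide after truncation or look like an AccessID, never lets a released alias pass to a different person, and resolves the login name in a log line to the canonical AccessID that owned it at that moment. The AccessIDs xx1234 and xx5678, the alias names, the log format and the timestamps are all constructed for the example.

```python
import copy
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed value: the thread's legacy systems truncate login names to 8 characters.
LEGACY_LOGIN_MAX = 8


@dataclass
class AliasRecord:
    """One row of alias history: which alias pointed at which AccessID, and for what period."""
    alias: str
    access_id: str
    valid_from: datetime
    valid_to: Optional[datetime] = None  # None means the alias is still active

    def active_at(self, at: datetime) -> bool:
        return self.valid_from <= at and (self.valid_to is None or at < self.valid_to)


class AliasRegistry:
    """Hypothetical append-only alias history keyed by canonical AccessID."""

    def __init__(self) -> None:
        self.access_ids: set = set()
        self.history: list = []

    def register_access_id(self, access_id: str) -> None:
        self.access_ids.add(access_id.lower())

    def assign_alias(self, access_id: str, alias: str, at: datetime) -> None:
        access_id, alias = access_id.lower(), alias.lower()
        if access_id not in self.access_ids:
            raise KeyError(f"unknown AccessID {access_id}")
        # Rule 1: an alias is never reused by a different person, even after it is released.
        if any(r.alias == alias and r.access_id != access_id for r in self.history):
            raise ValueError(f"alias {alias!r} was previously held by another AccessID")
        # Rule 2: an alias may not look like somebody else's AccessID.
        if alias in self.access_ids and alias != access_id:
            raise ValueError(f"alias {alias!r} collides with an existing AccessID")
        # Rule 3: active aliases must stay distinct after the legacy truncation.
        for r in self.history:
            if (r.active_at(at) and r.access_id != access_id
                    and r.alias[:LEGACY_LOGIN_MAX] == alias[:LEGACY_LOGIN_MAX]):
                raise ValueError(f"alias {alias!r} truncates to the same name as {r.alias!r}")
        # Close the holder's current alias instead of overwriting it, so the history survives.
        for r in self.history:
            if r.active_at(at) and r.access_id == access_id:
                r.valid_to = at
        self.history.append(AliasRecord(alias, access_id, at))

    def resolve(self, login_name: str, at: datetime) -> str:
        """Map the name seen in a log line to the AccessID that owned it at that time."""
        name = login_name.lower()
        if name in self.access_ids:
            return name
        for r in self.history:
            if r.alias == name and r.active_at(at):
                return r.access_id
        raise LookupError(f"{login_name!r} was not a valid login at {at.isoformat()}")


def alias_allowed(registry: AliasRegistry, access_id: str, alias: str, iso_time: str) -> bool:
    """Dry-run check for a self-service alias page: True if the alias would be accepted."""
    probe = copy.deepcopy(registry)  # never mutate the real registry during a check
    try:
        probe.assign_alias(access_id, alias, datetime.fromisoformat(iso_time))
        return True
    except (ValueError, KeyError):
        return False


# Constructed log format for this example: "<iso-timestamp> host=<h> login user=<name> result=<r>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$")


def attribute_logins(lines: list, registry: AliasRegistry) -> list:
    """Annotate each login event with the canonical AccessID so analysts need not guess who an alias was."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        try:
            owner = registry.resolve(m["user"], ts)
        except LookupError:
            owner = "UNRESOLVED"  # a name that was not valid at that time deserves a closer look
        events.append({"time": ts, "host": m["host"], "login_name": m["user"],
                       "access_id": owner, "result": m["result"]})
    return events


def build_demo_registry() -> AliasRegistry:
    """Constructed scenario after Jim's example: xx1234 is the chair, xx5678 is Herman Hacker."""
    reg = AliasRegistry()
    for aid in ("xx1234", "xx5678", "an6993"):
        reg.register_access_id(aid)
    reg.assign_alias("an6993", "geoffnathan", datetime(2005, 8, 1))
    reg.assign_alias("xx5678", "aleinstein", datetime(2005, 9, 1))    # day 1: take the look-alike name
    reg.assign_alias("xx5678", "hermanhacker", datetime(2005, 9, 3))  # day 3: change it back
    return reg


DEMO_LOG = [  # constructed sample lines, not from any real system
    "2005-09-02T03:14:00 host=chemweb login user=AlEinstein result=ok",
    "2005-09-04T09:00:00 host=chemweb login user=AlEinstein result=fail",
    "2005-09-04T09:05:00 host=portal login user=XX1234 result=ok",
]

if __name__ == "__main__":
    for event in attribute_logins(DEMO_LOG, build_demo_registry()):
        print(event)
```

Because the alias row is closed rather than deleted when Herman switches back, the 2 September event still attributes to xx5678, and the 4 September attempt with a name that was no longer valid surfaces as UNRESOLVED instead of silently pointing at the chair. The same history answers Greg's question about jsmith12 changing owners across years, and the dry-run check is what a self-service alias page would call before accepting geoffnat alongside geoffnathan.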
Current thread:
- Authentication in LDAP Geoff Nathan (Aug 24)
- <Possible follow-ups>
- Re: Authentication in LDAP Jim Bollinger (Aug 24)
- Re: Authentication in LDAP Scholz, Greg (Aug 24)
- Re: Authentication in LDAP James H Moore (Sep 12)