Educause Security Discussion mailing list archives

Re: Authentication in LDAP


From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 12 Sep 2005 15:58:23 -0400

There could be some security issues.  Some of them have been touched on.
 
First, the issue of legacy systems and truncation.  If you are
geoffnathan and I am geoffnat, then who wins the race at the OpenVMS
computer that supports the food service account, where login names are
truncated to 8 characters? (Hypothetical example, I hope.)  See also the
comment later about maintaining a history of vanity names.
 
Second, people have been known to look up who does not use the
vanity logins, like people who have been at the university a long time,
e.g. the president, VP of business, VP of Alumni Affairs, the department
chairs of most departments, ...
For example, Herman Hacker chooses the vanity name of AlEinstein, which
is similar to the name of the Chairman of the Chemistry department.
Herman logs in as AlEinstein.  The logs probably show AlEinstein logged
in just before the Chemistry department web server was defaced, or the
hours were entered for student employees.  Will someone bother to really
look up who AlEinstein is, especially if Al Einstein is a distinguished
professor, university fixture, and department chair?  Or will they
conclude that it was a zero-day attack on a fully patched system?
 
Will the LDAP maintainer maintain transaction logs so that Herman
Hacker cannot just register AlEinstein one day, do some dirty work, and
then change it back to HermanHacker the next?
 
Just some thinking off of the top of my head.
 
Jim

_____

From: Scholz, Greg [mailto:gscholz () KEENE EDU] 
Sent: Wednesday, August 24, 2005 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Authentication in LDAP


I do not feel there is an inherent security issue with this.  I know
others disagree though based on the idea that it will now be much easier
for brute-force attacks because half of the login is now known (i.e. a
list of campus personnel will yield a pretty accurate list of usernames,
so they would only have to go after passwords).

My bigger concern would be that you implemented the unique AccessID for
a reason.  It follows a standard and you could always go back to that as
a standard when troubleshooting.  Uniqueness can also be virtually
guaranteed for the life of the system, not just the user. Although the
aliases must obviously be unique also, over time you may find the user
community gets used to their "vanity plate" and forgets the other. Do
you allow these "vanity plates" to ever be reused? Not being entirely
familiar with the intricacies of LDAP and your implementation, could this
lead to inaccuracies in logging (e.g. this year jsmith12 is XX1234,
but next year jsmith12 is xx5678), so you could have difficulty mapping
events to the correct user over time?

Could rights management be more difficult?  I am gscholz and I need
access X, but I do not know my AccessID, so you now have to look up my
AccessID to ensure you assign the correct rights to the right AccessID.
And again, what if gscholz is ever reused? Could a mistake in rights
assignment happen?

We attempt to ensure uniqueness forever but not using the license plate
style. I would personally prefer the license plate style, but whichever
way, uniqueness over some period of time should be the focus so that
rights, events, assignments, etc. can be properly controlled.

Just my .02


_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070


_____

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU] 
Sent: Wednesday, August 24, 2005 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Authentication in LDAP

 

Apologies if this is a trivial question, but I've been banging my head
against this issue and am unable to settle it in my mind.

Here at Wayne State all users are issued a unique AccessID, an arbitrary
alphanumeric code of the form XX1234.  Whenever they access their
e-mail, log in to our Portal or to Blackboard (or any of several other
services) they enter their access ID and a password.  Authentication is
handled centrally by an LDAP appliance.

Through the webmail client we supply, users have the option of choosing
an alias that is personalized (mine, for example, is at the bottom of
this message).

Recently the administrator of the LDAP machine enabled alternate logins
(on everything) using the personalized ID instead of the 'license
plate'-style ID.  This was done without discussion of possible policy
issues, and I've been wracking my brains trying to think of any security
problems that this change raises.  I can't think of any, but I thought
I'd ask this group if there is any reason people should not be able to
authenticate either as

an6993
or as
geoffnathan

Thanks in advance for any suggestions.

Geoff Nathan


Geoffrey S. Nathan <geoffnathan () wayne edu>
Security Policy Coordinator, Computing and Information Technology,
        and Associate Professor of English
Linguistics Program, Department of English
Wayne State University, Detroit, MI, 48202
Phone Numbers:
  Computing and Information Technology: (313) 577-1259
  Linguistics (English): (313) 577-8621
  C&IT Fax: (313) 577-1338
 
- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats has not created a new problem. It
has merely made more urgent the necessity of solving an existing one."
Parallels quote by Albert Einstein on atomic energy
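As an added example (not code from any message in this thread), the following Python sketch shows one way to address the concerns Jim and Greg raise above: a registry that keeps the full alias history keyed to the immutable AccessID, so a log entry naming an alias can be resolved to whoever held it at that moment, that never lets an alias be reused by a second person, and that rejects a new alias that would collide with a live one after an assumed 8-character legacy truncation. The lowercase XX1234 pattern, the 8-character limit and the sample identities are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TRUNC = 8                                   # assumed 8-character legacy login limit
ACCESS_ID = re.compile(r"^[a-z]{2}\d{4}$")  # assumed XX1234-style immutable identifier

@dataclass
class AliasRecord:
    alias: str
    access_id: str
    valid_from: datetime
    valid_to: Optional[datetime] = None     # None: alias is still held

class AliasRegistry:
    """Append-only alias history keyed to the immutable AccessID (constructed example)."""
    def __init__(self) -> None:
        self.history: list[AliasRecord] = []

    def _live(self, when: datetime) -> list[AliasRecord]:
        return [r for r in self.history
                if r.valid_from <= when and (r.valid_to is None or when < r.valid_to)]

    def register(self, alias: str, access_id: str, when: datetime) -> bool:
        alias, access_id = alias.lower(), access_id.lower()
        if ACCESS_ID.match(alias):           # an alias must not look like an AccessID
            return False
        for r in self.history:               # an alias is never reused by a second person
            if r.alias == alias and r.access_id != access_id:
                return False
        for r in self._live(when):
            if r.alias == alias and r.access_id == access_id:
                return True                  # already held by this person
            if r.alias[:TRUNC] == alias[:TRUNC]:
                return False                 # would collide on a truncating host
        self.history.append(AliasRecord(alias, access_id, when))
        return True

    def release(self, alias: str, when: datetime) -> None:
        for r in self._live(when):           # close the window; the record is kept
            if r.alias == alias.lower():
                r.valid_to = when

    def resolve(self, login: str, when: datetime) -> Optional[str]:
        login = login.lower()                # map a login seen at `when` to its AccessID
        if ACCESS_ID.match(login):
            return login
        for r in self._live(when):
            if r.alias == login:
                return r.access_id
        return None
```

Because history rows are only closed, never deleted, a login recorded under an alias that was later changed back still resolves to the AccessID that held it at the time.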
