Educause Security Discussion mailing list archives

Re: External LDAP Authentication through the firewall


From: James Cooley <jcooley () FIT EDU>
Date: Fri, 8 Jan 2010 09:53:00 -0500

Allowing an outside vendor to use your internal LDAP for authentication would be very dangerous.  From a compliance 
standpoint, you could be exposing FERPA-related information to the vendor if protected information can be queried.  
From a security standpoint, you would be giving the vendor the ability to capture your users' passwords (whether they 
do it, or someone attacking their servers does it).  You can control security on your side, but you have no control 
over the security on their side.  What if they are compromised and you end up with several potential accounts with 
compromised credentials?  In this case, the university would probably take the heat and need to notify the affected 
individuals.   

Your security auditors would also likely frown upon this kind of access, so that could be another approach you can 
take.  

If you tell the vendor no, you can try asking if there are other ways to perform the authentication.  If this is for a 
web application, technologies such as CAS provide authentication capabilities for web services and allow all of the 
authentication to be performed on your own servers - the user never enters their password on a third-party site.

--
James Cooley
Information Security Officer
Florida Institute of Technology
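To make the point in the reply above concrete, here is an added example (not code from the thread or from the CAS project) that simulates the CAS-style ticket flow in Python. The campus CAS server is the only component that ever checks a password against the directory (standing in for LDAP/AD); the vendor's service receives only a short-lived, single-use service ticket and validates it back with the campus server. All user names, passwords, URLs and the ticket lifetime are constructed values.

```python
"""Added example: a minimal in-process simulation of a CAS-style login.

The vendor service never receives the user's password; it only handles a
service ticket (ST) and validates it with the campus CAS server. In a real
deployment the redirect and the validation call travel over HTTPS and the
CAS server binds to LDAP/AD; here everything is in one process so it runs
offline. Names, users and passwords are constructed, not real.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash standing in for the directory's own storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory(creds: dict) -> dict:
    """Build a constructed username -> (salt, hash) map, i.e. a toy LDAP/AD."""
    directory = {}
    for user, pw in creds.items():
        salt = secrets.token_bytes(16)
        directory[user] = (salt, _hash(pw, salt))
    return directory


class CasServer:
    """Campus side: the only place a password is ever checked."""

    TICKET_TTL = 10  # seconds a service ticket stays valid (constructed value)

    def __init__(self, directory: dict):
        self.directory = directory
        self.tickets = {}  # ticket -> (username, bound service URL, issue time)

    def login(self, username: str, password: str, service: str):
        """Authenticate against the directory; on success return the redirect
        URL that carries a one-time service ticket back to the service."""
        rec = self.directory.get(username)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(_hash(password, salt), digest):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (username, service, time.time())
        return service + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket: str, service: str):
        """CAS-style validation: the ticket must exist, be bound to the calling
        service, be fresh, and it is consumed on first use (replay fails)."""
        rec = self.tickets.pop(ticket, None)  # pop => single use
        if rec is None:
            return None
        username, bound_service, issued = rec
        if bound_service != service or time.time() - issued > self.TICKET_TTL:
            return None
        return username


class VendorService:
    """Vendor side: has no password field at all, only a ticket callback."""

    def __init__(self, url: str, cas: CasServer):
        self.url = url
        self.cas = cas

    def handle_callback(self, redirect_url: str):
        """Extract the ticket from the redirect and ask the campus CAS server
        who it belongs to. Returns the username or None."""
        query = parse_qs(urlparse(redirect_url).query)
        ticket = query.get("ticket", [None])[0]
        if ticket is None:
            return None
        return self.cas.validate(ticket, self.url)


def run_flow(cas: CasServer, service: VendorService, username: str, password: str):
    """End-to-end login: user authenticates at the campus CAS server, the
    service validates the resulting ticket. Returns the username or None."""
    redirect = cas.login(username, password, service.url)
    if redirect is None:
        return None
    return service.handle_callback(redirect)


if __name__ == "__main__":
    cas = CasServer(make_directory({"alice": "correct horse battery"}))
    svc = VendorService("https://ill.example.edu/login", cas)
    print(run_flow(cas, svc, "alice", "correct horse battery"))  # alice
    print(run_flow(cas, svc, "alice", "wrong"))                  # None
```

The design choice worth noticing is that `VendorService` has no code path that could ever receive a password, which is the property the reply above relies on: a compromise of the vendor yields at most a spent ticket, not campus credentials. Binding the ticket to the service URL and consuming it on first use are what stop a captured redirect from being replayed against another service or a second time.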

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di 
Fabio, Andrea
Sent: Friday, January 08, 2010 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] External LDAP Authentication through the firewall

I'd like to get some feedback on the pros and cons of allowing a vendor to 
directly query the internal LDAP for user authentication.  I do understand 
that there are tools out there like Shibboleth, but at this point we have gotten a 
specific request to allow AD authentication through our firewall for an 
InterLibrary Loan Software.  Save the "it should have been a well-thought-out 
process/project" comments ;-)  Sometimes we can control what other IT units do.

The MS LDAP is our main and central authentication and GP.  I am inclined to 
deny the request, but I would like to bounce it against you experts and 
possibly get some points for or against it that I can use when responding to 
the Library IT person and possibly to upper management.

Thank you!
