Firewall Wizards mailing list archives

Re: LDAP and Strong Auth


From: John Adams <jna () retina net>
Date: Tue, 16 Jan 2001 01:37:28 -0500 (EST)

On Mon, 15 Jan 2001, Jeff Newton wrote:

> Has anyone deployed LDAP with SecurID or Secure Computing's SafeWord
> Plus?  I am primarily interested in interoperability, and redundancy
> issues.

You could write a piece of code to do this, by modifying OpenLDAP to use
the SecurID API when it attempts to verify a user account (typically this
is an LDAP Bind call).

It shouldn't be too hard, and if you don't mind doing some development, it
can be very rewarding. Don't fall prey to what most companies do, which is
to spend money on expensive integration efforts so they can have a finger
to point when something breaks, instead of doing work and creating
intellectual property. 

> As for redundancy, I have never been a fan of ACE server's master and
> slave topology, especially with many remote WAN-dependent offices.
> SafeWord Plus is supposedly peer-to-peer.

I don't like the way ACE works either, because of the multiple sites
involved, and I also hate the fact that when I go to use a Cisco router, I
have to wait for my token to change -twice-. Once to log in, and again for
the enable. Logging into a Cisco router takes me nearly 60 seconds to get
to an enable prompt from ground zero, and when our network goes batty,
this costs me valuable time.

A single-use password system like ACE, but without the lag and redundancy
problems that the ACE Server has, would be nice. 

-john


--
J. Adams                                        http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.

