[unisog] LDAP access for 3rd parties

Gary Flynn flynngn at jmu.edu
Wed Feb 13 19:28:20 GMT 2008

Oscar Knight wrote:
> Hello Everyone,
> If you give a 3rd party access to your ldap for the purpose of 
> authenticating your users then they have access to your user's raw 
> password.  To me this is a serious general controls issue.
> We have other methods but are getting complaints from users that want 
> 3rd party applications and their vendor only seems to know ldap.  In 
> part I'm getting a lot of "well, site A, site B,...  are all allowing us 
>   to use their ldap service".

We've heard the same arguments here.

We have thus far not allowed outside access to our LDAP servers
though, as someone else mentioned, the same effect could be
obtained by proxying requests to any exposed LDAP authenticated
service. Of course, if a vendor is doing that to their customer
in an unauthorized manner, the problem does not require a
technical solution. :)

Also, as others have mentioned, there are alternatives:

1) A web authentication proxy
2) A federation scheme like Shibboleth
3) A certificate based system
4) Saying no to the use of university accounts and passwords
    by third parties.

If 1-3 are not feasible, saying yes or no to option 4 is a business 
decision. Management may decide to assume the risk in the interest
of enabling convenient business processes. All you can do is provide
your opinion and/or a risk assessment.

Issues involved in external use of university credentials:

1) As Pete mentioned, access to the same-signon credentials used at
    many universities may give the vendor access to data and services
    completely unrelated to and far above the level of sensitivity
    needed for the vendor's service.

    For example, they may have access to self-service student and
    employee administration systems, e-mail, access to licensed
    software and research material, remote access through firewalls
    and VPNs, certificates, and many other things that are probably
    not related to the vendor's business. Some accounts may be
    associated with elevated access rights compounding the problem.

    How much access to sensitive, personal, and operational data
    do they need? How much trust can be justified? How trustworthy
    is the vendor and its employees? How competent their desktop,
    system, and network administration? Enough to provide them keys
    to the organization's and constituents' kingdom?

2) Can account credentials protecting data covered by FERPA and
    HIPPA legally be provided to third parties for unrelated
    purposes? What happens if the vendor experiences a breach?

3) Should an individual assigned an account protecting personal
    information have a say in whether a third party should be
    given access? How are privacy policies and disclosures

4) Precedent. Not only for future vendors but what about
    individuals providing their own credentials to Facebook and
    Email providers to allow things like Blackboard and
    E-mail "mash-ups". How does the practice affect university
    appropriate use policies covering the use and sharing of
    university account passwords?

5) Direct exposure of the LDAP server to outside parties. Simple
    exposure has risk separate from its legitimate use. Is the
    LDAP server dedicated to public operations with limited data
    stored or is it a more general server that has lots of unrelated
    data in it that may be inadvertenly exposed. If the server
    is compromised, what are the effects to stored data and
    adjacent and dependent systems?

6) How does it affect Certificate Practices Statements or Levels
    of Assurance?

Gary Flynn
Security Engineer
James Madison University
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3229 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20080213/757cb639/attachment.bin 

More information about the unisog mailing list