[unisog] LDAP access for 3rd parties

Frank Bulk frnkblk at iname.com
Wed Feb 13 19:32:23 GMT 2008


Sounds like having something like RADIUS secrets for LDAP would be helpful
here.

We perform e-mail filtering that requires LDAP access to perform recipient
checking, and most customers are fortunately reluctant and come over to our
shop to type in their password.  They could create an alternate user that
perhaps has a "view" to a subset of LDAP objects and attributes, but it must
not be easy because they're not doing it.

Frank

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Oscar Knight
Sent: Wednesday, February 13, 2008 5:37 AM
To: UNIversity Security Operations Group
Subject: [unisog] LDAP access for 3rd parties

Hello Everyone,

If you give a 3rd party access to your LDAP for the purpose of
authenticating your users then they have access to your users' raw
passwords.  To me this is a serious general controls issue.

We have other methods but are getting complaints from users that want
3rd party applications and their vendor only seems to know LDAP.  In
part I'm getting a lot of "well, site A, site B, ... are all allowing us
to use their LDAP service".

Comments.

Thanks,
odk
--
Oscar D. Knight                           knightod at appstate dot edu
ITS                                                Voice: 828-262-6946
Appalachian State University, Boone, NC 28608        FAX: 828-262-2236
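
Added example, not part of the original thread: one way to give a mail-filtering vendor the restricted "view" mentioned in the reply, so that it can check recipients without reading anything else. It assumes an OpenLDAP server with the cn=config backend; the database name `{1}mdb`, the `dc=example,dc=edu` suffix and the `cn=mailfilter` service DN are placeholders, and it covers only recipient lookup, not third-party authentication of users.

```ldif
# Constructed example: every DN below is a placeholder for your own tree.
# Rule {0}: nobody but the owner can touch userPassword; anonymous sessions
#           may only use it to authenticate (needed for the bind itself).
# Rule {1}: the vendor's service account may search and read only the entry
#           and its mail attribute, and only under ou=people. Its search base
#           must be ou=people and its filter must use mail only,
#           e.g. (mail=user@example.edu).
# Rule {2}: the service account gets nothing else anywhere in the tree;
#           every other identity falls through ("break") to the rules the
#           site already has, which are shifted down and left unchanged.
# Apply as the config administrator, for example:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f mailfilter-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=edu" attrs=entry,mail
  by dn.exact="cn=mailfilter,ou=services,dc=example,dc=edu" read
  by * break
olcAccess: {2}to *
  by dn.exact="cn=mailfilter,ou=services,dc=example,dc=edu" none
  by * break
```

Binding as the service account and requesting `userPassword` or any attribute other than `mail` should return nothing; a separate credential per vendor keeps revocation to a single entry.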