[unisog] LDAP access for 3rd parties
cjf at calfrye.com
Wed Feb 13 20:30:07 GMT 2008
Oscar Knight wrote:
> Here's a scenario:
> There is an unauthorized access of protected information at the
> institutional site. An investigation reveals that the user
> changed their password then accessed institutional resources
> and a 3rd party site. The compromise came hours later. Further
> investigation does not reveal any problems at the institution.
> How do you proceed, i.e., how do you investigate the 3rd party?
We would have record of the site from which the LDAP bind occurred; so
if it's the third party...
We've sort of lost this battle with Blackboard, but have successfully
lobbied for the installation of secure lookups and a VPN tunnel back to
our campus. The terms of the contract further discuss the use of
passwords provided by users, including that they are not to be stored
past authentication completion, etc. This is a problem with technical
and legal aspects, and usually covered by contract, no?
-- Cal Frye, Network Administrator, Oberlin College
"It's wonderful how much you can learn when you admit you might not know
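
Added example, not part of the original message: one way to pull the bind record mentioned above out of directory logs, by tying each simple-bind result for an account back to the address its connection was accepted from. It assumes OpenLDAP slapd "stats"-style log lines (the post does not name the directory server); the log lines, DNs and address plan are constructed, and classify/binds_for are hypothetical helper names.

```python
import ipaddress
import re

# Hypothetical address plan (documentation ranges): label -> network.
NETWORKS = {
    "campus": ipaddress.ip_network("198.51.100.0/24"),
    "third-party": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed sample in slapd "stats" log style; conn 1002 and 1003 interleave.
SAMPLE_LOG = """\
Feb 13 09:02:11 ldap1 slapd[811]: conn=1001 fd=12 ACCEPT from IP=198.51.100.23:51234 (IP=0.0.0.0:636)
Feb 13 09:02:11 ldap1 slapd[811]: conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 09:02:11 ldap1 slapd[811]: conn=1001 op=0 RESULT tag=97 err=0 text=
Feb 13 09:40:02 ldap1 slapd[811]: conn=1002 fd=14 ACCEPT from IP=192.0.2.10:40022 (IP=0.0.0.0:636)
Feb 13 09:40:02 ldap1 slapd[811]: conn=1003 fd=15 ACCEPT from IP=198.51.100.77:40100 (IP=0.0.0.0:636)
Feb 13 09:40:02 ldap1 slapd[811]: conn=1002 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 09:40:02 ldap1 slapd[811]: conn=1003 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=edu" method=128
Feb 13 09:40:02 ldap1 slapd[811]: conn=1002 op=0 RESULT tag=97 err=0 text=
Feb 13 09:40:03 ldap1 slapd[811]: conn=1003 op=0 RESULT tag=97 err=49 text=
Feb 13 14:15:30 ldap1 slapd[811]: conn=1004 fd=16 ACCEPT from IP=203.0.113.5:33001 (IP=0.0.0.0:636)
Feb 13 14:15:30 ldap1 slapd[811]: conn=1004 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 14:15:30 ldap1 slapd[811]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=128')  # simple bind request
RESULT = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")    # tag 97 = bind response

def classify(ip):
    addr = ipaddress.ip_address(ip)
    return next((label for label, net in NETWORKS.items() if addr in net), "unknown")

def binds_for(log_text, dn):
    # Returns (timestamp, source IP, origin label, LDAP result code) per bind by dn.
    src, pending, hits = {}, {}, []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        conn, rest = m["conn"], m["rest"]
        if a := ACCEPT.search(rest):
            src[conn] = a["ip"]                      # connection -> client address
        elif b := BIND.search(rest):
            pending[(conn, b["op"])] = b["dn"].lower()
        elif r := RESULT.search(rest):
            if pending.pop((conn, r["op"]), None) == dn.lower():
                ip = src.get(conn)                   # None if ACCEPT was rotated out
                hits.append((m["ts"], ip, classify(ip) if ip else "unknown", int(r["err"])))
    return hits
```

Result code 0 is a successful bind and 49 is invalid credentials, so the output separates where the account authenticated from where it was only attempted.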