[unisog] LDAP access for 3rd parties

Cal Frye cjf at calfrye.com
Wed Feb 13 20:30:07 GMT 2008

Oscar Knight wrote:
> Here's a scenario:
>    There is an unauthorized access of protected information at the
>    institutional site.  An investigation reveals that the user
>    changed their password then accessed institutional resources
>    and a 3rd party site.  The compromise came hours later.  Further
>    investigation does not reveal any problems at the institution.
>    How do you proceed, i.e., how do you investigate the 3rd party?

We would have a record of the site from which the LDAP bind occurred; so 
if it's the third party...

We've sort of lost this battle with Blackboard, but have successfully 
lobbied for the installation of secure lookups and a VPN tunnel back to 
our campus. The terms of the contract further discuss the use of 
passwords provided by users, including that they are not to be stored 
past authentication completion, etc. This is a problem with technical 
and legal aspects, and usually covered by contract, no?

-- Cal Frye, Network Administrator, Oberlin College

    www.calfrye.com,  www.pitalabs.com

"It's wonderful how much you can learn when you admit you might not know 
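
Added example, not part of the original message: one way to pull "the site from which the LDAP bind occurred" out of directory server logs by joining each connection's source address to the binds made on it. It assumes OpenLDAP slapd "stats"-style log lines; the hosts, addresses and DNs are constructed for illustration.

```python
import re

# Constructed sample lines in OpenLDAP slapd "stats" log style (assumed format;
# every host, address and DN here is made up for illustration).
SAMPLE_LOG = """\
Feb 13 14:02:11 ldap1 slapd[911]: conn=1001 fd=12 ACCEPT from IP=10.1.1.5:40112 (IP=0.0.0.0:636)
Feb 13 14:02:11 ldap1 slapd[911]: conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 14:02:11 ldap1 slapd[911]: conn=1001 op=0 RESULT tag=97 err=0 text=
Feb 13 14:05:40 ldap1 slapd[911]: conn=1002 fd=14 ACCEPT from IP=198.51.100.20:55210 (IP=0.0.0.0:636)
Feb 13 14:05:40 ldap1 slapd[911]: conn=1002 op=0 BIND dn="cn=lms-svc,ou=services,dc=example,dc=edu" method=128
Feb 13 14:05:40 ldap1 slapd[911]: conn=1002 op=0 RESULT tag=97 err=0 text=
Feb 13 14:05:41 ldap1 slapd[911]: conn=1002 op=2 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 14:05:41 ldap1 slapd[911]: conn=1002 op=2 RESULT tag=97 err=0 text=
Feb 13 19:47:03 ldap1 slapd[911]: conn=1009 fd=15 ACCEPT from IP=203.0.113.77:33001 (IP=0.0.0.0:636)
Feb 13 19:47:03 ldap1 slapd[911]: conn=1009 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
Feb 13 19:47:03 ldap1 slapd[911]: conn=1009 op=0 RESULT tag=97 err=49 text=
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT = re.compile(r'ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^\s:]+):\d+')
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT = re.compile(r'op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')  # tag 97 = bind response

def binds_by_source(log_text, target_dn):
    """Return [(timestamp, source_ip, ldap_result_code)] for each bind attempted as target_dn."""
    src = {}      # conn id -> client address taken from the ACCEPT line
    pending = {}  # (conn, op) -> timestamp of a bind as target_dn awaiting its RESULT
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if (a := ACCEPT.search(rest)):
            src[conn] = a["ip"]
        elif (b := BIND.search(rest)):
            if b["dn"].lower() == target_dn.lower():  # DNs compared case-insensitively
                pending[(conn, b["op"])] = m["ts"]
        elif (r := RESULT.search(rest)):
            ts = pending.pop((conn, r["op"]), None)
            if ts is not None:
                out.append((ts, src.get(conn, "unknown"), int(r["err"])))
    return out

if __name__ == "__main__":
    for ts, ip, err in binds_by_source(SAMPLE_LOG, "uid=jdoe,ou=people,dc=example,dc=edu"):
        print(ts, ip, "success" if err == 0 else f"failed (err={err})")
```

In the constructed sample, the second bind arrives on a connection that first bound as a service account, which is the pattern a hosted application produces when it relays a user's password; result code 49 is invalidCredentials.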
