Is it a loophole to join ldap authentication? - ldap

If multiple systems join LDAP authentication, then any administrator of any one of them can get the password of any user's account. Right?

Applications authenticating against an LDAP directory are not going to be able to access all of the user passwords en masse provided you do not permit direct read access to the attribute or you do not store your passwords in clear text (if you use something like ldapsearch to dump an entry and have userpassword:: followed by a bunch of random looking 'stuff', that's an easily decoded clear text password). Apps I allow to access my LDAP server aren't given access to read all of the userPassword values to attempt reversing them out to clear text (and I'm using a decent encryption mechanism to store the userPassword value). I restrict the application service account to reading contact-type attributes (phone number, address) and group objects. The only way they get the user's password is by asking the user for it and binding against my directory with those credentials. Can an app admin grab credentials for those who use the application? Sure, they could.
On an out of the box application, I could attach a debugger and access the username/password values as they transit the application. With custom-written applications, it's even easier to grab the credentials. The application takes the username and password as user input and binds to the LDAP server to validate the username and password. As an LDAP server admin, there's nothing I can do to prevent the application developer from making calls and doing other things with that username and password. "Other things" may be legit -- I've handled LDAP directory migrations by authenticating against the old system and, on success, creating the user in the new LDAP directory with the password the old directory just accepted. It was an ugly way to migrate directories, but it worked. "Other things" may be malicious. Is it likely to encounter an app admin or developer who is siphoning off credentials? Depends on who is authenticating through your LDAP directory.
This isn't a unique failing of LDAP -- any authentication back-end that you let other people use directly suffers from the same problem. If you don't want the app admins/developers intercepting user credentials, look into federated identity management (FIM) -- an authentication mechanism where the app (service provider, in FIM terminology) doesn't have access to the username and password but rather validates a token of some sort that was created after a trusted "identity provider" authenticated the username and password.
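Added example, not part of the answer above: a small Python audit over an LDIF export of the kind the ldapsearch remark refers to. It unfolds continuation lines, decodes the base64 `userPassword::` values and reports every entry whose value has no `{scheme}` prefix, i.e. is stored in clear text. The sample export, the hash string in it and the scheme list are constructed for the demo.

```python
import base64
# Storage-scheme prefixes (RFC 2307 style) that mark a hashed rather than clear-text value.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SSHA256}", "{SSHA512}", "{CRYPT}", "{MD5}", "{SMD5}", "{PBKDF2")

def unfold_ldif(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def decode_ldif_value(line):
    """Return (attribute, value) for one LDIF line; 'attr:: ...' means the value is base64."""
    attr, sep, raw = line.partition(":")
    if not sep or not attr or attr[0] in " #":
        return None
    if raw.startswith(":"):
        return attr, base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return attr, raw.strip()

def find_cleartext_passwords(ldif_text):
    """Return (dn, decoded value) for every userPassword that carries no {scheme} prefix."""
    findings, dn = [], None
    for line in unfold_ldif(ldif_text):
        parsed = decode_ldif_value(line)
        if parsed is None:
            continue
        attr, value = parsed
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and not value.startswith(HASHED_SCHEMES):
            findings.append((dn, value))
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export: alice's value is a salted SHA hash, bob's is base64 of a
# clear-text password (only bob should be reported); bob's line is folded on purpose.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}1TNnTk9p2ATaZh6U3W8iB0ObXZtXWuiB"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("Summer2013!")[:8],
    " " + _b64("Summer2013!")[8:],
])
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; only the service account that performs the audit needs read access to userPassword, application accounts still do not.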

Related

Alfresco with LDAP, changing password of a user in Alfresco interface

I have successfully added ldap-ad to Alfresco. Now when I am creating a user in AD, it is synchronized with Alfresco and I get an Alfresco user. The question is, if a user Bob (that has been synced from AD) changes his password (in the Alfresco interface), in which authentication system will the password be changed, Alfresco or AD?
If the password will be changed in AD, then I have no other question, but as far as I know there is only one direction of sync, from AD to Alfresco, so Alfresco can't access the AD passwords and change them. Does this mean that Alfresco will create a password for Bob and store it in its own authentication system, and now Bob can log in with both the Alfresco and AD passwords (new and old)? And the most important question: how to avoid that? Thanks in advance.
Alfresco uses an authentication chain concept. That means you can configure more than one system for authentication, and if a user tries to authenticate, Alfresco steps through the configured chain and tries one system after the other until the user has been authenticated successfully; if the auth fails on the last chain member, the auth attempt is assumed to have failed.
Alfresco brings its own authentication subsystem to create and store users locally in the repo DB with passwords. Locally created users like admin are stored in the local subsystem alfrescoNtlm, which you can find in the node browser in the user://alfrescoUserStore/ store. That store is for the authentication of internal users only.
The "users" you see and manage in the Alfresco UI are of type cm:person, stored in the main store workspace://SpacesStore (/sys:system/sys:people/), but do not contain any password at all.
The LDAP sync only creates users in the workspace://SpacesStore under /sys:system/sys:people/, and once a user tries to log in Alfresco walks through the authentication.chain, which may look like this in production:
kerberos1:kerberos,ldap-ad2:ldap-ad,alfrescoNtlm1:alfrescoNtlm.
Alfresco Share only provides the user a "Change Password" dialog if the user is found in the local alfrescoUserStore. Alfresco never changes a password in any other system.
To test whether you have understood everything: what happens if a user max exists in the AD and in the local alfrescoUserStore and changes his password in the Alfresco UI? ;-)
If you are using LDAP for authentication, then the passwords will never be stored in Alfresco. Passwords will be stored in LDAP and will be linked with Alfresco by their email or usernames.
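Added example, constructed here rather than taken from Alfresco: a Python model of the authentication chain described in the first answer, with an ldap-ad member ahead of an alfrescoNtlm member (the kerberos member is left out), which can be used to work through the closing question about a user who exists both in AD and in the local alfrescoUserStore.

```python
# Constructed model of the chain described above, not Alfresco's code. The kerberos
# member is left out; the order ldap-ad2 before alfrescoNtlm1 follows the example chain.
class LdapAdSubsystem:
    """Directory authentication. The sync creates cm:person nodes only; no password
    is ever stored or changed on the Alfresco side."""
    def __init__(self, directory):
        self.directory = directory              # constructed AD: username -> password

    def authenticate(self, user, password):
        return self.directory.get(user) == password

    def has_local_password(self, user):
        return False


class AlfrescoNtlmSubsystem:
    """Local alfrescoUserStore: only users created here carry a password in the repo."""
    def __init__(self, store):
        self.store = store                      # username -> password

    def authenticate(self, user, password):
        return self.store.get(user) == password

    def has_local_password(self, user):
        return user in self.store

    def change_password(self, user, new_password):
        self.store[user] = new_password


class AuthenticationChain:
    def __init__(self, members):
        self.members = members                  # ordered (id, subsystem) pairs

    def login(self, user, password):
        """Try each member in order; the first one that accepts wins, else the login fails."""
        for member_id, subsystem in self.members:
            if subsystem.authenticate(user, password):
                return member_id
        return None

    def change_password(self, user, new_password):
        """Share shows the 'Change Password' dialog only for users in the local store,
        and the change never touches any other system."""
        for _, subsystem in self.members:
            if subsystem.has_local_password(user):
                subsystem.change_password(user, new_password)
                return True
        return False
```

For a user present in both stores, a change made in the Alfresco UI updates only the local store, so the old AD password still logs in via ldap-ad2 and the new one via alfrescoNtlm1.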

Using Flask Login with LDAP safe and secure

I am creating a login page with authentication using LDAP. I could see LDAP3 packages for Flask with login forms as well. I am looking for a form where the developer of the portal (say me or anyone in our team) is not able to add any print statements and sniff the username and password when someone logs in...
The Flask form is exposing the password variable as a plain string. Even if it doesn't expose it, it is possible to put a print statement in the flask_form validate function.
Is there any option available, like the form being bundled as a binary or C-Python module, where the developer has no option to sniff the credentials at all?
If that is not possible or there are no options available that they know of, does any other framework like Django help for this use case?
By design, server-side LDAP authentication requires that the server receive the username & password from the user and relay that information to the LDAP server. This means a developer could insert a line that logs all credentials out somewhere, grab the passwords from process traces, dump memory, etc. If you don't want any of the developers or system administrators to have access to user passwords, use some type of federated authentication instead of LDAP.
In a federated authentication scheme, the user auths against some other source (e.g. ADFS) and your app checks a token that essentially says "this trusted other auth source says the person is Lisa".
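Added example, not from this answer or the first one, showing the federated pattern both describe: an identity-provider side that signs an assertion naming the user after it alone has checked the password, and an app side that accepts the assertion only if the signature, algorithm, audience and expiry check out, without ever handling the password. The shared HMAC secret, audience string and claim names are assumptions for the demo; a real IdP such as ADFS more commonly uses asymmetric keys or SAML.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret and audience; a real identity provider (ADFS, a SAML/OIDC IdP)
# would more likely sign with an asymmetric key, but the separation of duties is the same.
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"
AUDIENCE = "flask-portal"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(username, now, ttl=300):
    """Identity-provider side: the IdP alone checked the password (e.g. by binding to LDAP)
    and signs an assertion naming the user. The app never sees the password."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def app_verify_token(token, now):
    """Service-provider (the web app) side: accept the assertion only if signature,
    algorithm, audience and expiry all check out. Returns the username or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        signature = _unb64url(sig_b64)
    except ValueError:                      # wrong shape, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":        # never let the token choose a weaker algorithm
        return None
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")
```

In the Flask app the login route would call app_verify_token on the token the IdP redirected back with and establish the session from the returned username; no password field exists for a developer to log.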

Accessing active directory from wpf application without having to request / resend credentials

I am writing a WPF application, and one feature I want to implement is the ability to display a list of computers in the domain. I have found some useful Active Directory code here:
http://www.codeproject.com/Articles/90142/Everything-in-Active-Directory-via-Csharp-NET-3-5-.aspx
Typically code examples dealing with AD seem to require the user's credentials to make requests. But it occurs to me that if you are running the application from a computer that is part of the domain, the user has already provided user credentials sufficient to access AD on that domain controller, when logging on to the system.
Is there some way that the user can access AD via my application without the app having to ask the user to reenter the same credentials again? I mean is there some kind of token that I can forward that indicates the user is already authenticated? I am concerned about the risks of having to store and transmit credentials securely when I don't have to.
Thanks for any advice.
I later discovered that if you are logged on to the domain, that is sufficient for you to access the active directory store, without having to supply further credentials or impersonate an admin. And in some cases you can also access it without being logged in at all.

Best practices for a Password Management System

I'm working on a password management system which stores the passwords of a bunch of services (gmail, bank of america account, youtube etc). The user will be able to launch each of these services by logging into my application. The application will then POST the username and password associated with that service to that service's login url in a new tab and you will be immediately logged in. My question is, this method exposes the actual password of the user to the client side (since I'm creating a form with username and password, in plain text, as hidden fields and calling form.submit). I'm wondering is there any other method by which this can be achieved? How do all the password management sites work? Your help is appreciated.
Do it server side, what else can I say? Anyway, I can only see this as a learning experience, not something that would eventually go into production. cUrl could be a good start. Why do you use form.submit anyway?
This is called "formfill" in terms of access management terminology, if you are thinking about access gateway (http). If you are thinking about browser plugin, have a look at the firefox autofill plugin. And which finally reduces to single sign-on.
Single sign-on is done in different ways:
some servers use Active Directory to store all the passwords and later access them using the master password, i.e. the Active Directory password of that user, to access his credentials.
Some use SAML.
Some use eDirectory.
Whatever you use, if it is a server-side application (e.g. Apache supports formfill), it parses all the forms based on form name or resource path and fills in credentials based on the authenticated session from the user.

Is it possible to 'directly' connect to LDAP using a smartcard for an alternate user to that logged in?

We have a requirement to get information about specific users from an LDAP directory based on a smartcard being presented. The application is already running under an AD user account, but using that user's access to LDAP will not have sufficient access to the specific users' data.
We have stumbled through a few parts of LDAP APIs and not had much luck finding info on how to make an LDAP bind call without username/password and more specifically with auth from a smartcard. Some of the MS LDAP appears to allow the option of using the current user token.
The best we have come up with is to use the SC to log in, then while impersonating the user create the LDAP connection using the current user token. Similar in idea to this MSDN blog.
Is there a better way?
The problem we are having with the impersonation is that the logged in user has to have certain rights for logging on other users to do the impersonation. Also while impersonating we need to limit other interactions, accessing the file system or registry as the alternate user is not desirable.