Title: RE: [ActiveDir] LDAP export pros/cons
I'll take a hard look at this option.  I do have an ISA server on the intranet/DMZ segment that I could add another NIC to and route that NIC on the extranet segment.  To answer your question, I do have internal network connectivity with the third party via a fiber connection in the same building, separated by a Cisco PIX on our end.
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 3:42 PM
To: '[email protected]'
Subject: RE: [ActiveDir] LDAP export pros/cons

The crazy thing here is that they'd have to have the password too in order to make this a single or simplified-sign-on solution. I'd see that as a major issue.
A trust has likely more access than you would want.
 
Have you looked at what RADIUS solutions can do for you?
 
Something along the lines of this http://www.isaserver.org/tutorials/ISA2004-RADIUS-Authentication-Web-Publishing-Rules-Part1.html with a little creativity might give you what you want.  The third-party host would use your reverse-proxy to permit or deny access.  You'd have to allow access via the network at some point but the RADIUS server could be in the extranet/dmz to help off-set some possible concerns. 
 
I don't know as I'd use a regular trust for them however.  I think this is a case of best tool for the job. Unless you have network connectivity with them already?
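Here is what the exchange Al describes would look like on the wire, as an added example written for this archive page and not code from anyone in the thread. It is a minimal RFC 2865 Access-Request / Access-Accept round trip in Python: the reverse proxy (the ISA box in the DMZ) sends only a user name and a hidden password, the RADIUS server checks it against a directory that never leaves your network, and only an accept or reject travels back. The shared secret, the sample account and the dictionary standing in for the AD lookup are constructed placeholders; a real RADIUS server would validate against AD instead of a dict.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed placeholders for this example only (not values from the thread).
SHARED_SECRET = b"example-shared-secret"          # RADIUS client/server shared secret
DIRECTORY = {"rleali": "CorrectHorseBatteryStaple"}  # stands in for the AD lookup

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator.  This is obfuscation keyed on the shared secret, which is
    why the secret must be long and random and the RADIUS path should be on
    a protected segment."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, run on the server side."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return plain.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, includes header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username: str, password: str, ident: int, secret: bytes) -> bytes:
    """What the reverse proxy (RADIUS client) sends: header, a fresh random
    Request Authenticator, and the User-Name / User-Password attributes."""
    req_auth = secrets.token_bytes(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
    ])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(packet: bytes, secret: bytes, directory: dict) -> bytes:
    """What the RADIUS server in the DMZ does: recover the password, check it
    against the directory it alone can reach, and answer Accept or Reject.
    No directory data is placed in the response."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    stored = directory.get(username)
    ok = stored is not None and hmac.compare_digest(password, stored.encode())
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3.
    resp_auth = hashlib.md5(header + req_auth + b"" + secret).digest()
    return header + resp_auth


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the reply really came from a holder of the secret
    and matches the request it was sent for (the Request Authenticator binds them)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(username: str, password: str, secret: bytes = SHARED_SECRET,
                 directory: dict = DIRECTORY) -> bool:
    """Full round trip as the reverse proxy would run it."""
    request = build_access_request(username, password, ident=7, secret=secret)
    response = radius_server(request, secret, directory)
    if not response_is_authentic(response, request, secret):
        return False
    return response[0] == CODE_ACCESS_ACCEPT


if __name__ == "__main__":
    print("good password:", authenticate("rleali", "CorrectHorseBatteryStaple"))
    print("bad password:", authenticate("rleali", "wrong"))
```

The point to take from the round trip is what crosses each boundary: the third-party host only ever learns "accept" or "reject" from the proxy, the directory lookup happens on your side, and the one thing the third party's portal never has to hold is the user's AD password. The shared secret is the only key protecting the User-Password attribute, so it deserves the same handling as any other credential.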
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 4:05 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP export pros/cons

I understand what you are saying and agree.  On the same topic, what do you suggest is the best practice for having users authenticate to a third party web portal? Is it better to set up a one-way non-transitive trust between the two forests or domains, or go with an LDAP export, assuming this is going to be a long term solution?  The only thing we are trying to do is to allow our users to log into the third party web portal without having to learn an additional user name & password.  I do not want to give out any more information than that about my users.
 
Thanks for the quick responses.
 
R- 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 20, 2005 2:27 PM
To: '[email protected]'
Subject: RE: [ActiveDir] LDAP export pros/cons

Not sure there are any documented risks.  Risks being relational to the entity taking them.
 
However, as a disinterested third party I'd have to point out that the risk is not technical in nature but rather about the information you're sharing.  I suppose the information you give out is far more important to the conversation, but it seems you don't know these folks nor trust them really.  If that's the case, then it's possible you could be giving out the account information to a non-trusted source. 
 
The questions you need to ask are "what can they do with the information I provide and can I take any action to protect myself?"
 
Some folks wouldn't have a problem giving out that information.  Others would.  You'll need to assess that risk based on the information you plan to give out.
 
Email addresses are a unique identifier by the way.  And usually public knowledge.


From: Robert N. Leali [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:18 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP export pros/cons

That's correct.  Looking for risks associated ....


From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Thu 1/20/2005 2:05 PM
To: '[email protected]'
Subject: RE: [ActiveDir] LDAP export pros/cons

Are you looking for risks associated with giving your directory away to a
semi-trusted third party?  Did I paraphrase that correctly?

Al

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Thursday, January 20, 2005 3:01 PM
To: [email protected]
Subject: [ActiveDir] LDAP export pros/cons

Can someone point me to a white paper or article that gives the pros and
cons and security implications of allowing a semi-trusted third-party to
access our AD with an LDAP export to an RSA server?

We are being asked to allow our users to authenticate to a third party web
portal using their current Windows 2003 AD accounts.  The third party wants
an LDAP export to their RSA server and an account that has appropriate
access to allow authentication to the AD box.  This is in an extra-net
environment.

Any guidance or advice would be appreciated.

Robert
----
The information contained in this e-mail transmittal, including any attached
document(s) is confidential. The information is intended only for the use of
the named recipient. If you are not the named recipient, you are hereby
notified that any use, disclosure, copying, or distribution of the contents
hereof is strictly prohibited.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
