The browser sessions are within SSL connections, and the PS-AD piece runs over LDAP/SSL, so the network exposure isn't bad. Our largest risk is the sticky notes with passwords on monitors or under keyboards, combined with trivial social engineering exploits that would be successful against the majority of our users.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, January 21, 2005 8:56 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP export pros/cons

I'd be more concerned about malicious users inside your network being able to sniff that traffic and obtain usernames/passwords pretty easily.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, January 21, 2005 10:36 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP export pros/cons

In our case, it's a PeopleSoft portal that is using AD as the authentication provider via the LDAP bind. My logon IDs match in PeopleSoft and AD, so that's how PS correlates a successful AD bind to a PS user.

No argument that using LDAP as an authentication method isn't nearly as secure as Kerberos, but we sufficiently trust our in-house PeopleSoft folks to not get ulcers over the setup, along with some other technical and policy measures to reduce our risk exposure. There are other groups in our organization with whom we would not do something like this. Those groups probably don't trust us either :-)

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
