Eric J. Hoffman wrote:
> Have an app that is remote from a network that is your standard LDAP/AD
> deal....the client's folks really want the remote app to authenticate
> back via LDAP.

Is LDAP a means or an end here? Do they specifically want LDAP or do they want 
something that allows single sign on and ties into AD and is LDAP just the 
first thing that came to their mind?


> Now, I don't want to open up 389 in the firewall at all; so for you
> great CF minds out there....is it even remotely advisable to setup a
> firewall rule to accept 389 LDAP requests from a single IP
> address.....so this CF app can do its thing??

If they really want LDAP, you are going to have to give them LDAP. You can 
argue a security baseline and require IPSec, TLS, server hardening etc., but in 
the end the client is king.


> I always err on the side of no in these situations....but limiting it to
> a specific IP is decent...but relies on that system being correct and
> free of breach....have others seen this go on?

If they really want LDAP the entire security of the AD can be breached. The 
problem with LDAP authentication is that the users enter their credentials on 
the remote application, and the remote application checks the credentials with 
the LDAP server. If the remote application is breached, the credentials are 
breached because they pass through the remote application.

What you really want is a Trusted Third Party setup where the users enter their 
credentials at the AD, and then the AD guarantees the identity to the remote 
application without revealing the credentials. If the remote application is 
breached, only the remote application is breached, not the credentials. If you 
want to do this right you should use something like Kerberos, A-Select, 
Shibboleth.

Jochem
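The two flows Jochem contrasts, as an added model that is not code from this thread or from any of the products named. It is a simulation, not a real LDAP or Kerberos client: `DirectoryServer.simple_bind` stands in for an LDAP simple bind, `IdentityProvider` is a hypothetical trusted third party whose HMAC-signed JSON body stands in for a Kerberos service ticket or SAML assertion, and the user, password, salt and application id are constructed for the example. The point it makes concrete is the one in the post: with pass-through LDAP the remote app holds every password it ever checks, while with an assertion the remote app only ever holds something it can verify but that cannot be replayed against the directory.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed credential store: the directory holds only a salted PBKDF2 hash.
_SALT = b"constructed-demo-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


_DIRECTORY = {"alice": _pw_hash("correct horse battery staple")}  # constructed user


class DirectoryServer:
    """Stands in for AD/LDAP. Only this component holds the credential store."""

    def simple_bind(self, username: str, password: str) -> bool:
        # Models an LDAP simple bind: whoever binds must hold the cleartext password.
        stored = _DIRECTORY.get(username)
        return stored is not None and hmac.compare_digest(stored, _pw_hash(password))


class LdapPassThroughApp:
    """The pattern the post warns about: the remote app collects the password
    and binds to the directory with it. Whatever the app handles, an attacker
    who compromises the app can capture."""

    def __init__(self, directory: DirectoryServer):
        self.directory = directory
        self.observed_passwords = []  # records what a breached app would leak

    def login(self, username: str, password: str) -> bool:
        self.observed_passwords.append(password)
        return self.directory.simple_bind(username, password)


class IdentityProvider:
    """Hypothetical trusted third party: users authenticate here, next to the
    directory, and get a signed, audience-bound, short-lived assertion. The
    HMAC over the JSON body stands in for a Kerberos ticket / SAML signature;
    the per-app key models the long-term key shared between KDC and service."""

    def __init__(self, directory: DirectoryServer):
        self.directory = directory
        self.app_keys = {}

    def register_app(self, app_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.app_keys[app_id] = key
        return key

    def authenticate(self, username: str, password: str, app_id: str,
                     now: Optional[float] = None) -> Optional[dict]:
        if not self.directory.simple_bind(username, password):
            return None
        now = time.time() if now is None else now
        body = {"sub": username, "aud": app_id, "iat": now, "exp": now + 300}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.app_keys[app_id], payload.encode(), "sha256").hexdigest()
        return {"payload": payload, "sig": sig}


class AssertionApp:
    """The remote app under the trusted-third-party model: it never sees a
    password, only an assertion it can verify with its own key."""

    def __init__(self, app_id: str, shared_key: bytes):
        self.app_id = app_id
        self.key = shared_key
        self.observed_passwords = []  # stays empty: nothing to leak on breach

    def login(self, assertion: dict, now: Optional[float] = None) -> Optional[str]:
        payload = assertion["payload"].encode()
        expected = hmac.new(self.key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # forged or tampered
        body = json.loads(payload)
        now = time.time() if now is None else now
        if body["aud"] != self.app_id:
            return None  # issued for some other service
        if now > body["exp"]:
            return None  # expired
        return body["sub"]


def demo() -> dict:
    """Run both flows for the constructed user and report what each app saw."""
    directory = DirectoryServer()
    pw = "correct horse battery staple"

    ldap_app = LdapPassThroughApp(directory)
    ldap_ok = ldap_app.login("alice", pw)

    idp = IdentityProvider(directory)
    key = idp.register_app("remote-cf-app")
    ttp_app = AssertionApp("remote-cf-app", key)
    assertion = idp.authenticate("alice", pw, "remote-cf-app", now=1000.0)
    ttp_user = ttp_app.login(assertion, now=1010.0)

    return {
        "ldap_login_ok": ldap_ok,
        "ldap_app_saw": list(ldap_app.observed_passwords),
        "ttp_user": ttp_user,
        "ttp_app_saw": list(ttp_app.observed_passwords),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the pass-through app ending up with the cleartext password in its hands while the assertion-based app ends with nothing a breach could replay against the directory; the audience and expiry checks are what keep an assertion stolen from one service from being presented to another or reused later.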



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285421