Re: How to add an extra password field to an AD?



Joe Kaplan wrote:
> Your AD administrators are not quite correct, in that it is possible to put data into AD that is not world-readable. It isn't totally straightforward, but it can be done.

Good news. What do I need to tell them?

> Explain how this application is going to authenticate AD users if it isn't going to use the AD user's password, but a different password. Is that not in effect a different user? What is the point?

It is in effect a different set of credentials, but one that can be administered right beside the "normal" AD stuff, goes away when the AD user is locked or deleted, and has an administration interface that the people are already familiar with.

The point is that the service password is likely to be _stored_ on the client system and is easy to compromise. In that case, I'd like the AD password (which gives access to the Windows resources) to stay safe.

> You cannot add another attribute to AD and have that be used for an LDAP bind operation, so you cannot do what you want to do anyway, assuming that the device in question uses a standard LDAP bind to do LDAP authentication.

I have some control over the LDAP connector. It is open source ;)

> Plaintext credentials are not necessarily a problem from a networking perspective if you use SSL.

SSL cannot be used here since the protocol being used does not have an SSL variant. Also, my real concern (sorry if I didn't write that clearly enough in the original message) is the password being stored on the client system.

There are enough services (think SIP with a mainstream VoIP telephone) that do not allow SSL to be used.

> Both AD and ADAM can be configured with an SSL certificate for LDAP traffic, so that might help mitigate that risk.

My concern is not the LDAP traffic between the service server and the LDAP server, it is between service client and service server.

> If the problem is really that you don't want this app to have access to the user's plaintext credentials and it doesn't support Windows authentication (Kerberos/NTLM), then I don't see how you can reconcile that requirement with the desire to authenticate against AD.

I actually don't want the app to see AD passwords that give access to Windows resources. I don't care whether the app sees its own passwords.

Greetings
Marc
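As an added example (my own, not code from Marc's post or Joe's reply), here is what the two halves of Joe's advice look like in practice: data in AD that is not world-readable means a schema attribute with the confidential bit (searchFlags 128) set, readable only by principals that hold CONTROL_ACCESS on it; and since an LDAP bind can only ever check the AD password, the connector binds with its own service account, reads the attribute, and verifies the service password itself. The attribute name svcPasswordHash, the OID, the OU path, the EXAMPLE\svc-sip service account and the user alice are placeholders I made up; steps 1 and 2 need Schema Admins on the schema master and step 3 needs rights on the OU.

```powershell
# Added example, not from the thread. Per-user service password kept in a
# confidential AD attribute and verified by the application's connector.
# Placeholders: svcPasswordHash, the OID below, OU=Staff,DC=example,DC=com,
# EXAMPLE\svc-sip and the user alice. Adjust for your forest.

Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# --- 1. Create the attribute with the confidential bit already set. ----------
# searchFlags 128 (bit 7): only principals with CONTROL_ACCESS on the attribute
# can read it; everyone else sees it as absent. The bit cannot be set on base
# schema attributes, so a new attribute is required.
New-ADObject -Name 'svcPasswordHash' -Type attributeSchema -Path $schemaNC -OtherAttributes @{
    lDAPDisplayName  = 'svcPasswordHash'
    attributeID      = '1.2.840.113556.1.8000.2554.999'   # placeholder; use an OID from your own arc
    attributeSyntax  = '2.5.5.12'                         # Unicode string
    oMSyntax         = 64
    isSingleValued   = $true
    searchFlags      = 128                                # confidential
    adminDescription = 'Salted PBKDF2 hash of the per-user service password'
}

# --- 2. Allow the attribute on user objects and reload the schema cache. -----
Set-ADObject -Identity "CN=User,$schemaNC" -Add @{ mayContain = 'svcPasswordHash' }
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# --- 3. Grant the connector's service account CONTROL_ACCESS (dsacls "CA") on
# this one attribute, for user objects under the OU. Accounts with Full Control
# (Domain Admins etc.) already hold it, so "not world-readable" excludes them.
dsacls 'OU=Staff,DC=example,DC=com' /I:S /G 'EXAMPLE\svc-sip:CA;svcPasswordHash;user'

# --- 4. Never store the service password itself; store PBKDF2(salt, password).
function Set-ServicePassword {
    param([string]$SamAccountName, [string]$Password, [int]$Iterations = 100000)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    $hash = $kdf.GetBytes(32)
    # record layout: pbkdf2$<iterations>$<salt b64>$<hash b64>
    $record = @('pbkdf2', $Iterations,
                [Convert]::ToBase64String($salt),
                [Convert]::ToBase64String($hash)) -join '$'
    Set-ADUser -Identity $SamAccountName -Replace @{ svcPasswordHash = $record }
}

# --- 5. What the connector does at login. It must run as EXAMPLE\svc-sip (or
# another holder of CONTROL_ACCESS); any other bind reads the attribute as
# $null and the check fails closed. A disabled or locked-out AD account fails
# too, which is the "goes away with the AD user" property wanted above.
function Test-ServicePassword {
    param([string]$SamAccountName, [string]$Password)
    $u = Get-ADUser -Identity $SamAccountName -Properties svcPasswordHash, LockedOut
    if (-not $u.Enabled -or $u.LockedOut) { return $false }
    $record = $u.svcPasswordHash
    if (-not $record) { return $false }          # no secret set, or no CONTROL_ACCESS
    $algo, $iter, $saltB64, $hashB64 = $record -split '\$'
    if ($algo -ne 'pbkdf2') { return $false }
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes(
                $Password, [Convert]::FromBase64String($saltB64), [int]$iter)
    $calc   = $kdf.GetBytes(32)
    $stored = [Convert]::FromBase64String($hashB64)
    # constant-time comparison so a wrong guess does not leak how many bytes matched
    $diff = $calc.Length -bxor $stored.Length
    for ($i = 0; $i -lt [Math]::Min($calc.Length, $stored.Length); $i++) {
        $diff = $diff -bor ($calc[$i] -bxor $stored[$i])
    }
    return ($diff -eq 0)
}

Set-ServicePassword  -SamAccountName 'alice' -Password 'sip-only-secret'
Test-ServicePassword -SamAccountName 'alice' -Password 'sip-only-secret'
Test-ServicePassword -SamAccountName 'alice' -Password 'not-the-service-password'
```

Two caveats. The confidential bit only protects the attribute inside AD: anyone who can read the SAM-level secret (the value the SIP client stores locally, in this design) can still use it for the service, which is the compromise Marc is accepting on purpose, and the AD password is never handed to the connector. And because the connector compares hashes instead of binding as the user, a compromised connector host exposes the svc-sip credential and the hashes, not the users' AD passwords, so svc-sip should hold nothing beyond CONTROL_ACCESS on that one attribute.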