
Version 2 (modified by lttoth@…, 10 years ago)


Directory Related Security

Original author - Beth Mercer : 20081103

See also:

EDIR/AUTHSERV Access Control
Directory Account Administration

The Enterprise Directory is used for external authentication to several applications, some thin client (web) and some thick client. In addition, some applications rely on directory attributes to authorize access within the application.

For the most part, thin client authentications rely on the Shibboleth IdP, a web-based authentication service that draws upon the iPlanet LDAP as its authority. However, there are exceptions to that rule: the AUTHSERV UI and EDIR self-service UI still authenticate directly to iPlanet. Thick clients rely on LDAP authentication, a process of binding to the Enterprise Directory with user-supplied credentials to determine whether the user is who they claim to be.

AUTHSERV, EDIR, their UPDATE back end and OnBase are examples of both thin and thick clients that rely on directory attributes to authorize access within those applications. AUTHSERV, EDIR and their UPDATE back end rely on values stored in the EDIRrole attribute to scope who has privilege to perform what actions within the Enterprise Directory. OnBase relies on group memberships recorded in the isMemberOf attribute.

Note: EDIRrole is a locally defined attribute created before we became familiar with the isMemberOf attribute, which is an attribute common to directory deployments.

Because of the key role the Enterprise Directory plays in application authentication and authorization, it is critical that directory access (who can administer accounts and who can update directory attributes) be strictly controlled.

Directory ACIs determine who can update directory attributes, so maintenance of appropriate ACIs is critical to good security.

Directory attributes are used by applications to make authorization decisions, so control over the people and processes that provision security-related attributes is critical to good security.

Directory credentials are used to authenticate to applications which may contain sensitive personal or institutional information, so control over the processes and people that perform account administration is critical to good security.
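One way to review the ACIs described above is to list every allow rule that lets a subject modify an authorization attribute. The following is an added example, not code from this wiki or its authors: it assumes ACIs exported as LDIF in the iPlanet/Sun-style `aci:` syntax, the sample entries and DNs are constructed, and `userPassword` is an assumed stand-in for directory credentials.

```python
import re

# EDIRrole and isMemberOf are the authorization attributes the page names;
# userPassword is an added assumption standing in for directory credentials.
SENSITIVE = {"edirrole", "ismemberof", "userpassword"}
BROAD = {"ldap:///anyone", "ldap:///all"}   # anonymous / any bound user
MODIFY = {"write", "add", "delete", "all"}

ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)'
    r'.*?acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*allow\s*\((?P<rights>[^)]*)\)(?P<subject>[^;]*);', re.I | re.S)

def audit(ldif):
    """Return one finding per allow-ACI that lets a subject modify a SENSITIVE attribute."""
    text = re.sub(r"\n ", "", ldif)             # unfold LDIF continuation lines
    findings = []
    for line in text.splitlines():
        m = ACI_RE.search(line) if line.lower().startswith("aci:") else None
        if not m:                               # not an ACI, no targetattr, or a deny rule
            continue
        attrs = {a.strip().lower() for a in m["attrs"].split("||")}
        if m["op"] == "=":
            hit = SENSITIVE if "*" in attrs else SENSITIVE & attrs
        else:                                   # targetattr != "x" covers everything except x
            hit = set() if "*" in attrs else SENSITIVE - attrs
        rights = {r.strip().lower() for r in m["rights"].split(",")}
        if not hit or not rights & MODIFY:
            continue
        subjects = [s.strip().lower()
                    for q in re.findall(r'"([^"]*)"', m["subject"])
                    for s in q.split("||")]
        findings.append({"acl": m["name"], "attrs": sorted(hit),
                         "subjects": subjects,
                         "broad": any(s in BROAD for s in subjects)})
    return findings

# Constructed sample export; DNs and ACL names are hypothetical.
SAMPLE = '''dn: ou=People,dc=example,dc=edu
aci: (targetattr = "EDIRrole || isMemberOf")(version 3.0; acl "role admins";
  allow (write) groupdn = "ldap:///cn=edir-admins,ou=Groups,dc=example,dc=edu";)
aci: (targetattr = "*")(version 3.0; acl "self service"; allow (read, write) userdn = "ldap:///all";)
aci: (targetattr != "userPassword")(version 3.0; acl "public read"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "mail || telephoneNumber")(version 3.0; acl "self update"; allow (write) userdn = "ldap:///self";)
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("REVIEW" if f["broad"] else "ok    ", f["acl"], f["attrs"], f["subjects"])
```

Findings with `broad` set are the ones to fix first; the rest form the list of subjects whose group membership then needs the same scrutiny as the ACI itself.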

########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20081103 elm original doc