Skip to Content.
Sympa Menu

assurance - [Assurance] InCommon Silver/AD cookbook updated

Subject: Assurance

List archive

[Assurance] InCommon Silver/AD cookbook updated


Chronological Thread 
  • From: "Roy, Nicholas S" <>
  • To: "" <>
  • Subject: [Assurance] InCommon Silver/AD cookbook updated
  • Date: Fri, 18 Nov 2011 17:05:39 +0000
  • Accept-language: en-US

Hello, InCommon Assurance folk.  If you are interested in Active Directory and InCommon Silver, please read on.  If not, please disregard this message.

 

I’ve made some updates to the Silver/AD cookbook:

 

https://spaces.internet2.edu/display/cicincsilver/InCommon+Silver+with+Active+Directory+Cookbook+-+DRAFT

 

Some of the less minor updates that I did were to insert notes in places where we are missing things, in some cases these might have gotten changed or deleted during edits that removed references to locations in the text that previously existed.  These are mostly in section 4.2.5.2’s Management Assertions subsection.  They are bold, italicized, and begin with “NOTE”

 

The first item of note refers to section 4.2.3.2 and 4.2.3.3 which are sections that cover password entropy, so I’m not sure how a management assertion about an eavesdropper attack would be relevant.

 

The second item of note says that Kerberos is acceptable for preventing eavesdropper attacks, but the language of the IAP requires that nothing that the attacker did not already know about the password can be gained by analyzing the messages passing between subject and verifier.  With Kerberos, this isn’t the case, to the best of my knowledge.  The text that existed in this section before my edit contained a reference to a paragraph that no longer seems to exist in the assertions (“Basic LDAP binds using SSPI for security that require Kerberos are acceptable because they use Kerberos for authentication, covered under the first paragraph of this assertion.”) – If you edited these assertions and recall where this paragraph went, or know of a reason why Kerberos is acceptable for this section of the IAP, please edit the wiki or let me know and I can add it.

 

The third note is in Appendix B and is a place holder for Alex or Warren or anyone else who has experience with signed LDAP binds and OS X to put their information on how well or otherwise this works.  If you have any experience with OS X or other clients and requiring signed binds in AD, please let me know and I can help to get that information added to the appendix.

 

Thanks,

 

Nick

 

------------

Nicholas Roy – Identity Architect

The University of Iowa / ITS - Administrative Information Systems / Directory and Authentication

 




Archive powered by MHonArc 2.6.16.

Top of Page