Global Security Forum

  • 1.  Using a PIN as password with LDAP BIND

    Posted Fri June 19, 2020 06:51 AM
    Hi all,
    Reading through the SDS 8.1 documentation, I found that you can use any unique attribute to bind, but you still need the password attribute. Also, with the supplied SASL mechanisms I couldn't find an option to use any attribute to store a PIN and use it like a password. I probably could use LDAP_COMPARE and create my own code, but I thought there might be an option with LDAP_BIND. The idea is to use a PIN and/or a password, like you can with Windows. Any suggestions?

    Thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: Using a PIN as password with LDAP BIND

    Posted Mon June 22, 2020 03:22 AM
    Hi Jens,

    First of all, let me say that you might get more responses to IAM-related questions on the IAM-specific community group. Direct link: https://ibm.biz/iamcommunity

    On this question, I'm pretty sure what you are asking is not possible natively in SDS (unless there is some custom extension point I don't know about).

    You could write your own code client-side using compare (as you suggested), but I'm not sure if you can have other fields hashed like the password. Hashing (vs. encryption) is an important part of password security. Someone else will have to comment on that.

    You compared this function to the Windows password/PIN, but isn't that function mainly there to support a central account password and a local PIN, i.e. the two mechanisms are related to different storage locations and purposes?

    I'm struggling with the purpose of two different passwords for the same account. The user, and any attacker, would surely only ever use the shorter one?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Using a PIN as password with LDAP BIND

    Posted Mon June 22, 2020 05:28 AM

    Hi Jon,
    Thank you for your support. I thought this is more about authentication and LDAP; it's basically not IDM, I'd say.

    It's possible to hash attributes and also to encrypt them; that's a feature of SDS. As said, it's also possible to use any unique attribute/value instead of the DN for login, but it still uses the password. I just thought I had missed something. But OK, so we need to develop a SASL plugin or use a client-side implementation.

    The customer uses the PIN like the PUK you get with your SIM card. I already pointed out that there are several better methods we could use with ISAM more or less out of the box. The argument here is that you don't need anything but the code. They also use it for identification via phone.

    We've already developed an INFOMAP doing the job, but for now without hashing. So we need to add the code; it's just not as flexible as using the LDAP server itself.

    Thanks



    ------------------------------
    Jens Petersen
    ------------------------------