
September 2008 Archives

September 2, 2008

Clarifying EUS and Kerberos

One of our sales consultants had some questions on OVD, Enterprise User Security (EUS) and Kerberos. Remember, EUS is the Oracle Database feature that lets you centralize the management of users and roles in your enterprise directory.

The database supports multiple models of authentication.

They are:

  • username and password
  • digital certificates (aka x.509)
  • Kerberos
  • RADIUS

The first three are supported by EUS; the last, RADIUS, is not.

Username and password is the easiest, but it does mean that with EUS an MD5 or SHA1 hash of the password has to be stored in the enterprise directory. For Active Directory we have a DLL that uses Microsoft's Password Notifier API to do this for us, since AD doesn't do this automatically. For Sun (and Fedora, though we haven't officially certified it) the standard userpassword attribute is already hashed properly.
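As an added illustration (not code from this post or from Oracle), here is how a directory-style hashed userpassword value is produced and checked, using the RFC 2307 {SHA}/{SSHA}/{MD5}/{SMD5} prefix convention that Sun and OpenLDAP-derived servers use. The entry names and passwords are constructed, and the exact attribute format EUS expects for a particular directory is an assumption to confirm against the Oracle documentation.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Digest length per scheme, used to split the salt off a salted value.
DIGEST_LEN = {"SHA": 20, "SSHA": 20, "MD5": 16, "SMD5": 16}
SALTED = ("SSHA", "SMD5")


def encode_userpassword(password: str, scheme: str = "SSHA",
                        salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307-style value such as {SSHA}base64(digest + salt).

    {SHA}/{MD5} are unsalted; {SSHA}/{SMD5} hash password+salt and store the
    salt after the digest so a verifier can recover it.
    """
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError(f"unsupported scheme {scheme}")
    pw = password.encode("utf-8")
    algo = hashlib.sha1 if "SHA" in scheme else hashlib.md5
    if scheme in SALTED:
        salt = os.urandom(8) if salt is None else salt
        raw = algo(pw + salt).digest() + salt
    else:
        raw = algo(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def stored_scheme(stored: str) -> str:
    """Return the scheme prefix of a stored value, or PLAINTEXT if there is none."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "PLAINTEXT"


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored hashed value.

    A value with no recognised scheme prefix is rejected rather than compared
    as plaintext; that is exactly the entry a directory audit should surface.
    """
    scheme = stored_scheme(stored)
    if scheme not in DIGEST_LEN:
        return False
    raw = base64.b64decode(stored[len(scheme) + 2:])
    n = DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]          # salt is empty for unsalted schemes
    algo = hashlib.sha1 if "SHA" in scheme else hashlib.md5
    expected = algo(candidate.encode("utf-8") + salt).digest()
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, expected)


def audit_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Map each DN to its password scheme so plaintext entries stand out."""
    return {dn: stored_scheme(value) for dn, value in entries.items()}


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": encode_userpassword("correct horse", "SSHA"),
    "uid=bob,ou=people,dc=example,dc=com": encode_userpassword("hunter2", "SHA"),
    "uid=legacy,ou=people,dc=example,dc=com": "hunter2",   # never hashed; EUS cannot use it
}

if __name__ == "__main__":
    for dn, scheme in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{scheme:10} {dn}")
    alice = SAMPLE_ENTRIES["uid=alice,ou=people,dc=example,dc=com"]
    print(verify_userpassword(alice, "correct horse"), verify_userpassword(alice, "wrong"))
```

The audit function is the piece worth running before enabling EUS against an existing directory: any entry reported as PLAINTEXT (or as an unsalted scheme, if your policy forbids those) will not work, or will not be acceptable, for password authentication.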

If you are using Kerberos, the upside is that you don't need to exchange passwords. Instead the client gets a ticket from the KDC (these days that's likely to be Microsoft AD, though I have run into MIT recently) and then the ticket can be used to validate their credentials against the database (this is a simplification of Kerberos, but if you really want to know more you can read the details). In Kerberos the database verifies the credentials. It only uses EUS to map the user to a database schema and database role.

Now to answer some specific questions - which I can update later:

Q1 - the LDAP listener is not Kerberos (authentication) enabled?

A1 - Correct, OVD currently does not support Kerberos authentication. This is not generally a limitation, since no common LDAP client application that I'm aware of requires Kerberos authentication. Also, the Kerberos protocol does not easily open itself up to virtualization. Perhaps this will change when the world starts to adopt STS technologies.

Q2 - the LDAP adapter acts as a client and is Kerberos enabled?

A2 - Yes, OVD can take a simple bind (e.g. username and password) from an LDAP client application and verify that password against Active Directory using Kerberos. This is useful if a company doesn't have SSL enabled on AD (but has SSL on OVD) and wants to securely validate passwords against AD.

Q3 - I can't use my Kerberos ticket (obtained while logging in to a Windows domain) to authenticate to OVD and do a query?

A3 - This depends, because LDAP is like a database - most of the time end-users are not connecting directly to the system - they use client applications. If the client application is web-based and configured to do Windows SSO - then yes. If it's a third-party application that cannot, then you will need to re-type your credentials. Even if we could accept Kerberos tokens - OVD (just as ANY other Kerberos-enabled application) is dependent upon the client application to support it as well. This is why Kerberos never took off in great numbers prior to the release of Active Directory (which gave everyone who ran Windows a KDC whether they wanted it or not) and the Web.

Ugh - More Blog Drama

Today I wanted to do good and plug our first posted OVD customer case study and highlight our new directory services blog. But just after I finally figured out how to get my posts properly posted - I got word, we had to pull the posts. It's nothing major - just that we have some central location that hosts them and then we can publicly link them.

As I used to say to my "How to build web page" students when I taught - "The only difference between a novice and a guru is the number of people who know when you screw up".

Sorry for any confusion if you followed the earlier links.

September 11, 2008

Even More Presentations on Oracle Directory Services at OOW 2008

Here is the complete list that I know of that will cover Oracle Directory Services (OVD, OID) at OOW 2008. I am expecting to present at the first three events. I hope to make the last one, but I'm planning on presenting at the Unconference on Thursday so it might be tight. I will also be at the Oracle Directory Services booth when I'm not presenting.

Session ID | Title | Date | Time | Room
S298531 | Three Things You Should Know About Managing Your Identity Management Suite With Oracle Enterprise Manager | Monday | 14:30 - 15:30 | Moscone West Rm 2003
S298811 | Active Directory and Windows Security Integration with Oracle Database | Tuesday | 17:00 - 18:00 | Moscone South Rm 305
S298925 | Using Oracle Virtual Directory to Integrate Microsoft Active Directory, Oracle Database, and Oracle Applications | Wednesday | 13:00 - 14:00 | Marriott Golden Gate C3
S300044 | Integrating Microsoft Active Directory and Oracle Internet Directory with Database Logins: Enterprise User Security (IOUG) | Thursday | 12:00 - 13:00 | Marriott Nob Hill CD

September 12, 2008

Writing Secure Code - Links - September 12, 2008

Since I'm focusing this blog more on the technical side - I thought I would try to regularly provide a set of links and commentary to security and privacy articles I find.

"For Your Browser Only" -- Reminds developers that if you are writing cookies from your server code, remember to mark them "HttpOnly". This dramatically reduces what a cross-site scripting attack can do, since script running in the page can no longer read the cookie. I would also add that other techniques - such as using a standards-based framework for authentication/session management and risk-based access control like Oracle provides via Fusion Middleware and the Access Management Suite - will add extra protection.
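To make the HttpOnly point concrete, here is an added example (my own, not code from the linked article or from Oracle) that builds a session Set-Cookie header with the HttpOnly and Secure flags using Python's standard library, and an audit function that walks a list of Set-Cookie headers and reports which cookies are missing either flag. The cookie names and header lines are constructed.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Flags a session cookie should carry: HttpOnly keeps script from reading it,
# Secure keeps it off plaintext HTTP.
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for a session cookie with HttpOnly (and Secure) set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True    # not visible to document.cookie
    cookie[name]["secure"] = secure    # only sent over TLS when True
    return cookie.output(header="Set-Cookie:")


def audit_set_cookie(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every header that lacks a required flag.

    Attribute names are compared case-insensitively, as browsers treat them.
    """
    findings: Dict[str, List[str]] = {}
    for line in headers:
        if line.lower().startswith("set-cookie:"):
            line = line.split(":", 1)[1]
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]
        if missing:
            findings[name] = missing
    return findings


# Constructed response headers, as a proxy log or scanner output might show them.
SAMPLE_HEADERS = [
    session_cookie_header("JSESSIONID", "c0nstructed"),
    "Set-Cookie: legacy_sid=abc123; Path=/",
    "Set-Cookie: prefs=dark; Path=/; Secure",
]

if __name__ == "__main__":
    print(SAMPLE_HEADERS[0])
    for cookie_name, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

Run against real responses, the audit flags every cookie, not just session cookies; narrow it to the names your application uses for sessions if preference cookies are expected to be readable by script.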

Security Researchers Uncover Spring Framework Vulnerabilities -- Some researchers have found vulnerabilities in the popular Spring framework.

What Californians Understand About Privacy Online -- A paper showing how big the gulf is between the average person's perception of how their privacy is protected and the reality. One could of course make a joke about what you expect from people who elect "The Terminator" their governor, but it is a real problem.

SQL Injection issue in :limit and :offset parameter -- A two-fer this week - security issues in two of the most popular frameworks out there - Spring and now Rails. I give credit to the author for trying to help raise awareness, and in general I think adopting frameworks (in particular standard ones - whether that's "Standard" like JSF or a "standard" like Spring/Rails) makes you more productive - and yes, more secure.
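The :limit/:offset bug is an instance of a general pattern: paging values that look numeric get pasted into the SQL text. As an added example (mine, not the Rails code or the linked advisory), the following Python shows the shape of the defect beside a hardened version that accepts only bounded ASCII integers and passes them as bound parameters. The table, rows and the untrusted input are constructed, and the in-memory SQLite database stands in for whatever the application really uses.

```python
import re
import sqlite3
from typing import List, Tuple

MAX_PAGE_SIZE = 100
# ASCII digits only. int() by itself is looser: it also accepts "1_0",
# surrounding whitespace and non-ASCII digit characters.
_DIGITS = re.compile(r"[0-9]{1,6}")


def build_vulnerable_query(limit, offset) -> str:
    # Deliberately unsafe; kept only to show the bug. Whatever the caller passes
    # is spliced into the SQL text unchanged, so it is never executed here.
    return f"SELECT id, title FROM posts ORDER BY id LIMIT {limit} OFFSET {offset}"


def coerce_page_params(limit, offset) -> Tuple[int, int]:
    """Hardened: accept only bounded unsigned integers, then return real ints."""
    if not (_DIGITS.fullmatch(str(limit)) and _DIGITS.fullmatch(str(offset))):
        raise ValueError("limit and offset must be unsigned integers")
    limit_i, offset_i = int(limit), int(offset)
    if not 1 <= limit_i <= MAX_PAGE_SIZE:
        raise ValueError("limit out of range")
    return limit_i, offset_i


def fetch_page(conn: sqlite3.Connection, limit, offset) -> List[Tuple[int, str]]:
    """Fetch one page of posts; the values reach the driver only as bound ints."""
    limit_i, offset_i = coerce_page_params(limit, offset)
    cur = conn.execute(
        "SELECT id, title FROM posts ORDER BY id LIMIT ? OFFSET ?",
        (limit_i, offset_i),
    )
    return cur.fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)",
                     [(f"post {i}",) for i in range(1, 11)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(fetch_page(db, "2", "3"))
    print(build_vulnerable_query("10 OR 1=1", "0"))   # injected text survives
    try:
        fetch_page(db, "10 OR 1=1", "0")
    except ValueError as exc:
        print("rejected:", exc)
```

The upper bound on limit is as much a part of the fix as the integer check: an unbounded page size is a cheap way to tie up the database even when the value is a perfectly valid number.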

5 Features Your Login System Must Have -- An interesting article for those who are still "rolling their own system". Of course for an enterprise - I'm not sure of any valid use case where that would be a good idea - there are too many good products out there, such as Oracle Access Management Suite, that can do this for you without needing to become an SSO developer. If you are working on a consumer site - then at the very least, you should adopt something like OpenID or Infocards so that you are not managing passwords.

Oracle Directory Services Story Now Live

As I hinted at earlier - we have a new blog dedicated to business-level discussion on directories. It's called Directory Service Stories and we have posted our first post on a customer-related story.

The purpose of that blog, compared to mine, is that it will focus on customer stories and higher-level use cases, while I continue to be more technical here.

September 29, 2008

Writing Secure Code - Links - September 26, 2008

Apologies for this being late. Because of OOW I got a bit behind.

Passwords -- This blog post from the "Blown to Bits" blog talks about problems with passwords. On a personal level - you should have a random password. No words. Just a mix of characters. From a developer perspective - do not write your own login code. Almost all frameworks now have their own login subsystem - leverage that. It will allow you to focus on code that is actually core to your business application. Or, as I think of it - I would not want my friend Quan writing my UI, but he knows how to write awesome security code. I know my friend Josh knows how to make awesome-looking UI - he shouldn't be writing my security code. And from an enterprise level - make sure you are adopting comprehensive access products such as Oracle Access Manager suite.

"Using Yahoo! Login Mechanisms for Desktop Applications" -- If you want to use Yahoo! for user password management this might be useful to you.

Criminal probe of ex-Lottery employee Launched -- Basically another data leak problem. Remember, when writing apps, to make sure you allow for proper auditing. Also make sure to put in hooks that allow access controls to be written using a standard like XACML (such as provided by Oracle Entitlement Server). And if you are storing data in a database, make sure the application can work with strong security measures like Oracle Database Vault and Transparent Data Encryption. And - if you are managing or installing databases - make sure you enable these features if your applications can support them.

Schneier On Security -- Bruce Schneier, who is the expert on security, has released a new book. I believe it's a collection of his columns, so if you are a regular reader probably nothing new. However, if you are new to this field - you should get a copy. As well as his previous book Beyond Fear. Or if you are up to speed on these books - then be sure to read The Unthinkable: Who Survives When Disaster Strikes - and Why.

About September 2008

This page contains all entries posted to Virtual Identity Dialogue in September 2008. They are listed from oldest to newest.
