Re: ISP infrastructure - user database and authentication

From: Devdas Bhagat (devdas@worldgatein.net)
Date: 07/31/01


From: Devdas Bhagat <devdas@worldgatein.net>
To: "Jean-Simon Durand" <bugtraq@supernet.ca>, <SECURITY-BASICS@securityfocus.com>
Subject: Re: ISP infrastructure - user database and authentication
Date: Tue, 31 Jul 2001 12:46:24 +0530
Message-Id: <01073112503603.11963@office.interoffice>

On Mon, 30 Jul 2001, Jean-Simon Durand spewed into the ether:
<snip>
> better way to do this. Does LDAP support a compare function that is done
> server side? If there is, I suppose that the existing LDAP authentication
> modules support this?
I think PAM LDAP does this.
Maybe your Radius server can just bind to the LDAP server using the
username and password supplied. If the bind is successful, the user
logs in, else reject.

> In #3, we also have a problem. We want to allow our customers to access some
> of their account information online, so some parts of the database on the
> billing server will be accessible by a web server on the DMZ. The database
> will be either under MS SQL or Oracle 8. If the web server gets compromised,
> are there risks of someone accessing the credit card data thru the database
> connection? Is there a better way to set this up?
Maybe there might be a hole somewhere. I suggest putting the CC
information elsewhere, on a separate machine. Since this information
does not change very often normally, you can do one of two things:
1) dump the data to a database on a separate machine (Postgres/MySQL
should work fine for this).
2) Put it into LDAP, with appropriate ACLs.

Devdas Bhagat

--
A vacuum is a hell of a lot better than some of the stuff that nature
replaces it with.
		-- Tennessee Williams
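The bind-as-the-user check Devdas suggests (and the server-side compare Jean-Simon asked about), as an added example that is not from the original post. It hand-encodes the LDAP BindRequest and CompareRequest and decodes the server's LDAPResult with the standard library only, so the accept/reject logic runs offline; the DN, host and the server replies used for checking are constructed for illustration, and a real RADIUS or PAM module would use a proper LDAP client over LDAPS/StartTLS rather than this encoder.

```python
"""Hand-encoded LDAP simple bind / compare and LDAPResult parsing.

Added example, not code from the original post. Stdlib only, so the
message construction and the accept/reject decision run offline; the
server replies fed to parse_result() are constructed by hand.
"""
import socket
from collections import namedtuple

# Protocol op tags ([APPLICATION n], constructed => 0x60 | n) and
# result codes from RFC 4511.
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61
COMPARE_REQUEST, COMPARE_RESPONSE = 0x6E, 0x6F
SUCCESS, COMPARE_FALSE, COMPARE_TRUE, INVALID_CREDENTIALS = 0, 5, 6, 49

LdapResult = namedtuple("LdapResult", "msg_id op_tag code matched diag")


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value, tag=0x02):
    """Non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear."""
    return _ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _ber_octets(text):
    return _ber(0x04, text.encode("utf-8"))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] pw } }.
    The password travels as plain octets: without TLS anyone between the
    RADIUS box and the directory can read it off the wire."""
    auth = _ber(0x80, password.encode("utf-8"))
    op = _ber(BIND_REQUEST, _ber_int(3) + _ber_octets(dn) + auth)
    return _ber(0x30, _ber_int(msg_id) + op)


def compare_request(msg_id, dn, attr, value):
    """LDAPMessage { messageID, CompareRequest { entry, ava { attr, value } } }."""
    ava = _ber(0x30, _ber_octets(attr) + _ber_octets(value))
    return _ber(0x30, _ber_int(msg_id) + _ber(COMPARE_REQUEST, _ber_octets(dn) + ava))


def ldap_result(msg_id, op_tag, code, matched="", diag=""):
    """Server-side LDAPResult { resultCode ENUMERATED, matchedDN, diagnosticMessage }.
    Used here only to construct sample replies."""
    op = _ber(op_tag, _ber_int(code, tag=0x0A) + _ber_octets(matched) + _ber_octets(diag))
    return _ber(0x30, _ber_int(msg_id) + op)


def _read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_result(msg):
    """Decode one LDAPMessage carrying a Bind- or CompareResponse."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, raw_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    op_tag, op, _ = _read_tlv(body, pos)
    tag, raw_code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return LdapResult(int.from_bytes(raw_id, "big"), op_tag,
                      int.from_bytes(raw_code, "big"), matched.decode(), diag.decode())


def accepted(result, expected_id, expected_op):
    """Accept only a reply that answers *our* request and says yes."""
    if result.msg_id != expected_id or result.op_tag != expected_op:
        return False
    if expected_op == BIND_RESPONSE:
        return result.code == SUCCESS
    if expected_op == COMPARE_RESPONSE:
        return result.code == COMPARE_TRUE
    return False


def bind_authenticate(host, port, dn, password, timeout=5.0):
    """Bind as the user over a plain socket (host assumed reachable; use LDAPS in practice).
    An empty password is refused up front: RFC 4513 treats a simple bind with
    a DN and zero-length password as *unauthenticated* (anonymous), and some
    servers still answer it with success."""
    if not password:
        return False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        reply = sock.recv(4096)  # assumes the whole response arrives in one read
    return accepted(parse_result(reply), 1, BIND_RESPONSE)
```

`bind_authenticate("ldap.example.net", 389, "uid=alice,ou=people,dc=example,dc=net", pw)` is the whole RADIUS-side check: success means accept, anything else (including `invalidCredentials`, 49) means reject. The compare path sends the cleartext `userPassword` to the server instead and only works when the ACLs grant the RADIUS identity compare rights on that attribute, so the bind approach needs less directory configuration.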


