Artificial Credentials
Between managing the security controls you want in place for connections that use an anonymous BIND, and provisioning access for third-party client applications, a range of authentication and security issues arise. Many of these are political decisions within your organization, or constraints set out by your security policy. Whatever the reasoning, accommodating the access requirements of certain applications quickly becomes complicated, particularly when the users of those applications belong to an external organization.
One approach is to expose the data to anonymous connections, but that quickly raises security concerns: anything readable anonymously is readable by anyone who can reach the server. Another is to create all of the external users within your own directory, so that they can BIND to it and you can manage their access rights directly. While this may seem sensible, with an external third party it requires excellent communication between the two companies just to keep the account list current, and it leaves you managing a set of individual accounts that you would rather treat as a single group.
Symlabs LDAP Proxy and Virtual Directory Server both include plugins that resolve this kind of scenario quickly and efficiently. One approach is the Add Credentials plugin, which adds credentials to anonymous connections, so that a backend LDAP server that does not permit anonymous access can still be reached through the proxy. The plugin acts upon all anonymous LDAP operations and offers the option of obfuscating the password in the configuration file. Obfuscation only hides the password from casual inspection; anyone who can read the configuration file and knows the scheme can recover it, so protect the file with filesystem permissions as you would a plaintext secret.
The proxy's processing architecture lets you attach filters that control when the plugin is triggered, so you can restrict it to the connections those filters identify as coming from the third-party client application. You then create a single user on the backend server to represent all connections from that application, apply whatever security controls you want to that one account, and rely on the proxy to authenticate to the backend on the application's behalf. The application's users BIND anonymously to the proxy and never need to know or remember the credentials that control their access. Two consequences follow from this design: every request from the application reaches the backend under the same identity, so the backend's access controls and audit logs see the application rather than the individual user; and anyone who can reach the proxy and satisfy the filter inherits the service account, so the filter and the network path to the proxy become the effective authentication and must be locked down accordingly.
Other approaches include using the Connection Pooling feature built into the way Symlabs LDAP Proxy and Virtual Directory Server connect to backend systems, and having the proxy authenticate users against an alternate backend directory (possibly hosted by the third party themselves) and then provision access to your target backend directory using fixed credentials chosen according to the roles obtained from that third-party directory. The second approach keeps the per-user authentication decision with the organization that knows its users, while your backend still sees only a small number of accounts that you control.
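To make the decision logic of both approaches concrete, here is an added Python model of the credential substitution the proxy performs. It is example code written for this page, not Symlabs code, and it does not use the Symlabs configuration syntax. It assumes that the filter identifying the third-party application is the connection's source network, and it stands in for the alternate directory and the backend service accounts with constructed in-memory tables; every DN, address and password below is a sample value.

```python
"""Credential substitution at an LDAP proxy, modelled in plain Python.

Rule 1 (Add Credentials): an anonymous BIND from the partner application's
network is rewritten to a single backend service account.
Rule 2 (authenticate elsewhere): a user who authenticates against the
partner's own directory gets a backend account chosen by role.
Anything else stays anonymous or is rejected (fail closed).
"""
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class BindRequest:
    client_ip: str
    bind_dn: str = ""      # empty DN and empty password == anonymous BIND
    password: str = ""


@dataclass(frozen=True)
class BackendCredential:
    dn: str
    password: str


# --- constructed configuration (sample values, not a real deployment) -------
# Assumed filter: the partner application is identified by its source network.
PARTNER_NETWORK = ip_network("203.0.113.0/24")
PARTNER_SERVICE_ACCOUNT = BackendCredential(
    "cn=partner-app,ou=services,dc=example,dc=com", "config-file-secret")

# Backend accounts selected by role for users authenticated elsewhere.
ROLE_ACCOUNTS = {
    "hr-reader": BackendCredential("cn=hr-reader,ou=services,dc=example,dc=com", "hr-secret"),
    "helpdesk": BackendCredential("cn=helpdesk,ou=services,dc=example,dc=com", "hd-secret"),
}

# Stand-in for the partner's directory: DN -> (password, role). A real proxy
# would BIND to that directory and read the role attribute instead.
ALTERNATE_DIRECTORY = {
    "uid=alice,ou=people,dc=partner,dc=example": ("alice-pw", "hr-reader"),
    "uid=bob,ou=people,dc=partner,dc=example": ("bob-pw", "helpdesk"),
}


def is_anonymous(req: BindRequest) -> bool:
    """True only for a genuine anonymous BIND (empty DN and empty password).
    A non-empty DN with an empty password is an *unauthenticated* BIND, which
    RFC 4513 says servers should refuse; it is never treated as anonymous here."""
    return req.bind_dn == "" and req.password == ""


def add_credentials(req: BindRequest) -> Optional[BackendCredential]:
    """Rule 1: return the service account for anonymous BINDs that pass the
    partner filter, otherwise None so the request falls through to later rules."""
    if not is_anonymous(req):
        return None
    if ip_address(req.client_ip) not in PARTNER_NETWORK:
        return None
    return PARTNER_SERVICE_ACCOUNT


def authenticate_elsewhere(req: BindRequest) -> Optional[BackendCredential]:
    """Rule 2: verify the user against the alternate directory and map the
    returned role to a backend account; None means the BIND fails."""
    entry = ALTERNATE_DIRECTORY.get(req.bind_dn)
    if entry is None:
        return None
    expected_password, role = entry
    if not hmac.compare_digest(expected_password.encode(), req.password.encode()):
        return None
    return ROLE_ACCOUNTS.get(role)   # unknown role -> None, i.e. reject


def resolve_backend_bind(req: BindRequest) -> Tuple[str, Optional[BackendCredential]]:
    """Decide which identity the proxy uses towards the backend for this
    client BIND. Returns (decision, credential); credential is None unless
    the decision substitutes one."""
    cred = add_credentials(req)
    if cred is not None:
        return "add-credentials", cred
    if is_anonymous(req):
        return "anonymous", None        # not the partner: stays anonymous
    cred = authenticate_elsewhere(req)
    if cred is not None:
        return "role", cred
    return "reject", None               # bad password, unknown user, or unauthenticated BIND


if __name__ == "__main__":
    samples = [
        BindRequest("203.0.113.10"),                                   # partner app, anonymous
        BindRequest("198.51.100.7"),                                   # someone else, anonymous
        BindRequest("203.0.113.10", "uid=alice,ou=people,dc=partner,dc=example", "alice-pw"),
        BindRequest("203.0.113.10", "uid=alice,ou=people,dc=partner,dc=example", ""),
    ]
    for req in samples:
        decision, cred = resolve_backend_bind(req)
        who = req.bind_dn or "<anonymous>"
        print(f"{req.client_ip:15} {who:48} -> {decision}" + (f" as {cred.dn}" if cred else ""))
```

The ordering of the rules is the point: the Add Credentials rule fires only for a genuine anonymous BIND that passes the partner filter, an anonymous BIND from anywhere else is left anonymous rather than given the service account, and a BIND that names a DN but fails authentication at the partner directory (including an empty-password unauthenticated BIND) is rejected instead of falling back to anonymous access.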