
Re: Security issues when authenticating from multiple sites

Einar S. Idsø wrote:
> 
> We have a number of different community sites that will use a
> single central OpenLDAP-server for authentication. We want
> each site to provide its users with a logon-box for that site, just
> as any forum or portal you can find out there. Each site has its
> own admins with full access to everything related to their specific
> site. This makes it possible for them to edit their own logon
> mechanism to capture passwords for users that log on to their
> site. Thus an admin on one site can capture the password of an
> admin on another site, which is an obvious security issue.

Yupp, that's a problem with single password stores.

> We can of course redirect logons to a common secure webpage,
> or monitor files in the respective sites' webroot to detect
> modifications to logon procedures, but we'd really prefer a
> cleaner solution if at all possible. Do any mechanisms exist
> to avoid this problem?

Not sure what a "cleaner solution" means for you. But this is a typical
deployment scenario for Web SSO components. Personally I'm fairly
familiar with CAS. There's also OpenSSO and some others which all work
almost in the same way. But you have to do some integration work in the
web server/application.

Ciao, Michael.
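The property Michael's Web SSO suggestion relies on, shown as an added example that is not part of the thread and not the CAS or OpenSSO code itself: the browser is sent to one central login page, only that page ever sees the password, and each community site receives nothing but an opaque service ticket that it validates server-to-server. Everything below is a simplified, constructed simulation of that exchange (the `CentralSSO` and `CommunitySite` classes, the `ST-` ticket prefix, the PBKDF2 store and the example users and URLs are all assumptions standing in for the real LDAP-backed SSO server and the sites' own integration code):

```python
"""Simplified CAS-style Web SSO exchange (constructed illustration).

Two parties: a central login service, which is the only place a
password is ever typed or checked, and a community site, which only
handles single-use service tickets bound to its own callback URL.
A site admin who alters the site's logon code therefore sees tickets
that are useless elsewhere, never a password.
"""
import hashlib
import hmac
import secrets
import time


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Stand-in for the real credential store (the central LDAP server).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CentralSSO:
    """Central login page: the only component that handles passwords."""

    TICKET_TTL = 10  # seconds a freshly issued service ticket stays valid

    def __init__(self):
        self._users = {}    # user -> (salt, password hash)
        self._tickets = {}  # ticket -> (user, bound service URL, issue time)

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_pw(password, salt))

    def login(self, user: str, password: str, service: str):
        """Browser posts the password here; on success a ticket bound to
        `service` is issued, and that ticket is all the site ever receives."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_pw(password, salt)):
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, time.time())
        return ticket

    def validate(self, ticket: str, service: str):
        """Server-to-server check by the site. The ticket is removed on the
        first validation attempt, so it is single use whatever the outcome;
        it must also match the service it was issued for and be unexpired."""
        rec = self._tickets.pop(ticket, None)
        if rec is None:
            return None
        user, bound_service, issued = rec
        if bound_service != service or time.time() - issued > self.TICKET_TTL:
            return None
        return user


class CommunitySite:
    """One of the sites. Its admins control this code, but it only ever
    sees tickets and creates local sessions from validated ones."""

    def __init__(self, url: str, sso: CentralSSO):
        self.url = url
        self.sso = sso
        self.sessions = {}  # local session id -> user

    def handle_callback(self, ticket: str):
        user = self.sso.validate(ticket, self.url)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid


def demo() -> dict:
    """Runs the exchange and returns the outcomes of each step."""
    sso = CentralSSO()
    sso.add_user("alice", "correct horse battery staple")  # constructed user
    site_a = CommunitySite("https://site-a.example/login", sso)
    site_b = CommunitySite("https://site-b.example/login", sso)

    # Normal logon to site A: password goes only to the central service.
    t1 = sso.login("alice", "correct horse battery staple", site_a.url)
    sid = site_a.handle_callback(t1)          # valid: creates a session
    replay = site_a.handle_callback(t1)       # None: ticket already spent

    # A ticket issued for site A is rejected when presented by site B.
    t2 = sso.login("alice", "correct horse battery staple", site_a.url)
    cross_site = site_b.handle_callback(t2)   # None: bound to site A

    bad_password = sso.login("alice", "wrong", site_a.url)  # None

    return {
        "session_user": site_a.sessions.get(sid),
        "replay": replay,
        "cross_site": cross_site,
        "bad_password": bad_password,
    }


if __name__ == "__main__":
    print(demo())
```

This is the integration work Michael mentions: the site's logon box becomes a redirect to the central page plus a callback handler like `handle_callback`, and the central service does the password check against LDAP. The validation step must be a direct server-to-server call from the site to the SSO server, not something the browser relays, otherwise the binding and single-use checks can be bypassed.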