
Thread: Form Fill Advice

  1. #1
    sttennant NNTP User

    Form Fill Advice


    Hi,
    We have a new print system where students can sign in using their
    username and a 4-digit PIN code. The problem is that the PIN is
    peculiar to this system and students do not know what it is.

    So, we can generate a PIN for each student (using an Identity Manager
    driver for example) and send it to them by email. We then define the
    form fill policy to use a shared secret for the PIN. The user then
    enters the PIN first time and thereafter Access Manager remembers the
    PIN. However, generating 25,000 PINs and emailing them to students is a
    big admin and communication problem, especially when it is for one
    service. However, this method is secure.

    Another idea involves not telling the students about the PIN at all, but
    instead saving the generated PIN directly to the userstore. We then
    modify the form-fill policy to auto-fill this pre-defined value; the
    result is that the student is completely unaware of the PIN as he never
    sees the login form. The problem with this is that the PIN would have
    to be stored in clear text in eDirectory. We could prevent
    non-privileged users from reading it by making it non-public and making
    sure only certain trustees had permission to read it; however, I am a
    bit concerned about the security of the PIN in this case. This method is
    easier but not so secure.

    Does anyone have a suggestion as to which option is best? Or is there
    another way?

    Any advice is welcome.
    Regards
    Steve Tennant


    --
    sttennant
    ------------------------------------------------------------------------
    sttennant's Profile: https://forums.netiq.com/member.php?userid=389
    View this thread: https://forums.netiq.com/showthread.php?t=50039


  2. #2
    Edward van der Maas NNTP User

    Re: Form Fill Advice

    sttennant wrote:

    >
    > Hi,
    > We have a new print system where students can sign in using their
    > username and a 4-digit PIN code. The problem is that the PIN is
    > peculiar to this system and students do not know what it is.
    >
    > So, we can generate a PIN for each student (using an Identity Manager
    > driver for example) and send it to them by email. We then define the
    > form fill policy to use a shared secret for the PIN. The user then
    > enters the PIN first time and thereafter Access Manager remembers the
    > PIN. However, generating 25,000 PINs and emailing them to students is
    > a big admin and communication problem, especially when it is for one
    > service. However, this method is secure.
    >
    > Another idea involves not telling the students about the PIN at all,
    > but instead saving the generated PIN directly to the userstore. We
    > then modify the form-fill policy to auto-fill this pre-defined value;
    > the result is that the student is completely unaware of the PIN as he
    > never sees the login form. The problem with this is that the PIN
    > would have to be stored in clear text in eDirectory. We could prevent
    > non-privileged users from reading it by making it non-public and making
    > sure only certain trustees had permission to read it; however, I am a
    > bit concerned about the security of the PIN in this case. This method
    > is easier but not so secure.
    >
    > Does anyone have a suggestion as to which option is best? Or is there
    > another way?


    Is your userstore eDirectory? If so, use the secretstore instead.

    --
    Cheers,
    Edward

  3. #3
    sttennant NNTP User

    Re: Form Fill Advice


    Hi Edward,
    You are everywhere! The userstore is eDirectory, and I did think of
    using secretstore, but how do I enable this? And why do you suggest
    this over the other option, if you don't mind me asking?
    Regards




  4. #4
    Edward van der Maas NNTP User

    Re: Form Fill Advice

    sttennant wrote:

    >
    > Hi Edward,
    > You are everywhere! The userstore is eDirectory, and I did think of
    > using secretstore, but how do I enable this? And why do you suggest
    > this over the other option, if you don't mind me asking?
    > Regards


    Not knowing what eDir version you are on, it might already be enabled;
    otherwise I believe all you have to do is extend the schema for it. On
    the IDM drivers there's an option to write stuff directly into the
    secretstore as well, and as far as I understand NAM can read from it.

    I have to admit that I've never built it, but I remember being on
    training many moons ago where this was one of the objectives to build.

    The secretstore was specifically designed for this kinda stuff. I have
    little experience with the encrypted attributes. From what I understand,
    they are stored encrypted but can still be read. Probably best
    to ask more about this in the eDir forums on how it works and what
    happens when someone tries to read it.

    --
    Cheers,
    Edward

  5. #5
    sttennant NNTP User

    Re: Form Fill Advice


    edmaa;240984 Wrote:
    > sttennant wrote:
    >
    > >
    > > Hi Edward,
    > > You are everywhere! The userstore is eDirectory, and I did think of
    > > using secretstore, but how do I enable this? And why do you suggest
    > > this over the other option, if you don't mind me asking?
    > > Regards
    >
    > Not knowing what eDir version you are on, it might already be enabled;
    > otherwise I believe all you have to do is extend the schema for it. On
    > the IDM drivers there's an option to write stuff directly into the
    > secretstore as well, and as far as I understand NAM can read from it.
    >
    > I have to admit that I've never built it, but I remember being on
    > training many moons ago where this was one of the objectives to build.
    >
    > The secretstore was specifically designed for this kinda stuff. I have
    > little experience with the encrypted attributes. From what I understand,
    > they are stored encrypted but can still be read. Probably best
    > to ask more about this in the eDir forums on how it works and what
    > happens when someone tries to read it.
    >
    > --
    > Cheers,
    > Edward

    Hi Edward,
    Interesting. I will need to find out how to enable secretstore. It is
    interesting that IDM can write directly to the secret store. So I can
    generate the PIN via IDM, then write it to the secret store and then
    use it to form-fill. Is that the idea? If it works we could use the
    same method for other things. The only issue I have is that I am
    already using shared secrets in Access Manager, but they are stored in
    the configuration store and not the userstore. How will Access Manager
    know to use the userstore for these new secrets storing the PIN?
    Thanks,
    Steve




  6. #6
    Edward van der Maas NNTP User

    Re: Form Fill Advice

    sttennant wrote:


    > Interesting. I will need to find out how to enable secretstore. It
    > is interesting that IDM can write directly to the secret store. So I
    > can generate the PIN via IDM, then write it to the secret store
    > and then use it to form-fill. Is that the idea? If it works we
    > could use the same method for other things. The only issue I have is
    > that I am already using shared secrets in Access Manager, but they are
    > stored in the configuration store and not the userstore. How will
    > Access Manager know to use the userstore for these new secrets
    > storing the PIN?


    I built a lab over the weekend. The IDM part is pretty straightforward,
    but I don't have NAM reading the secretstore as yet.

    --
    Cheers,
    Edward

  7. #7
    sttennant NNTP User

    Re: Form Fill Advice


    edmaa;241175 Wrote:
    > sttennant wrote:
    >
    >
    > > Interesting. I will need to find out how to enable secretstore. It
    > > is interesting that IDM can write directly to the secret store. So I
    > > can generate the PIN via IDM, then write it to the secret store
    > > and then use it to form-fill. Is that the idea? If it works we
    > > could use the same method for other things. The only issue I have is
    > > that I am already using shared secrets in Access Manager, but they are
    > > stored in the configuration store and not the userstore. How will
    > > Access Manager know to use the userstore for these new secrets
    > > storing the PIN?
    >
    > I built a lab over the weekend. The IDM part is pretty straightforward,
    > but I don't have NAM reading the secretstore as yet.
    >
    > --
    > Cheers,
    > Edward


    Hi Edward,
    The need for this has now passed, but I did get SecretStore working with
    form fill. I followed the Access Manager documentation and it worked.
    I had to configure the credential profile to use the user store for
    shared secrets. The form fill created secrets as named, but with the
    prefix "Cred-SS." or something like that, in the user store (i.e.
    eDirectory).
    Thanks for your help. I am always amazed at what you can do with
    NetIQ/Novell products, and this forum is so useful.
    Kindest Regards
    Steve




  8. #8
    rtruscot NNTP User

    Re: Form Fill Advice


    sttennant;240872 Wrote:
    > Hi,
    > We have a new print system where students can sign in using their
    > username and a 4-digit PIN code. The problem is that the PIN is
    > peculiar to this system and students do not know what it is.
    >
    > So, we can generate a PIN for each student (using an Identity Manager
    > driver for example) and send it to them by email. We then define the
    > form fill policy to use a shared secret for the PIN. The user then
    > enters the PIN first time and thereafter Access Manager remembers the
    > PIN. However, generating 25,000 PINs and emailing them to students is a
    > big admin and communication problem, especially when it is for one
    > service. However, this method is secure.
    >
    > Another idea involves not telling the students about the PIN at all, but
    > instead saving the generated PIN directly to the userstore. We then
    > modify the form-fill policy to auto-fill this pre-defined value; the
    > result is that the student is completely unaware of the PIN as he never
    > sees the login form. The problem with this is that the PIN would have
    > to be stored in clear text in eDirectory. We could prevent
    > non-privileged users from reading it by making it non-public and making
    > sure only certain trustees had permission to read it; however, I am a
    > bit concerned about the security of the PIN in this case. This method is
    > easier but not so secure.
    >
    > Does anyone have a suggestion as to which option is best? Or is there
    > another way?
    >
    > Any advice is welcome.
    > Regards
    > Steve Tennant


    Hi Steve,

    You can use the second method and encrypt the attribute in eDirectory.
    Check out the eDir doco here: http://tinyurl.com/nusavzw

    Though having said that, you would still require the correct
    trustee assignments to be in place. You may need to look at some inherited
    rights filters if you want to block specific admin access to the
    attributes.


    --
    rtruscot
    ------------------------------------------------------------------------
    rtruscot's Profile: https://forums.netiq.com/member.php?userid=293
    View this thread: https://forums.netiq.com/showthread.php?t=50039


  9. #9
    sttennant NNTP User

    Re: Form Fill Advice


    rtruscot;240898 Wrote:
    > Hi Steve,
    >
    > You can use the second method and encrypt the attribute in eDirectory.
    > Check out the eDir doco here: http://tinyurl.com/nusavzw
    >
    > Though having said that, you would still require the correct
    > trustee assignments to be in place. You may need to look at some inherited
    > rights filters if you want to block specific admin access to the
    > attributes.


    Hi,
    I read about encrypted attributes, but I am not sure I fully understand
    them. You can still read them using LDAP/SSL, so they are still
    vulnerable, aren't they? The documentation is a bit confusing. I like
    the idea of IRFs, this is essential, but how do I make sure that the
    admin user can still read this attribute?
    Thanks
    Steve


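    The question in the last two posts (who can still read the stored PIN attribute over LDAP after trustee assignments and inherited rights filters are in place, and whether admin was locked out by the IRF) is something you can verify rather than reason about. The script below is an added example, not code from the thread or from NetIQ: it binds to eDirectory over LDAPS as each identity of interest, reads one attribute from the student entry, and compares the observed readers against the intended trustee list. The attribute name `printPIN`, the DNs, and the `ldap3` library are assumptions; the `SAMPLE_RESULTS` dictionary is constructed so the evaluation logic can be exercised offline without a directory.

```python
"""Check which LDAP bind identities can read a sensitive eDirectory attribute.

Added example (not from the thread or NetIQ). Assumptions:
  * the PIN is stored in a user attribute called "printPIN" (hypothetical);
  * bind DNs / passwords are supplied by the caller;
  * the live fetch uses the ldap3 library, imported lazily so the offline
    evaluation below runs without it installed.
"""
from typing import Dict, Iterable, List, Set, Tuple

PIN_ATTRIBUTE = "printPIN"  # hypothetical attribute name, not from the thread


def fetch_entry_attrs(server_uri: str, bind_dn: str, password: str,
                      target_dn: str, attribute: str) -> Dict[str, List[str]]:
    """Bind as `bind_dn` over LDAPS and read `attribute` from `target_dn`.

    Returns {attribute: [values]}; an empty list means the server returned
    the entry without that attribute, i.e. this identity cannot read it.
    """
    from ldap3 import ALL, BASE, Connection, Server  # lazy import
    server = Server(server_uri, use_ssl=True, get_info=ALL)
    with Connection(server, user=bind_dn, password=password,
                    auto_bind=True) as conn:
        conn.search(target_dn, "(objectClass=*)", search_scope=BASE,
                    attributes=[attribute])
        if not conn.entries:
            return {attribute: []}
        values = conn.entries[0].entry_attributes_as_dict.get(attribute, [])
        return {attribute: list(values)}


def readable_by(results: Dict[str, Dict[str, List[str]]],
                attribute: str) -> Set[str]:
    """Identities whose search result carried a non-empty value for `attribute`."""
    return {who for who, attrs in results.items() if attrs.get(attribute)}


def check_exposure(results: Dict[str, Dict[str, List[str]]], attribute: str,
                   allowed: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Compare observed readers with the intended trustee list.

    Returns (unexpected_readers, missing_readers):
      unexpected_readers - identities that can read the attribute but should not
      missing_readers    - intended trustees (e.g. admin, the NAM service
                           account) that an IRF or missing assignment locked out
    """
    allowed = set(allowed)
    readers = readable_by(results, attribute)
    return readers - allowed, allowed - readers


# Constructed sample: what four bind identities got back for one student entry.
SAMPLE_RESULTS = {
    "cn=admin,o=org": {"printPIN": ["4821"]},
    "cn=nam-svc,ou=services,o=org": {"printPIN": ["4821"]},
    "cn=student1,ou=students,o=org": {"printPIN": []},      # blocked, as intended
    "cn=helpdesk,ou=staff,o=org": {"printPIN": ["4821"]},   # should be blocked
}
ALLOWED_READERS = ["cn=admin,o=org", "cn=nam-svc,ou=services,o=org"]


def report(results: Dict[str, Dict[str, List[str]]], attribute: str,
           allowed: Iterable[str]) -> str:
    """Human-readable summary of a check; returns the text for easy testing."""
    unexpected, missing = check_exposure(results, attribute, allowed)
    lines = [f"attribute {attribute}: readers = {sorted(readable_by(results, attribute))}"]
    lines.append(f"unexpected readers (tighten trustees/IRF): {sorted(unexpected)}")
    lines.append(f"locked-out intended readers (add explicit assignment): {sorted(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run over the constructed sample. For a live check, build
    # `results` by calling fetch_entry_attrs() once per bind identity.
    print(report(SAMPLE_RESULTS, PIN_ATTRIBUTE, ALLOWED_READERS))
```

    Run it once per student OU after changing trustees or adding an IRF: an identity in `unexpected readers` means the attribute is still exposed to someone outside the NAM/IDM service accounts, and an identity in `locked-out intended readers` is the symptom of an IRF that also blocked admin, which needs an explicit trustee assignment at or below the filtered container to restore.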

