[Deploying Sakai] AD, LDAP, and security

Paul Gibbs pgibbsjr at hotmail.com
Tue Sep 22 06:10:47 PDT 2009

Faithful to their jobs, our network admin is uncomfortable with the idea of opening up Active Directory to Sakai via LDAPS. Does anyone here have any thoughts on the risks of using LDAP/SSL with Sakai? I know many of you are running AD/LDAPS in your environments and are doing so securely. Obviously this is more about threat reduction vs. threat elimination, but what steps should we take to provide as secure an environment as possible?

Currently, I am running Sakai behind Apache mod_proxy (on the same server), which is itself behind a commercial firewall (on the network). Apache encrypts all traffic via SSL. Sakai sits in our DMZ and currently has no access to network services. If we move forward, all LDAP communication would definitely be encrypted via SSL, and only port 636 on the LDAP server would be exposed to Sakai.

From my perspective, I guess the concern isn't so much about packet sniffing, since the entire path is locked down via SSL. The concern lies more in Sakai itself and what safeguards are built into Sakai to keep someone from installing an application on the server itself which would watch the username/password activity. We are running Debian 5 and 2.6.x.

Maybe this is a matter more about how Java handles security than it is about Linux? 

Thank you!

Paul Gibbs