Hello
I've got an interesting problem that I'm trying to see if I can solve within OUD.
The company is using an internal OUD directory for authentication to all sorts of apps. Some of these apps are available externally and are protected by an SSO solution (OAM in this case). The company uses sequential user IDs, for example D00000 to D999999. The problem is that a hacker could easily write a script to loop through all IDs, attempt 5 bad passwords and effectively lock everyone out.
What I'm trying to do is the following, and I'm not sure if it will work:
The external authentication app (OAM) will use the 'oblockedout' attribute to lock an account after 5 bad attempts. I'm trying to figure out a way to virtualize this attribute and somehow make the virtual one available externally, and the real 'oblocked' available internally. To further clarify what I mean by virtualizing the attribute: I would create a new real attribute called 'dmzlockedout', and the virtual 'oblockedout' would point to this. If a user is locked out through the DMZ, all it would do is set the 'dmzlockedout' attribute, which wouldn't lock them out internally. This should be straightforward enough to set up (hopefully; I've never tried it). The question is, how do I make the internal requests use the real 'oblockedout' and the external ones use the virtual one?
These are the two ideas I have, but I need someone with more knowledge to guide me on feasibility or best practice.
Option A: In the DMZ, I create a new OUD Proxy instance that points to the internal one. Can I create the virtual attribute here, applicable to a proxy? Would this work?
Option B: Using only the internal OUD, I create a 2nd LDAP connection handler on a new port, point this to a different network-group that uses the same database, and I add the virtual attribute to this network group. I then point my DMZ OAM to this new port. Would this work?
To me, Option B seems the simplest with the least overhead, but I'm not sure if everything I understand about connection handlers/network groups/virtual attributes would make this a viable option.
Thoughts? Is there a better way still to handle this problem? Any advice would be very much appreciated.
Thank you
Alex
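The following is an added example, not code from the post or from Oracle's OUD/OAM products. It models the idea behind Option B in plain Python: the same entries are reachable over two channels ("internal" and "dmz" are assumed names standing in for the two network groups), and on the DMZ channel the attribute name 'oblockedout' resolves to the separate real attribute 'dmzlockedout' from the post. Replaying the lockout scenario described above on the DMZ channel then shows that internal binds keep working, while reading the same entry over both channels shows which lock state each one sees. The Directory class, the channel names, the UID values and the threshold of 5 are constructed for this example; it does not show the actual dsconfig configuration.

```python
"""Per-channel lockout state with a channel-dependent virtual attribute.

Assumed model (not OUD's internals): each entry carries two real attributes,
'oblockedout' (seen by the internal channel) and 'dmzlockedout' (what the DMZ
channel sees when it asks for 'oblockedout'). Lockout on one channel therefore
never touches the other channel's flag.
"""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # five bad attempts locks the account, as in the post

# Virtual-attribute mapping per channel. The internal channel sees the real
# attribute; the DMZ channel's 'oblockedout' is redirected to 'dmzlockedout'.
VIRTUAL_MAP = {
    "internal": {"oblockedout": "oblockedout"},
    "dmz": {"oblockedout": "dmzlockedout"},
}


@dataclass
class Entry:
    uid: str
    password: str
    attrs: dict = field(default_factory=lambda: {
        "oblockedout": "false", "dmzlockedout": "false"})
    # failed-bind counters kept per channel so one channel cannot drive the other's lock
    failures: dict = field(default_factory=lambda: {"internal": 0, "dmz": 0})


class Directory:
    def __init__(self):
        self.entries = {}

    def add(self, uid, password):
        self.entries[uid] = Entry(uid, password)

    def resolve(self, channel, attr):
        """Map a requested attribute name to the real attribute for this channel."""
        return VIRTUAL_MAP[channel].get(attr, attr)

    def read(self, channel, uid, attr):
        """Read an attribute as the given channel would see it."""
        return self.entries[uid].attrs[self.resolve(channel, attr)]

    def bind(self, channel, uid, password):
        """Simple bind; returns 'ok', 'locked' or 'bad_password'."""
        entry = self.entries.get(uid)
        if entry is None:
            return "bad_password"  # same answer as a wrong password for an existing uid
        lock_attr = self.resolve(channel, "oblockedout")
        if entry.attrs[lock_attr] == "true":
            return "locked"
        if password == entry.password:
            entry.failures[channel] = 0
            return "ok"
        entry.failures[channel] += 1
        if entry.failures[channel] >= LOCKOUT_THRESHOLD:
            entry.attrs[lock_attr] = "true"  # only this channel's flag is set
        return "bad_password"


def simulate_lockout_storm(directory, channel, uids, attempts=LOCKOUT_THRESHOLD):
    """Replay the scenario from the post on one channel: bad passwords against
    every listed uid. Returns how many entries that channel now reports as locked."""
    for uid in uids:
        for _ in range(attempts):
            directory.bind(channel, uid, "wrong-password")
    return sum(1 for uid in uids
               if directory.read(channel, uid, "oblockedout") == "true")


if __name__ == "__main__":
    # Constructed sample data in the post's D-number format.
    d = Directory()
    d.add("D000001", "s3cret")
    d.add("D000002", "pa55word")
    uids = ["D000001", "D000002"]
    print("locked on dmz:", simulate_lockout_storm(d, "dmz", uids))
    print("dmz bind:", d.bind("dmz", "D000001", "s3cret"))
    print("internal bind:", d.bind("internal", "D000001", "s3cret"))
    for ch in ("internal", "dmz"):
        print(ch, "sees oblockedout =", d.read(ch, "D000001", "oblockedout"))
```

Running it, the DMZ channel reports both entries locked and refuses even the correct password, while the internal channel still binds successfully because its real 'oblockedout' was never touched. The operational check to carry over to a real deployment is the last loop: read the same entry over both ports and confirm the two channels report different lock states after a DMZ-side lockout.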