Connecting the world…

SecurID

RSA LDAP query failed

While configuring a LDAP mapping for a RSA Authentication Manager 6.1 with an Active Directory Domain Controller, I received the following error while running the Synchronisation task

c:\RSA\prog\sdldapsync.exe -j 102

“[LDAP search] Search failed (check Base DN)”

At first I thought about a typo while configuring the Synchronisation task. To test the LDAP connection with the domain controller I installed Softerra’s LDAP Browser. With this tool the LDAP connection is working perfectly when using the same credentials, BaseDN and LDAP Query Filter.

After searching the internet I found the MaxPageSize issue in Windows. I reported the same issue in a blog about eSafe and LDAP. When running the sdaceldap command you can see that the MaxPageSize is reached by the LDAP query.

Correct usage: sdaceldap <-h hostname> <-p port> [-b basedn] [-s scope] [-d import|compare] [-o output file] [-m schema map file] <-D binddn -w passwd> <-Z -P path> filter

 

C:\RSA\utils\toolkit>sdaceldap.exe -h 10.1.1.100 -p 389 -b ou=Users,dc=booches,=nl -s sub -d import -o AD_Users.csv -m active.map -D SA_LDAP@booches.nl -w LDAP_passwd “objectclass=user”

 

Host: 10.1.1.100
Port: 389
Distinguished Name: ou=Users,dc=booches,dc=nl

Scope: sub
Mode: import
Output Filename: AD_Users.csv
Mapfile: active.map
Bind: SA_LDAP@booches.nl
Filter: objectclass=user

Starting Import:

ldap_search_s Sizelimit exceeded

The output shows that the Sizelimit is exceeded. I find a tool on the internet which can be used to retrieve the MaxPageSize from a Windows machine. This tool is called AdFind.

Executing this tool on the Domain Controller tells me the MaxPageSize is set to 2000.

c:>adfind -e -config -f “&(objectcategory=querypolicy)(name=default quer
y policy)” ldapadminlimits

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc01.booches.nl:389
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=booches,DC=nl

dn:CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,
CN=Services,CN=Configuration,DC=booches,DC=nl
>lDAPAdminLimits: MaxPageSize=2000
>lDAPAdminLimits: MaxReceiveBuffer=10485760
>lDAPAdminLimits: MaxDatagramRecv=1024
>lDAPAdminLimits: MaxPoolThreads=4
>lDAPAdminLimits: MaxResultSetSize=262144
>lDAPAdminLimits: MaxTempTableSize=10000
>lDAPAdminLimits: MaxQueryDuration=120
>lDAPAdminLimits: MaxNotificationPerConn=5
>lDAPAdminLimits: MaxConnIdleTime=900
>lDAPAdminLimits: InitRecvTimeout=120
>lDAPAdminLimits: MaxConnections=5000

1 Objects returned

To minimize the number of objects that are returned in a single search I configured a LDAP Query Filter, which is shown below:

(&(&(&(objectClass=user)(objectClass=person))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(!(objectClass=computer)))

or the equivalent

(&(objectClass=user)(objectClass=person)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=computer))

This query has the following properties. The object should have the objectClasses user AND person AND the account should NOT be disabled AND should not contain the objectClass computer. This already excludes some objects, like workstations and servers.

More information about the MaxPageSize and the way to change the value can be found here. More information about Limiting LDAP Searches with MaxPageSize can be found here.

ID Control

Ictivity received via via an e-mail about strong authentication products from ID Control. Strong authentication is authentication were you need multiple factors (what you have, what you know, what you are) to actual authenticate to a system, network or something else. We, as Connectivity Consultant, were asked to look at the different products and start a discussion about these products. Are they interesting for us or some of our customers??

The main focus is on three different authentication products. In this post you can read MY OPINION about the three different authentication items.

HandyID

HandyID is the leading mobile authentication method which provides a One Time Password (OTP) token-based, two-factor authentication solution on your mobile phone (handy), PDA, Blackberry and/or smart phone. HandyID turns your mobile device into a hardware token enabling a cost-effective, easy, convenient and user-friendly strong authentication solution for online banking, government and ecommerce. In combination with ID Control Server the set up and deployment is easy and fast.

Reading the text above I am thinking what HandyID brings extra in comparison to tokens like the ones from RSA. In my opinion I only see disadvantages. According to ID Control, you can use HandyID on every mobile device. I will not run it on my device, because the Nokia I am using isn’t that stable. I see crashing mobile phones, mobile phones with empty batteries and no charger nearby. I see incompatibilities with some tropical applications. In general, I like the concept of HandyID, but I would prefer a decent token from RSA (RSA SecurID).

KeystrokeID

KeystrokeID is the biometric solution based on behaviour traits that are acquired over a certain time period the user is typing on his or her keyboard (versus a physiological characteristic or physical trait). KeystrokeID monitors and analyses all keyboard behaviour performed by the user during his/her access. Based on this keystroke behaviour performed in comparison to the user’s normal behaviour access is granted when this user is also authorized.

Huh?? So reading this, the keyboard is learning the way you type and grants you access on that process. Sounds cool, but again I see a lot of customers having problems accessing the stuff they would like to access. I can image that KeystrokeID would work for a private secretary who finds the keys blindly on the keyboard, but what about people who cannot type that well and what when you are typing at night in bed, without decent light. I guess you won’t type the same as during normal day time. Summarizing, I would advise OUR customers to use KeystrokeID, because I THINK that the product brings more authentication problems than solving authentication problems.

USB Token

ID Control’s USB Token is a portable end-user authentication token that can replace user name and password for workstation, website, VPN, file, email, network, file and/or disk access security. ID Control USB Token plugs into any standard USB port and can even run without any software.

After reading the documentation about USB Token, I definitely imagine advising USB Token to customers and even use one for my own. The USB Tokens ease of use looks really better in comparison to smart-cards or biometrics. Nowadays USB keys are common usage and the price for USB keys won’t be that high. Another advantage of the USB Token is that you only need an enabled USB port on a workstation and that’s it. For smart-cards and biometrics, you normally need extra equipment before you can actually use the smart-cards.

The USB Token can be used for different reasons like Secure VPN Authentication, File and Disk Encryption, Web (Application) Sign-on, Secure Password Manager, Computer and Network Sign-on, Email Encryption & Signing and PKI. I would definitely use the USB Token for File and Disk Encryption and Secure Password Manager. In my line of work and our customers, I can also imagine using the USB Token for Secure VPN Authentication.