kerberos vs ldap

Edward Murrell edward at murrell.co.nz
Mon Mar 24 20:52:25 EDT 2008


> Can anyone explain to me whats the relation between LDAP vs Kerberos

(The longer explanation)

Authentication is the process of proving who you are. But, just because I
can prove I'm who I say I am via a drivers licence, doesn't mean I'm
getting into the club. "Your name isn't on the list."

Kerberos is a (secure) authentication mechanism. It is used to prove to a
server (for example, an email server) that the user talking to it is who
they say they are.

It also works in reverse: it proves that a server is the server the user
intended to talk to, so that if the communication process is disrupted or
diverted, the user and the server will know.

LDAP is a directory service. It is used to store and look up public
(relatively speaking) information on an object (which may be a person, a
user group, a computer, a printer, or many other things) such as phone
numbers, email addresses, the full name of a person, physical locations,
address, group members, and so on.

Because the administrator may wish to control access to various pieces of
information in the LDAP store (for example, home address of employees), it
is necessary to have an authentication mechanism of some kind. Kerberos
can be and is used for this purpose using GSSAPI, but often the built-in
'Simple Authentication' mechanism is used.

Since LDAP has to do authentication for itself, it can provide this
service for other things, such as our hypothetical email service. However,
this may be in plain text (i.e. the network traffic can be sniffed); it
does not provide 'Single Sign On', so the user would have to keep typing in
their password (or store it in plain text on the disk of the machine); and
it provides no way for the server to prove to the user that it really is
the server it says it is.

So: Kerberos is secure two-way authentication. LDAP is a store of
information that can provide one-way, possibly secure authentication.

Confused yet? :)

The common relationship is that Kerberos is used to provide authentication
for a user/server, and LDAP is used to retrieve information ABOUT that
user.

Cheers,
Edward
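The following is an added example, not part of Edward's post or of any Kerberos or LDAP implementation. It models, in plain Python (standard library only), the three points the post makes: the user proves themself to the server with a ticket, the server proves itself back in the AP-REP, and the password is used once to get a TGT and not again (single sign-on); after the user is authenticated the server looks up information ABOUT them in a directory. For contrast it also builds the real BER encoding of an LDAPv3 simple bind request, which is exactly what a non-TLS simple bind puts on the wire. Everything else is assumed or reduced: the "encryption" is a toy (SHAKE-256 keystream plus HMAC tag) standing in for the Kerberos enctypes; the AS/TGS/AP messages carry only a client name, a key and a timestamp (no realms, lifetimes, flags, pre-authentication, replay cache or subkeys); and the principal names "alice" and "imap/mail", the password "correct horse", the DN uid=alice,dc=example,dc=com and the directory attributes are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Toy authenticated encryption standing in for the Kerberos enctypes: NOT real Kerberos crypto.
def seal(key: bytes, obj) -> dict:
    """Encrypt-then-MAC a JSON-serialisable message under key."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, box: dict):
    """Verify, then decrypt. ValueError if the key is wrong or the box was altered."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    """Knows every principal's long-term key; runs the AS and TGS exchanges (heavily reduced)."""
    def __init__(self, keys: dict):
        self.keys, self.tgs_key = keys, secrets.token_bytes(32)   # user/service keys; krbtgt key

    def as_exchange(self, client: str):
        """AS-REP: a TGT (readable only by the KDC) + its session key (readable only by client)."""
        sk = secrets.token_bytes(32)
        return (seal(self.tgs_key, {"client": client, "key": sk.hex()}),
                seal(self.keys[client], {"key": sk.hex()}))

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str):
        """TGS-REP: a ticket for `service`, once the client proves it holds the TGT session key."""
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        ssk = secrets.token_bytes(32)
        return (seal(self.keys[service], {"client": t["client"], "key": ssk.hex()}),
                seal(bytes.fromhex(t["key"]), {"key": ssk.hex()}))

class Server:
    def __init__(self, key: bytes, directory: dict):
        self.key, self.directory = key, directory         # directory: constructed stand-in for LDAP

    def ap_exchange(self, ticket: dict, authenticator: dict):
        t = unseal(self.key, ticket)                      # only the real service key opens this
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["ts"]) > 300:
            raise ValueError("authenticator rejected")
        # User authenticated; now the post's "relationship": fetch information ABOUT the user.
        return seal(sk, {"ts": auth["ts"]}), self.directory.get(t["client"], {})

class RogueServer:  # impostor without the service key: cannot read the ticket, so it bluffs
    def ap_exchange(self, ticket, authenticator):
        return seal(secrets.token_bytes(32), {"ts": 0}), {"mail": "phish@attacker.invalid"}

class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.tgt, enc = kdc.as_exchange(name)
        self.tgt_key = bytes.fromhex(unseal(hashlib.sha256(password.encode()).digest(), enc)["key"])
        # The password is not kept: every later login uses the TGT instead (single sign-on).

    def authenticate_to(self, service: str, server) -> dict:
        """AP exchange: the ticket proves us to the server; AP-REP proves the server to us."""
        ticket, enc = self.kdc.tgs_exchange(self.tgt, seal(self.tgt_key, {"client": self.name}), service)
        sk = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        ts = time.time()
        ap_rep, info = server.ap_exchange(ticket, seal(sk, {"client": self.name, "ts": ts}))
        # Only a holder of the service key could learn sk and echo our timestamp under it.
        if unseal(sk, ap_rep)["ts"] != ts:                # unseal() raises on a bluffed reply
            raise ValueError("server failed to prove its identity")
        return info

# LDAP simple bind, for contrast: the actual BER encoding (RFC 4511 section 4.2, X.690 lengths).
def _ber(tag: int, body: bytes) -> bytes:
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def ldap_simple_bind_request(dn: str, password: str) -> bytes:
    """LDAPMessage{messageID 1, BindRequest{version 3, name, simple password}}: without TLS,
    these exact bytes, password included, are what crosses the wire."""
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _ber(0x02, b"\x01") + bind)

def demo():
    """Returns (attributes released by the real server, True if the impostor was detected)."""
    directory = {"alice": {"mail": "alice@example.com", "telephoneNumber": "+64 4 000 0000"}}
    imap_key = secrets.token_bytes(32)
    kdc = KDC({"alice": hashlib.sha256(b"correct horse").digest(), "imap/mail": imap_key})
    alice = Client("alice", "correct horse", kdc)         # the only time the password is used
    info = alice.authenticate_to("imap/mail", Server(imap_key, directory))
    try:
        alice.authenticate_to("imap/mail", RogueServer())
        return info, False
    except ValueError:
        return info, True
```

Running demo() shows the two directions the post describes: the real server releases alice's directory attributes only after her ticket and authenticator check out, and the RogueServer, which never held the service key, cannot produce an AP-REP under the session key, so the client rejects it rather than trusting whatever it sent back. ldap_simple_bind_request() shows the other side of the contrast: the password is right there in the bytes, which is why a simple bind needs TLS and why it gives the user no proof about the server.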
