NEWBIE Question: Kerberos and LDAP

Brian Davidson bdavids1 at gmu.edu
Wed May 21 18:56:08 EDT 2003


I would suggest looking to do the opposite of what you're talking 
about.  Kerberos was designed to be a very secure authentication 
system, while LDAP was not designed to be an authentication system 
(which is not to say that it won't work, but that wasn't the driving 
motivation behind it).  Depending on the LDAP server, you can probably 
set it up to authenticate against a Kerberos realm.

Some applications only use "LDAP Authentication", and won't do 
Kerberos, so you are then able to still use them (if they don't 
authenticate over SSL, I would recommend picking a different app 
though, as plain text passwords over the network suck).

On UNIX systems, you can use nsswitch to use LDAP for authorization and 
Kerberos for authentication (I'm assuming you're familiar with the 
difference between authentication and authorization).  Even Microsoft 
supports authenticating against a non-Microsoft realm (although to get 
real functionality you still need a mostly empty Microsoft KDC that 
trusts your real realm).

Brian Davidson
George Mason University

On Wednesday, May 21, 2003, at 04:42 PM, Rob Tanner wrote:

> Hi,
>
> I'm an absolute newbie to kerberos trying to see how to fit it into our
> network and existing authentication schemes.  Currently, LDAP represents
> the backend store for all passwords and users are authenticated against
> the LDAP server.
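The split Brian describes (LDAP via nsswitch for account and group lookups, Kerberos via PAM for password verification, and TLS on the LDAP connection for any application that still insists on "LDAP authentication") is commonly wired up on a Linux host with nss_ldap and pam_krb5. The fragments below are an added illustration, not configuration from the original post or from any mentioned project; the realm EXAMPLE.COM, the hosts ldap.example.com and kdc.example.com, the base DN and the CA file path are placeholders, and the PAM file name, module options and file locations vary between distributions.

```text
# /etc/nsswitch.conf -- identity data (uid, gid, group membership) comes
# from LDAP after the local files; password verification never happens here
passwd:   files ldap
group:    files ldap
shadow:   files          # no shadow data from LDAP: the KDC checks passwords

# /etc/ldap.conf (nss_ldap) -- run the lookups over TLS so that an
# application that only does "LDAP authentication" does not send
# plaintext passwords across the network
uri             ldap://ldap.example.com/        # placeholder host
base            dc=example,dc=com               # placeholder base DN
ssl             start_tls
tls_cacertfile  /etc/ssl/certs/example-ca.pem   # placeholder CA bundle
tls_reqcert     demand                          # reject a server whose cert does not verify

# /etc/pam.d/common-auth (Debian-style name; other distributions differ) --
# Kerberos authenticates network accounts, pam_unix is kept for local ones
auth  sufficient  pam_krb5.so  minimum_uid=1000
auth  required    pam_unix.so  try_first_pass

# /etc/krb5.conf -- the realm the host authenticates against
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```

With this in place, `getent passwd <user>` resolves the account from LDAP while a login is verified against the KDC, and a successful login leaves a ticket cache that `klist` can show. The `minimum_uid` option keeps system accounts from being sent to the KDC at all, and `tls_reqcert demand` is the setting that turns "uses TLS" into "refuses to talk to an impostor"; leaving it at a permissive value would let a man-in-the-middle present any certificate.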