NEWBIE Question: Kerberos and LDAP
Brian Davidson
bdavids1 at gmu.edu
Wed May 21 18:56:08 EDT 2003
I would suggest looking to do the opposite of what you're talking
about. Kerberos was designed to be a very secure authentication
system, while LDAP was not designed to be an authentication system
(which is not to say that it won't work, but that wasn't the driving
motivation behind it). Depending on the LDAP server, you can probably
set it up to authenticate against a Kerberos realm.

Some applications only use "LDAP Authentication", and won't do
Kerberos, so you are then able to still use them (if they don't
authenticate over SSL, I would recommend picking a different app
though, as plain text passwords over the network suck).

On UNIX systems, you can use nsswitch to use LDAP for authorization and
Kerberos for authentication (I'm assuming you're familiar with the
difference between authentication and authorization). Even Microsoft
supports authenticating against a non-Microsoft realm (although to get
real functionality you still need a mostly empty Microsoft KDC that
trusts your real realm).

Brian Davidson
George Mason University

On Wednesday, May 21, 2003, at 04:42 PM, Rob Tanner wrote:
> Hi,
>
> I'm an absolute newbie to Kerberos trying to see how to fit it into our
> network and existing authentication schemes. Currently, LDAP represents
> the backend store for all passwords and users are authenticated against
> the LDAP server.
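
Added example, not part of either message: a small Python check for the split described in the reply, with LDAP as an nsswitch lookup source and Kerberos handling the password. That the Kerberos side is wired in through PAM (`pam_krb5.so`) and that an LDAP bind appears as `pam_ldap.so` are assumptions, and the sample file contents are constructed.

```python
import os
import re

# Constructed sample files for illustration (not from the original post).
NSSWITCH = "passwd: files ldap\ngroup: files ldap   # directory data\n"
PAM_KRB5 = "auth sufficient pam_krb5.so\nauth required pam_unix.so try_first_pass\n"
PAM_LDAP = "auth [success=1 default=ignore] pam_ldap.so\nauth required pam_deny.so\n"

def _lines(text):
    """Yield config lines with comments dropped and [bracketed] items masked as '_'."""
    for raw in text.splitlines():
        line = re.sub(r"\[[^\]]*\]", " _ ", raw.split("#", 1)[0]).strip()
        if line:
            yield line

def nss_sources(text, database):
    """Ordered lookup sources for one nsswitch.conf database, e.g. 'passwd'."""
    for line in _lines(text):
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return [s for s in rest.split() if s != "_"]
    return []

def pam_auth_modules(text):
    """Module file names on the 'auth' lines of a PAM service file (assumed layout)."""
    mods = []
    for line in _lines(text):
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            mods.append(os.path.basename(fields[2]))
    return mods

def audit(nsswitch_text, pam_text):
    """Findings where a host departs from 'LDAP for lookups, Kerberos for passwords'."""
    findings = []
    if "ldap" not in nss_sources(nsswitch_text, "passwd"):
        findings.append("passwd: LDAP is not a lookup source")
    mods = pam_auth_modules(pam_text)
    if "pam_krb5.so" not in mods:
        findings.append("auth: no pam_krb5.so, passwords are not checked by Kerberos")
    if "pam_ldap.so" in mods:
        findings.append("auth: pam_ldap.so sends the password to the LDAP server; require TLS")
    return findings

if __name__ == "__main__":
    for label, pam in (("krb5", PAM_KRB5), ("ldap-bind", PAM_LDAP)):
        print(label, audit(NSSWITCH, pam) or "ok")
```

On a real host, pass the contents of `/etc/nsswitch.conf` and the PAM service file for the login path being reviewed.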