Kerberos vs. LDAP for authentication -- any opinions?
paul kölle
paul at subsignal.org
Mon Feb 2 07:57:23 EST 2004
Peter Gietz wrote:
> Tim,
>
> Your view on LDAP may be a little too simplified.
>
> There is a whole variety of authentication mechanisms that you can use
> within LDAP, userdn/cleartext password (=simple bind) being only the
> most useless and unrecommended by the standards.
>
> The minimal recommendation is to use that simple bind within a TLS
> encrypted session, but there are other mechanisms in LDAP
> implementations which all use the SASL framework. The IMHO most important
> SASL mechanisms are:
>
> - DIGEST-MD5, a challenge-response mechanism, where the actual password
> will not be sent through the net. This is also mandatory to implement in
> standard-conforming LDAP
>
> - GSSAPI using the Kerberos 5 mechanism, which was already mentioned in
> this thread, and is implemented in at least some LDAP implementations,
> like OpenLDAP.
>
>
Sorry, but where is the point? If you use SASL/GSSAPI, you have to
deploy Kerberos, right? Then the "vs." is gone and the directory is just
another kerberized resource of information. Using the above-mentioned
{SASL}<cleartextpw> hack, to access Kerberos passwords through simple binds,
is (like pam_krb5) a bad choice (and disabled in newer OpenLDAP
releases) since it opens your Kerberos database to non-kerberized
services which (possibly) send passwords through the net in the clear.
greetings
Paul
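To make Peter's DIGEST-MD5 point concrete, here is the RFC 2831 challenge/response computed by both sides, run offline. This is an added example, not code from the thread or from OpenLDAP; the realm, user name, password, digest-uri and nonces are constructed, and the last function replays the worked example from RFC 2831 section 4. The server side verifies using only H(username:realm:password), which is why a DIGEST-MD5 verifier needs either that per-realm hash or the cleartext password and cannot work from a one-way hash such as {SSHA}.

```python
"""DIGEST-MD5 (RFC 2831) exchange, client and server, offline.

Added example; the values below are constructed, not from the thread.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

REALM = "example.org"                      # constructed
USERNAME = "alice"                         # constructed
PASSWORD = "correct horse battery staple"  # constructed
DIGEST_URI = "ldap/ldap.example.org"       # constructed


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def password_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) as 16 raw bytes. A verifier can store
    this instead of the cleartext password; nothing weaker suffices."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest(pw_hash: bytes, nonce: str, cnonce: str, nc: str, qop: str,
            digest_uri: str, a2_prefix: str) -> str:
    """KD() of RFC 2831: a2_prefix is "AUTHENTICATE" for the client's
    response and "" for the server's rspauth."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce  (the inner hash is binary)
    ha1 = md5(pw_hash + f":{nonce}:{cnonce}".encode()).hex()
    a2 = f"{a2_prefix}:{digest_uri}".encode()
    if qop != "auth":  # auth-int / auth-conf carry a 32-zero body-hash placeholder
        a2 += b":00000000000000000000000000000000"
    ha2 = md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


class DigestMd5Server:
    """Holds only username -> H(user:realm:pass); never sees the password."""

    def __init__(self, realm: str, stored_hashes: Dict[str, bytes]):
        self.realm, self.stored, self.nonce = realm, stored_hashes, None

    def challenge(self, nonce: Optional[str] = None) -> Dict[str, str]:
        self.nonce = nonce or secrets.token_urlsafe(16)
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth",
                "algorithm": "md5-sess", "charset": "utf-8"}

    def verify(self, resp: Dict[str, str]) -> Optional[str]:
        """Return rspauth on success, None on any failure."""
        pw_hash = self.stored.get(resp["username"])
        if pw_hash is None or resp["nonce"] != self.nonce or resp["realm"] != self.realm:
            return None
        args = (resp["nonce"], resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"])
        if not hmac.compare_digest(_digest(pw_hash, *args, "AUTHENTICATE"), resp["response"]):
            return None
        return _digest(pw_hash, *args, "")  # proves the server knows the hash too


def client_response(username: str, password: str, challenge: Dict[str, str],
                    digest_uri: str, cnonce: Optional[str] = None,
                    nc: str = "00000001") -> Dict[str, str]:
    cnonce = cnonce or secrets.token_urlsafe(16)
    pw_hash = password_hash(username, challenge["realm"], password)
    resp = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": nc, "qop": challenge["qop"],
            "digest-uri": digest_uri, "charset": "utf-8"}
    resp["response"] = _digest(pw_hash, resp["nonce"], cnonce, nc, resp["qop"],
                               digest_uri, "AUTHENTICATE")
    return resp


def client_check_rspauth(username: str, password: str, resp: Dict[str, str], rspauth: str) -> bool:
    pw_hash = password_hash(username, resp["realm"], password)
    expected = _digest(pw_hash, resp["nonce"], resp["cnonce"], resp["nc"],
                       resp["qop"], resp["digest-uri"], "")
    return hmac.compare_digest(expected, rspauth)


def run_exchange(password_attempt: str) -> Dict[str, bool]:
    """Full exchange against a server that stores only the hash."""
    server = DigestMd5Server(REALM, {USERNAME: password_hash(USERNAME, REALM, PASSWORD)})
    chal = server.challenge()
    resp = client_response(USERNAME, password_attempt, chal, DIGEST_URI)
    rspauth = server.verify(resp)
    wire = ",".join(f"{k}={v}" for d in (chal, resp) for k, v in d.items()) + (rspauth or "")
    return {"authenticated": rspauth is not None,
            "server_proved": rspauth is not None
            and client_check_rspauth(USERNAME, password_attempt, resp, rspauth),
            "password_on_wire": PASSWORD in wire}


def rfc2831_vector() -> Tuple[str, Optional[str]]:
    """Replay the worked example from RFC 2831 section 4."""
    realm, nonce = "elwood.innosoft.com", "OA6MG9tEQGm2hh"
    server = DigestMd5Server(realm, {"chris": password_hash("chris", realm, "secret")})
    chal = server.challenge(nonce)
    resp = client_response("chris", "secret", chal, "imap/elwood.innosoft.com",
                           cnonce="OA6MHXh6VqTrRk")
    return resp["response"], server.verify(resp)


if __name__ == "__main__":
    print(run_exchange(PASSWORD), run_exchange("wrong"), rfc2831_vector())
```

Everything that crosses the wire is the challenge, the response directives and rspauth; the password itself appears in neither direction, and a wrong password is rejected without the server ever learning a guess it could replay elsewhere. The flip side Paul's reply turns on still holds: the server must hold the password or H(user:realm:pass) for every user it can verify.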