Kerberos vs. LDAP for authentication -- any opinions?
Harry Le
sahung at rogers.com
Wed Jan 28 14:30:23 EST 2004
Not entirely true.
Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos
V5 credentials to authenticate users against LDAP directories. This will
not require users to change passwords. For data privacy, use SSL.
Joseph
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network. Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to be validated
against the copies stored in LDAP.
To me this approach is unacceptable.
cyberp70 at yahoo.com wrote:
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything
> on our network. Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure). This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.
>
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
>
> Any info is, of course, greatly appreciated.
>
> - C
>
> --
> Email: cyberp70 at yahoo.com
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos