Kerberos vs. LDAP for authentication -- any opinions?

Harry Le sahung at rogers.com
Wed Jan 28 14:30:23 EST 2004


Not entirely true.  

Most LDAP servers now support the SASL/GSSAPI mechanism.   It uses Kerberos
V5 credentials to authenticate users against LDAP directories.  This will
not require users to change passwords.  For data privacy, use SSL.

Joseph

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network.  Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to be validated
against the copies stored in LDAP.

To me this approach is unacceptable.


cyberp70 at yahoo.com wrote:
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything
> on our network.  Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change
> their password as well the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.
> 
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70 at yahoo.com
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list