Kerberos vs. LDAP for authentication -- any opinions?

wang, ye wang_ye at emc.com
Wed Jan 28 15:59:07 EST 2004


Normally, a client user is not allowed to modify the password, but the LDAP
server login admin user will be able to do it. Actually, the LDAP server is an
authentication service provider.
 





-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Harry Le
Sent: Wednesday, January 28, 2004 2:30 PM
To: kerberos at mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?



Not entirely true.  

Most LDAP servers now support the SASL/GSSAPI mechanism.   It uses Kerberos
V5 credentials to authenticate users against LDAP directories.  This will
not require users to change passwords.  For data privacy, use SSL.

Joseph

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames and
passwords which is accessible over the network.  Your users must then
transmit said usernames and passwords across the network to a potentially
compromised machine in order for them to be validated against the copies
stored in LDAP.

To me this approach is unacceptable.


cyberp70 at yahoo.com wrote:
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything on 
> our network.  Some people here are advocating switching to using LDAP 
> for authentication (we already have a pretty well developed LDAP 
> infrastructure).  This would of course require everyone to change 
> their password as well as the trauma of recoding applications that 
> currently use Kerberos and haven't been converted to using PAM.
> 
> Anyone have any pointers to information about the relative merits of 
> using Kerberos or LDAP for authentication in a large heterogeneous 
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70 at yahoo.com
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos