Kerberos vs. LDAP for authentication -- any opinions?
Jeffrey I. Schiller
jis at MIT.EDU
Wed Jan 28 16:15:02 EST 2004
Let me try to explain this another way...
General rule: Your password should only be accessible to a trusted computer.
There are three computers in a potential transaction.
1. The Client Computer -- Trusted
2. The KDC/LDAP Server -- Trusted
3. The Server -- UNTRUSTED
When using Kerberos you enter your password into your (trusted)
client. It performs a transaction with the server which permits the
server to authenticate you. However the server never gets your
password, so it doesn't have to be trusted to not abuse it.
With LDAP you authenticate to the server by sending the server your
username and password (hopefully over a secure or encrypted path). The
Server then supplies your username and password to the LDAP server
(again, hopefully over a secure or encrypted path). The LDAP server
then returns to the server whether or not the username/password pair
were valid. In this scenario the SERVER has access to the unencrypted
user password. If it is not trusted, then it might steal it. This is
why LDAP isn't a good solution for authentication.
In many cases client computers are necessarily trusted (like my
laptop, which I own and control). One must necessarily trust the
authentication server, whether it is a Kerberos KDC or an LDAP
server. However it is often the case that you don't want to have to
trust the server. Here Kerberos wins and LDAP loses.
-Jeff
More information about the Kerberos
mailing list