Kerberos vs. LDAP for authentication -- any opinions?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Wed Jan 28 16:20:00 EST 2004


Harry, others,

The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner - this is one of the many requirements for application security for which Kerberos is ideally suited.

I think we need to compare the LDAP directory and Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.

I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?

LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.

Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built-in prevention of network replay attacks and protection against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- a protocol that allows support for userid/password, token card, smart card authentication and other forms of user authentication - LDAP is only suited to userid/password
- works well in a client/server and multi-tier environment especially when using credential delegation or impersonation
- can be used to setup a security context between application components on the network - LDAP cannot be used for this.
- provides mutual authentication, integrity, confidentiality services - LDAP does not do any of these
- makes single sign-on easy, especially since Microsoft Active Directory does the Kerberos authentication when a user logs onto a MS network
- works well in a heterogeneous environment
- supported and utilised by a growing number of application vendors and standards
- a strategic protocol in many ways because of having many uses - it can even be used very effectively to allow an unattended application to authenticate itself to another application (e.g. ftp -> ftpd).

Thanks, Tim.
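The properties in Tim's list (credentials with a lifetime, replay prevention, no password on the wire, mutual authentication) can be seen in a small model of the Kerberos AP exchange. The following is an added example written for this thread, not code from any of the posters or from MIT Kerberos: the realm EXAMPLE.COM, the principals alice and host/app.example.com, the passwords, and the SHA-256 keystream plus HMAC "sealing" are all constructed for illustration and stand in for the real RFC 3961 encryption types.

```python
import hashlib
import hmac
import json
import os

# ---- toy crypto: SHA-256 keystream with an HMAC tag (encrypt-then-MAC).
# Constructed for this example only; real Kerberos uses RFC 3961 enctypes.
def derive_key(password: str, salt: str) -> bytes:
    # The KDC stores only this derived key, so the password itself never
    # has to cross the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> dict:
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "cipher": cipher.hex(), "tag": tag.hex()}

def unseal(key: bytes, blob: dict) -> dict:
    nonce, cipher, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "cipher", "tag"))
    expect = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed (wrong key or tampering)")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))

# ---- the three parties
class KDC:
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)

    def issue(self, client: str, service: str, now: float, lifetime: int = 300):
        # AS + TGS collapsed into one step: a ticket readable only by the
        # service and a reply readable only by the client. Both carry a fresh
        # session key and an end time, so the credential has a lifetime.
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": client, "session": session, "endtime": now + lifetime})
        reply = seal(self.keys[client],
                     {"session": session, "service": service, "endtime": now + lifetime})
        return ticket, reply

class Client:
    def __init__(self, name: str, password: str, realm: str):
        self.name = name
        self.key = derive_key(password, realm + name)
        self.session = self.ctime = None

    def ap_req(self, ticket: dict, reply: dict, now: float) -> dict:
        # Only the holder of the password-derived key can open the reply;
        # a wrong password fails here, on the client, with no password sent.
        self.session = bytes.fromhex(unseal(self.key, reply)["session"])
        self.ctime = now
        authenticator = seal(self.session, {"client": self.name, "ctime": now})
        return {"ticket": ticket, "authenticator": authenticator}

    def check_ap_rep(self, ap_rep: dict) -> bool:
        # Mutual authentication: the service proves it holds the session key
        # by echoing our timestamp under it.
        return unseal(self.session, ap_rep)["ctime"] == self.ctime

class Service:
    SKEW = 300  # seconds of tolerated clock skew

    def __init__(self, name: str, password: str, realm: str):
        self.key = derive_key(password, realm + name)
        self.replay_cache = set()

    def accept(self, ap_req: dict, now: float):
        t = unseal(self.key, ap_req["ticket"])
        if now > t["endtime"]:
            raise PermissionError("ticket expired")
        session = bytes.fromhex(t["session"])
        a = unseal(session, ap_req["authenticator"])
        if a["client"] != t["client"] or abs(now - a["ctime"]) > self.SKEW:
            raise PermissionError("authenticator rejected")
        if (a["client"], a["ctime"]) in self.replay_cache:
            raise PermissionError("replay detected")
        self.replay_cache.add((a["client"], a["ctime"]))
        return t["client"], seal(session, {"ctime": a["ctime"]})

def run_exchange(password: str = "correct horse", now: float = 1_075_000_000):
    # Constructed demo: realm, principals and passwords are made up.
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal("host/app.example.com", "service-key-material")
    alice = Client("alice", password, "EXAMPLE.COM")
    app = Service("host/app.example.com", "service-key-material", "EXAMPLE.COM")
    ticket, reply = kdc.issue("alice", "host/app.example.com", now)
    req = alice.ap_req(ticket, reply, now)
    who, ap_rep = app.accept(req, now)
    return who, alice.check_ap_rep(ap_rep), app, req

if __name__ == "__main__":
    who, mutual, app, req = run_exchange()
    print("service accepted", who, "| mutual auth ok:", mutual)
    try:
        app.accept(req, 1_075_000_000)  # the same AP-REQ presented again
    except PermissionError as e:
        print("second presentation:", e)
```

Presenting the same AP-REQ twice hits the replay cache, presenting it after the end time fails the lifetime check, and a wrong client password fails inside `unseal` before anything reaches the service; in each case the only secret that ever travelled was a sealed session key, which is the contrast with a password compare against a directory.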

-----Original Message-----
From: Harry Le [mailto:sahung at rogers.com] 
Sent: 28 January 2004 19:30
To: kerberos at mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?


Not entirely true.  

Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos V5 credentials to authenticate users against LDAP directories. This will not require users to change passwords. For data privacy, use SSL.

Joseph

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network.  Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to be validated against the copies stored in LDAP.

To me this approach is unacceptable.
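Jeffrey's objection and Joseph's SASL/GSSAPI reply come down to what an LDAP BindRequest actually carries on the wire. The following added example (written for this page, not code from any poster) encodes the two bind variants from the LDAPv3 ASN.1 (LDAPMessage SEQUENCE, messageID INTEGER, BindRequest as [APPLICATION 0], authentication either simple [0] or sasl [3]) and then parses them back the way a capture-analysis or audit tool would, reporting whether a password is present in cleartext. The DN, password and GSSAPI token bytes are constructed sample values.

```python
# Minimal BER encode/decode for LDAPv3 BindRequest (RFC 4511 / RFC 2251).
# Constructed example; tags are the standard ones, sample data is made up.

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:               # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # authentication CHOICE: simple [0] OCTET STRING  -> context tag 0x80
    op = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def build_sasl_bind(msg_id: int, dn: str, mechanism: str, token: bytes) -> bytes:
    # authentication CHOICE: sasl [3] SaslCredentials -> context tag 0xA3
    sasl = tlv(0x04, mechanism.encode()) + tlv(0x04, token)
    op = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0xA3, sasl)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def parse_bind(packet: bytes) -> dict:
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return {"message_id": int.from_bytes(mid, "big"), "op": "not-a-bind"}
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    out = {"message_id": int.from_bytes(mid, "big"), "op": "bind",
           "version": int.from_bytes(ver, "big"), "name": dn.decode()}
    if tag == 0x80:
        out["auth"] = "simple"
        out["password_on_wire"] = auth.decode(errors="replace")
    elif tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)
        out["auth"] = "sasl"
        out["mechanism"] = mech.decode()
        out["password_on_wire"] = None   # only a mechanism token is carried
    return out

def audit(packet: bytes, over_tls: bool) -> str:
    """One-line finding in the style of a capture audit tool."""
    b = parse_bind(packet)
    if b.get("auth") == "simple" and b["password_on_wire"] and not over_tls:
        return f"CLEARTEXT simple bind for {b['name']} (password visible on the wire)"
    if b.get("auth") == "simple":
        return f"simple bind for {b['name']} protected only by TLS"
    if b.get("auth") == "sasl":
        return f"SASL/{b['mechanism']} bind for {b['name'] or '<empty DN>'}: no password on the wire"
    return "non-bind operation"

if __name__ == "__main__":
    # Constructed sample traffic.
    simple = build_simple_bind(1, "cn=alice,dc=example,dc=com", "hunter2")
    sasl = build_sasl_bind(2, "", "GSSAPI", b"\x60\x23\x06\x09constructed-ap-req-token")
    print(audit(simple, over_tls=False))
    print(audit(sasl, over_tls=False))
```

The simple bind parses back with the password in the clear unless the session is wrapped in TLS, which is Jeffrey's point; the GSSAPI bind carries only a Kerberos token, which is what Joseph means by not having to change passwords, and SSL (TLS) is then needed only for privacy of the directory data that follows.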


cyberp70 at yahoo.com wrote:
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything on 
> our network.  Some people here are advocating switching to using LDAP 
> for authentication (we already have a pretty well developed LDAP 
> infrastructure).  This would of course require everyone to change 
> their password as well the trauma of recoding applications that 
> currently use Kerberos and haven't been converted to using PAM.
> 
> Anyone have any pointers to information about the relative merits of 
> using Kerberos or LDAP for authentication in a large heterogeneous 
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70 at yahoo.com
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
