Kerberos vs. LDAP for authentication -- any opinions?

Kevin Coffman kwc at citi.umich.edu
Wed Jan 28 16:35:55 EST 2004


But it does require you to send your password (over SSL) to the LDAP server
which then uses SASL/GSSAPI to verify the password?  Isn't that how this
works, or am I missing something?

K.C.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Harry Le
Sent: Wednesday, January 28, 2004 2:30 PM
To: kerberos at mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?


Not entirely true.

Most LDAP servers now support the SASL/GSSAPI mechanism.  It uses Kerberos
V5 credentials to authenticate users against LDAP directories.  This will
not require users to change passwords.  For data privacy, use SSL.

Joseph

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network.  Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to be validated
against the copies stored in LDAP.

To me this approach is unacceptable.


cyberp70 at yahoo.com wrote:
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything
> on our network.  Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.
> 
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70 at yahoo.com
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
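
The distinction the thread turns on, shown as an added example that is not part of any poster's message: in an LDAP BindRequest the simple choice carries the password itself, while the SASL choice carries a mechanism name and an opaque token. The sample PDUs, DNs and credential values are constructed, and the function names are hypothetical.

```python
# Added example: classify LDAP BindRequest PDUs (RFC 4511, section 4.2).
# All sample DNs, passwords and tokens below are constructed.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that still carry the password

def tlv(tag, value):
    assert len(value) < 128  # short-form BER length is enough for the samples
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, dn, auth):
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth  # version 3, name, authentication
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def classify_bind(pdu):
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)  # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:  # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)  # version
    _, dn, pos = read_tlv(op, pos)  # name (bind DN)
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag == 0x80:  # simple [0]: the octets are the password
        return {"dn": dn.decode(), "method": "simple", "password_on_wire": len(auth) > 0}
    if auth_tag == 0xA3:  # sasl [3]: mechanism name, then opaque credentials
        _, mech, _ = read_tlv(auth, 0)
        mech = mech.decode()
        return {"dn": dn.decode(), "method": "sasl:" + mech,
                "password_on_wire": mech in PLAINTEXT_SASL}
    raise ValueError("unknown authentication choice")

SIMPLE = bind_request(1, b"uid=alice,ou=people,dc=example,dc=com", tlv(0x80, b"constructed-pw"))
GSSAPI = bind_request(2, b"", tlv(0xA3, tlv(0x04, b"GSSAPI") + tlv(0x04, b"constructed-gss-token")))
for name, pdu in (("simple", SIMPLE), ("gssapi", GSSAPI)):
    print(name, classify_bind(pdu))
```

SSL/TLS protects either PDU in transit; it does not change what the server holds once the bind is decrypted.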
