Kerberos vs. LDAP for authentication -- any opinions?

Frank Cusack fcusack at fcusack.com
Thu Jan 29 00:40:10 EST 2004


On 28 Jan 2004 07:32:46 -0800 cyberp70 at yahoo.com wrote:
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?

I think other responses are missing the bigger picture.

You are almost certainly (I'd bet on it) not using Kerberos
authentication as $DEITY intended, ie obtaining a TGT on your local
(trusted) host then using that to get service tickets for
applications.

If you were, replacing it with LDAP would be out of the question, as
you'd lose SSO.

If that's the case, you're better off using LDAP.  You need LDAP
anyway, you said you have an established LDAP infrastructure, and it's
harder to do krb5 authentication correctly than LDAP.  Of course,
there's work involved in setting up LDAP well, but if you are using
LDAP at all, you have to do that anyway.  Better to only maintain less
infrastructure.

Ideally, you'd use real Kerberos authentication for your applications
and just use LDAP for authorization.  That's a far superior method;
see the Kerberos FAQ.

And SASL/GSSAPI has no bearing; if you're using GSSAPI you're using krb5
(for authentication).

/fc