Kerberos vs. LDAP for authentication -- any opinions?
Douglas E. Engert
deengert at anl.gov
Thu Jan 29 09:45:27 EST 2004
cyberp70 at yahoo.com wrote:
>
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything
> on our network. Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure). This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.

What is the real situation?

Are these people application developers who find it easier to just
ask for a user and password then call LDAP?

Are they looking at the lack of Kerberos in the browser, and so
find the easiest way is to just prompt for a user and password?

Are they application developers who want additional authorization data
which is stored in LDAP which Kerberos cannot provide?

Many of the browser issues can be addressed by Kx509 from the
University of Michigan. It can obtain a short-term X509 certificate
using Kerberos for authentication. The certificate and key are then
stored so the browser can use it with SSL to any web server. It works
with IE and Netscape on Windows. It runs on UNIX and Mac as well.

http://www.citi.umich.edu/projects/kerb_pki/

Once authenticated, LDAP can still be used for authorization data.

>
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
>
> Any info is, of course, greatly appreciated.
>
> - C
>
> --
> Email: cyberp70 at yahoo.com
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444