Kerberos vs. LDAP for authentication -- any opinions?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Thu Jan 29 11:53:16 EST 2004


Peter,

Thank you for the explanation. I was trying to keep my answer relatively simple to avoid any unnecessary technical detail and hence overcomplicating the answer to the original question asked.

Anyway, Kerberos is useful for more than just SSO (or SSSO) when compared with LDAP; this is why I provided a long list of differences in my email. In fact LDAP and Kerberos are complementary and not competitive technologies.

Thanks, Tim. 

-----Original Message-----
From: Peter Gietz [mailto:peter.gietz at daasi.de] 
Sent: 29 January 2004 16:58
To: Tim Alsop
Cc: Harry Le; kerberos at mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

Tim,

Your view on LDAP may be a little too simplified.

There is a whole variety of authentication mechanisms that you can use within LDAP, userdn/cleartext password (=simple bind) being only the most useless one, and not recommended by the standards.

The minimal recommendation is to use that simple bind within a TLS-encrypted session, but there are other mechanisms in LDAP implementations which all use the SASL framework. The IMHO most important SASL mechanisms are:

- DIGEST-MD5, a challenge-response mechanism where the actual password will not be sent through the net. This is also mandatory to implement in standard-conforming LDAP.

- GSSAPI using the Kerberos 5 mechanism, which was already mentioned in this thread, and is implemented in at least some LDAP implementations, like OpenLDAP.

Any other SASL mechanism could also be used, e.g. SASL EXTERNAL, which can use client-certificate-based strong authentication already established in lower layers, like TLS.

What I want to say is that LDAP can well be and is being used as authentication infrastructure. The main advantage of Kerberos is its SSO functionality. But again, with GSSAPI/KRB5 you can integrate that in an LDAP authentication infrastructure as well. The advantage of LDAP is IMO that it can be used for more than authentication, e.g. authorization, contact data information system, certificate server, etc. etc.

Cheers,

Peter


Tim Alsop wrote:

>Harry, others,
>
>The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner - this is one of the many requirements for application security for which Kerberos is ideally suited.
>
>I think we need to compare the LDAP directory and the Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.
>
>I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?
>
>LDAP server for user authentication
>- can be used to store password + other information about users.
>- useful for simple user authentication requirements where checking of password is all that is required.
>
>Kerberos for user authentication
>- uses security credentials which have a lifetime - LDAP does not have this capability
>- built-in prevention of network replay attacks and protection against other network security concerns - LDAP does not protect against these issues
>- removes the need to pass any form of password across a network - LDAP requires password transmission
>- a protocol that allows support for userid/password, token card, smart card authentication and other forms of user authentication - LDAP is only suited to userid/password
>- works well in a client/server and multi-tier environment, especially when using credential delegation or impersonation
>- can be used to set up a security context between application components on the network - LDAP cannot be used for this.
>- provides mutual authentication, integrity and confidentiality services - LDAP does not do any of these
>- makes single sign-on easy, especially since Microsoft Active Directory does the Kerberos authentication when a user logs onto a MS network
>- works well in a heterogeneous environment
>- supported and utilised by a growing number of application vendors and standards
>- a strategic protocol in many ways because of having many uses - it can even be used very effectively to allow an unattended application to authenticate itself to another application (e.g. ftp -> ftpd).
>
>Thanks, Tim.
>
>-----Original Message-----
>From: Harry Le [mailto:sahung at rogers.com]
>Sent: 28 January 2004 19:30
>To: kerberos at mit.edu
>Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?
>
>
>Not entirely true.  
>
>Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos V5 credentials to authenticate users against LDAP directories. This will not require users to change passwords. For data privacy, use SSL.
>
>Joseph
>
>-----Original Message-----
>From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On 
>Behalf Of Jeffrey Altman
>Sent: Wednesday, January 28, 2004 11:19 AM
>To: kerberos at mit.edu
>Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
>
>LDAP is not an authentication infrastructure.
>All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network.  Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to be validated against the copies stored in LDAP.
>
>To me this approach is unacceptable.
>
>
>cyberp70 at yahoo.com wrote:
>  
>
>>At the risk of starting a religious war....
>>
>>We currently use Kerberos for authentication for almost everything on 
>>our network.  Some people here are advocating switching to using LDAP 
>>for authentication (we already have a pretty well developed LDAP 
>>infrastructure).  This would of course require everyone to change 
>>their password as well the trauma of recoding applications that 
>>currently use Kerberos and haven't been converted to using PAM.
>>
>>Anyone have any pointers to information about the relative merits of 
>>using Kerberos or LDAP for authentication in a large heterogeneous 
>>environment?
>>
>>Any info is, of course, greatly appreciated.
>>
>>- C
>>
>>--
>>Email:  cyberp70 at yahoo.com
>>    
>>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>


--
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                phone: +49 7071 2970336
Wilhelmstr. 106                         Fax:   +49 7071 295114
D-72074 Tübingen                        email: peter.gietz at daasi.de
Germany                                 Web:   www.daasi.de

Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
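The DIGEST-MD5 exchange Peter describes above (the SASL mechanism in which "the actual password will not be sent through the net"), worked through as an added example that is not part of this thread nor code from OpenLDAP or any other LDAP implementation. It models both sides of an RFC 2831 bind in one process: the server's digest-challenge, the client's digest-response, the server's verification and its rspauth value for the mutual-authentication half, then a replayed response, a wrong-password attempt, and what an eavesdropper who captured the exchange can still do offline. The realm, user name, password, digest-uri and the wordlist are constructed for illustration; the hash construction itself follows RFC 2831 (qop=auth, no authzid).

```python
"""DIGEST-MD5 (RFC 2831) as used for a SASL bind to LDAP, both sides modelled in-process."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set


def _h(data: bytes) -> bytes:
    """H() of RFC 2831: raw 16-byte MD5 (the mechanism is defined on MD5; see note below)."""
    return hashlib.md5(data).digest()


def user_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd): the only password-derived value either side needs."""
    return _h(f"{username}:{realm}:{password}".encode())


def _h_a1(uh: bytes, nonce: str, cnonce: str) -> bytes:
    """H(A1) with A1 = { H(user:realm:pw), ":", nonce, ":", cnonce }; the first part is raw bytes."""
    return _h(uh + f":{nonce}:{cnonce}".encode())


def _digest(h_a1: bytes, resp: Dict[str, str], a2: bytes) -> str:
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) where KD(k, s) = H(k ":" s)."""
    s = f"{resp['nonce']}:{resp['nc']}:{resp['cnonce']}:{resp['qop']}:{_h(a2).hex()}"
    return _h(f"{h_a1.hex()}:{s}".encode()).hex()


def _a2_client(resp: Dict[str, str]) -> bytes:   # qop=auth: A2 = "AUTHENTICATE:" digest-uri
    return b"AUTHENTICATE:" + resp["digest-uri"].encode()


def _a2_server(resp: Dict[str, str]) -> bytes:   # rspauth: A2 = ":" digest-uri
    return b":" + resp["digest-uri"].encode()


class DigestMd5Server:
    """LDAP server side: holds H(user:realm:pw) per user and hands out one-shot nonces."""

    def __init__(self, realm: str, verifiers: Dict[str, bytes]) -> None:
        self.realm = realm
        self._verifiers = verifiers          # username -> user_hash(...); a password equivalent
        self._nonces: Set[str] = set()       # outstanding challenges

    def challenge(self) -> Dict[str, str]:
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth",
                "charset": "utf-8", "algorithm": "md5-sess"}

    def verify(self, resp: Dict[str, str]) -> Optional[str]:
        """Return the rspauth value on success (mutual auth), None on any failure."""
        if resp["nonce"] not in self._nonces:          # unknown or already used: a replay
            return None
        self._nonces.discard(resp["nonce"])            # consumed even if the attempt fails
        uh = self._verifiers.get(resp["username"])
        if uh is None or resp["realm"] != self.realm or resp["qop"] != "auth":
            return None
        h_a1 = _h_a1(uh, resp["nonce"], resp["cnonce"])
        if not hmac.compare_digest(_digest(h_a1, resp, _a2_client(resp)), resp["response"]):
            return None
        return _digest(h_a1, resp, _a2_server(resp))


def client_respond(chal: Dict[str, str], username: str, password: str,
                   digest_uri: str = "ldap/ldap.example.com") -> Dict[str, str]:
    """Client's digest-response: everything here goes on the wire, the password does not."""
    resp = {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "cnonce": secrets.token_hex(16), "nc": "00000001", "qop": chal["qop"],
            "digest-uri": digest_uri}
    h_a1 = _h_a1(user_hash(username, chal["realm"], password), chal["nonce"], resp["cnonce"])
    resp["response"] = _digest(h_a1, resp, _a2_client(resp))
    return resp


def client_check_rspauth(resp: Dict[str, str], password: str, rspauth: str) -> bool:
    """Client checks that the server also knew the secret (the mutual-authentication half)."""
    h_a1 = _h_a1(user_hash(resp["username"], resp["realm"], password), resp["nonce"], resp["cnonce"])
    return hmac.compare_digest(_digest(h_a1, resp, _a2_server(resp)), rspauth)


def offline_guess(resp: Dict[str, str], candidates: Iterable[str]) -> Optional[str]:
    """What an eavesdropper can do with one captured response: test password guesses offline."""
    for pw in candidates:
        h_a1 = _h_a1(user_hash(resp["username"], resp["realm"], pw), resp["nonce"], resp["cnonce"])
        if _digest(h_a1, resp, _a2_client(resp)) == resp["response"]:
            return pw
    return None


def demo() -> Dict[str, bool]:
    """One bind, then a replay and a wrong-password attempt; all sample data is constructed."""
    realm, user, pw = "example.com", "alice", "correct horse"     # constructed, not real
    server = DigestMd5Server(realm, {user: user_hash(user, realm, pw)})
    chal = server.challenge()
    resp = client_respond(chal, user, pw)
    rspauth = server.verify(resp)
    on_wire = repr(chal) + repr(resp) + (rspauth or "")
    return {
        "mutual_auth_ok": rspauth is not None and client_check_rspauth(resp, pw, rspauth),
        "password_on_wire": pw in on_wire,
        "replay_rejected": server.verify(resp) is None,
        "wrong_password_rejected": server.verify(client_respond(server.challenge(), user, "hunter2")) is None,
        "crackable_offline": offline_guess(resp, ["hunter2", "letmein", pw]) == pw,
    }
```

Two caveats a practitioner should take from the code rather than from the summary above. First, the server must hold H(username:realm:password) (or the cleartext) for every user, so the directory still stores a password equivalent and a compromise of it is as bad as a cleartext leak. Second, a captured challenge/response pair is enough for an offline dictionary attack, and the whole construction rests on MD5; RFC 6331 moved DIGEST-MD5 to Historic in 2011 for these reasons. Of the mechanisms in Peter's list, GSSAPI/Kerberos is the one that keeps the password-derived secret off both the wire and the LDAP server, and EXTERNAL over TLS avoids a password altogether.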


