KDC Hardware

Turbo Fredriksson turbo at bayour.com
Mon Jan 9 06:43:14 EST 2006


Quoting Nicolas Williams <Nicolas.Williams at sun.com>:

> On Sun, Jan 08, 2006 at 01:04:08PM +0100, Turbo Fredriksson wrote:
>> The LDAP server is nowhere NEAR as important. If they crack that,
>> all they'll get is ... what, nothing basically?
>
> Depends on who's relying on the LDAP server and for what.
>
> If important systems are using LDAP for user information like, say, UID,
> group memberships, and so on, well, then your LDAP server is practically
> as important as your KDC (losing a KDC would still be worse, primarily
> because re-keying an entire realm is painful).

Exactly, that was what I was assuming. _I_ use it with my mail system
_as well_, but not everyone/that many (?) use it that way. So _my_ LDAP server is
'almost' more important than the KDC. I don't have that many users (<50), and
I know them in person, so recreating a KDC wouldn't be THAT much of a job for me.
But recreating the LDAP database with all its information would be 'almost impossible'.


But if the LDAP server is 'only' used for authorization (uid/gid/home etc.),
which is how most people use it when using Kerberos (?), then it's _just slightly_
less important than the KDC.
In such a case, recreating the LDAP server can be scripted, but recreating
a KDC would be a SERIOUS pain.


So as I see it, LDAP and Kerberos (should) have the same weight regarding
security...
