LDAP KDB

g.w@hurderos.org g.w at hurderos.org
Wed Jan 24 12:05:42 EST 2007 

On Jan 24,  9:09am, matt.smith at uconn.edu wrote:
} Subject: Re: LDAP KDB

Good morning to everyone, hope your respective days are going well.

>   Along the same lines, I find my comfort level much higher using
> MIT Kerberos as a security mechanism, and separately OpenLDAP (or
> any LDAP) as a directory server.  Using a large piece of software
> originally designed, built, and optimized for directory services as
> a security mechanism seems dangerous to me, compared with using
> software designed, built, and optimized from the ground up as a
> security mechanism.

My thoughts on this are well known.

In fact the majority of our work on authorization has focused on the
premise of how to maintain security of authorization information in
the event of a directory compromise.

Stuffing authentication secrets into a directory immediately places
the LDAP directory as a central component of the TCB of the
organization.  Beyond physical security of the servers and data it
also raises significant issues with respect to access controls on who
is allowed to update the server and when.

Anyone who takes this issue lightly should do a bit of research on
what type of remediative action action is justfied/required in the
event of a full compromise of an organization's authentication secrets
requires.

>   However, conversely, I would love to see a LDAP replacement for
> the kadmin protocol.  I am not looking for an LDAP implementation
> worthy of being called a true directory server, but rather simply a
> GSSAPI authenticated, TLS protected, LDAP enabled interface for
> adding/removing/managing users/acls/policies within the existing
> Kerberos database.
>
>   I pondered a back-kadmin for OpenLDAP for a while, but my C skills
> are rather rusty.  Has anyone else considered this path, or is it
> just a bad idea?

We have been putzing around with this a bit.  In my opinion, FWIW, the
community would have been better served by the resources spent on the
LDAP back-end being focused on this alternative.

> Just my $0.03,
> -Matt

My opinions have only averaged about $0.02 return.

Best wishes for a productive remainder of the week.

}-- End of excerpt from matt.smith at uconn.edu

As always,
Greg

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"Prioritization is a favorite management buzzword.  What it really means
is stuff that isn't going to get done."
                                -- C.J. Peters, MD
                                   Chief, Special Pathogens Branch, CDC.

More information about the Kerberos mailing list