Kerberos & LDAP
Jaap Winius
jwinius at umrk.nl
Sat Jan 16 22:53:28 EST 2010
On Sat, 16 Jan 2010 08:56:22 -0500, Jason Edgecombe wrote:
> Prasad (普拉萨德) wrote:
>> I am ok that we normally use the Kerberos to keep the password and LDAP
>> is just for authorization. But then if my DNS Goes down, then no one
>> can login to the system because Kerberos is highly dependent on the DNS
>> and NTP. That's why I am thinking of having the username and password in
>> LDAP too. ...
Although I believe it's possible to configure PAM on client systems to
authenticate to Kerberos first and LDAP second, it would be a useless
configuration.
That's because the only reason to add Kerberos support to LDAP is to make
the authentication more secure, as well as to add encryption. However, if
you also want to use LDAP authentication as a backup, then anyone
attacking your system will simply ignore your Kerberos stuff and go
straight to cracking your weaker LDAP security.
If you're so worried about your Kerberos or DNS service availability,
nothing is keeping you from installing Kerberos and DNS services, as well
as OpenLDAP, on each of your physical servers. Furthermore, so much
depends on DNS that without it you're basically dead in the water anyway.
The only sensible solution is just to make sure you always have
redundancy for all of your critical services.
>> ... And for that I am looking something so that I can sync
>> OpenLDAP and Kerberos username and password.
I seriously doubt that this exists, since it would be a pointless
exercise to set up a really secure system to store all of your passwords
in (Kerberos), only to compromise that by replicating them regularly to a
system that is much less secure.
> If you use IP addresses in your kerberos and NTP files, then you're less
> dependent on DNS.
Another exercise in futility, because if they all use IP addresses
instead of DNS names and the DNS service goes down, the servers might
still be able to find each other, but what about all the clients? Or, are
you suggesting that it's also better to go through the trouble of
configuring all of your clients with fixed IP addresses instead of DNS
names, just to avoid being dependent on DNS? Unless your system is very
small, the whole reason we use stuff like DNS and DHCP is because it
makes client configuration and maintenance so much easier. Yes, that can
create single points of failure, but that's why we always maintain
redundant systems. Yes, redundant systems mean more cost and complexity,
but otherwise we have more trouble sleeping at night.
Cheers,
Jaap
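As an added illustration, not part of the original thread: the PAM stack Jaap calls useless (Kerberos first, LDAP simple bind as fallback) beside a Kerberos-only stack, followed by the kind of krb5.conf settings Jason's reply refers to. The realm name, file paths and addresses are constructed placeholders, and the module names assume the pam_krb5 and pam_ldap modules common at the time.

```conf
# --- /etc/pam.d/common-auth, variant A (constructed example) ---
# Kerberos first, LDAP second. Both modules are "sufficient", so the
# same password is accepted by either path. An attacker can skip
# Kerberos entirely and work against the weaker LDAP bind path, which
# is the point Jaap makes above: the fallback sets the security level.
auth    sufficient  pam_krb5.so
auth    sufficient  pam_ldap.so  use_first_pass
auth    required    pam_deny.so

# --- /etc/pam.d/common-auth, variant B (constructed example) ---
# Kerberos only. LDAP remains in use for authorization (account and
# group data via NSS) but never verifies a password, so there is no
# second, weaker password store to replicate to or attack.
auth    sufficient  pam_krb5.so
auth    required    pam_deny.so

# --- /etc/krb5.conf (constructed example) ---
# Explicit KDC addresses so the client library does not need DNS SRV
# records to locate a KDC. Note the limit of this approach: service
# principals are still host-name based, so clients still need name
# resolution for the servers they talk to, which is why redundant DNS
# is the real fix rather than hard-coding addresses everywhere.
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.ORG = {
        kdc = 192.0.2.10
        kdc = 192.0.2.11
        admin_server = 192.0.2.10
    }
```

Listing two KDCs under the realm gives the client a second server to try if the first is unreachable, which is the redundancy the thread recommends.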