PPTP / L2TP with Kerberos -- what specs does it follow?

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Nov 30 14:28:51 EST 2014


>Kerberos is not a complete identity solution. You would also need to
>expose the LDAP p[ao]rt which parcels out a few user attributes (name,
>email, something like an SID or UID/GID...) Otherwise you have to
>synchronize two pieces of an identity solution run by two different
>organizations/people.

That is NOT true.

I'm just talking about the Kerberos portion, of course, but Kerberos _clients_
do not need access to LDAP.  Depending on what you're doing on the application
server side, yes, I can see that.  But I know plenty of people (including
us) who have their KDCs Internet-accessible without exposing their LDAP
servers to the Internet.

The specific implementation of Active Directory may require LDAP (or
other protocol) access for Windows clients, but it is important to note
that this is NOT a requirement for the Kerberos protocol in general.

--Ken


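A small check for the deployment posture Ken describes (KDC reachable from the Internet, directory ports not). This is an added example, not code from the original message or the Kerberos project; the hostnames are placeholders and the probe does plain TCP connects, so it assumes the host under test answers on TCP (Kerberos also uses 88/udp, which this does not cover). Port numbers are the IANA assignments for Kerberos (88), kpasswd (464), LDAP (389/636) and the Active Directory Global Catalog (3268/3269).

```python
"""Verify that a Kerberos realm's Internet-facing footprint is KDC-only.

Added example (not part of the original mailing-list post). It probes the
ports a plain Kerberos client needs and the LDAP / Global Catalog ports
that should stay closed, and reports whether the host matches the
"KDC exposed, LDAP not" posture.  The hostnames used here are placeholders.
"""
import socket
import sys
from typing import Callable, Dict, List

# Ports a plain Kerberos client talks to (IANA assignments).
KERBEROS_PORTS = {88: "kerberos (KDC)", 464: "kpasswd"}

# Directory ports that Kerberos clients do not need and that an
# Internet-facing KDC deployment should not expose.
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "msft-gc", 3269: "msft-gc-ssl"}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(host: str,
                    probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, object]:
    """Probe the Kerberos and LDAP ports on `host` and classify the result.

    `probe` is injectable so the logic can be exercised without a network
    (the default does a real TCP connect).  The verdict `kdc_only` is True
    when the KDC port answers and none of the directory ports do.
    """
    kdc = {p: probe(host, p) for p in KERBEROS_PORTS}
    ldap = {p: probe(host, p) for p in LDAP_PORTS}

    findings: List[str] = []
    if not kdc[88]:
        findings.append("88/tcp (KDC) not reachable: clients cannot obtain tickets")
    for port, is_open in ldap.items():
        if is_open:
            findings.append(f"{port}/tcp ({LDAP_PORTS[port]}) exposed: "
                            "not required by the Kerberos protocol")

    return {
        "host": host,
        "kdc_only": kdc[88] and not any(ldap.values()),
        "kerberos_ports_open": sorted(p for p, o in kdc.items() if o),
        "ldap_ports_open": sorted(p for p, o in ldap.items() if o),
        "findings": findings,
    }


if __name__ == "__main__":
    # Placeholder hostname; pass a real KDC as the first argument to probe it.
    target = sys.argv[1] if len(sys.argv) > 1 else "kdc.example.test"
    result = assess_exposure(target)
    print(f"{result['host']}: KDC-only exposure = {result['kdc_only']}")
    for line in result["findings"]:
        print("  -", line)
```

Run it from outside the perimeter (`python3 kdc_exposure.py kdc.example.org`); a host where 88/tcp answers and 389, 636, 3268 and 3269 are all refused is the split Ken describes. An Active Directory domain controller that also serves Windows clients will typically show the LDAP/GC ports open, which is the implementation-specific case he distinguishes from the protocol's own requirements.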