Active Directory

Dmitri Pal dpal at redhat.com
Mon Dec 9 16:27:41 EST 2013


On 12/07/2013 12:24 AM, Scott Arciszewski wrote:
> Quick question,
>
> I'm developing some applications that use LDAP to authenticate users (it's
> a corporate environment). However, I do not have admin access to the server
> that hosts LDAP and thus cannot examine the hashes, so I've been doing some
> reading and talking with other devs about this... but I've reached a dead
> end.
>
> Here's what I know: AD used to use LM hashes; they migrated to Kerberos a
> while back. I cannot for the life of me find out if they still store hashes
> on the server, because Microsoft's documentation is equal parts
> labyrinthine and sparse.
>
> Questions:
> Does Kerberos mitigate the need to store hashes in a database, registry, or
> filesystem?
> If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
> or scrypt? (A quick glance at the GitHub page reveals that DES is still
> allowed, but deprecated.)
> How well do the Kerberos maintainers believe Microsoft implemented the
> protocol for Active Directory?
>
> Thanks for your time. If you don't have time to write out an answer but
> know of links to refer me to, I'd greatly appreciate the help!
>
> Scott
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

It looks like you are trying to use Kerberos with AD.
A more detailed use case would be better to understand your goal and
limitations.
AD uses Kerberos too, so it is not clear what exactly you are trying to
accomplish by using Kerberos with AD as an LDAP source.
There are solutions that allow you to have a Kerberos server to serve
your infrastructure while syncing data from AD or leveraging a trust
with AD.
Have you looked at freeIPA? 
http://www.freeipa.org/page/IPAv3_testing_AD_trust

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

