Firewall Wizards mailing list archives

RE: LDAP and Kerberos?


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 20 Sep 2004 09:59:39 -0400

-----Original Message-----
We've been having a discussion here recently about priorities for deploying LDAP authentication across a few Linux boxen and associated web applications spread from coast to coast.  One of the folks involved is a fan of Kerberos and feels that in addition to the already-agreed-upon LDAP over SSL that we should have Kerberos handle the authentication to give single sign-on capabilities.  This sounds nice in theory, but I'm wary of slowing down moving to LDAP authentication.  The web apps don't support Kerberos so we know we're going to authenticate those across LDAP.

I'm not sure you've given enough information about your back end
architecture to say for sure, but if it were mine to do, knowing that
Kerberos wasn't going to work for everything I was attempting to
authenticate, I'd probably leave it out.  Here's why:

1. If you plan to use SSL certificate-based authentication as well as
encryption, then you're getting one of the big advantages Kerberos has
over LDAP - mutual client-server authentication.  

2. Administrative overhead will likely be a killer.  I see independently
maintained LDAP containers and Kerberos zones, and therefore group
memberships, in your future (or the future of the unlucky person forced
to admin this setup).  

Maybe somebody on the list is aware of a slick package for Linux that
integrates LDAP and Kerberos which would save the day, but otherwise I
think you'd be doing a lot of extra work for maybe not so much security
gain.


Does anyone have any experiences with doing LDAP and Kerberos together?

Everybody who has deployed Microsoft Active Directory, only many of them
don't know it. :)

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
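The mutual-authentication point in item 1 above only holds if both ends actually verify certificates: a client that encrypts to the LDAP server without checking its certificate, or a server that never asks for a client certificate, is back to one-way authentication. The following is an added example, not from the post or from any product named in it, showing the weak and the corrected client settings in OpenLDAP's ldap.conf and the matching server-side slapd.conf directives. The hostname and file paths are assumptions.

```conf
# --- Client: /etc/openldap/ldap.conf (hostname and paths are assumptions) ---

# WEAK: the session is encrypted, but the client never checks who the server
# is, so a spoofed LDAP server can collect bind credentials. No mutual auth.
#URI         ldaps://ldap.example.com
#TLS_REQCERT never

# CORRECTED: verify the server certificate against a trusted CA, and present
# a client certificate so the server can authenticate the client in turn.
URI          ldaps://ldap.example.com
TLS_CACERT   /etc/openldap/cacerts/ca.pem
TLS_REQCERT  demand
TLS_CERT     /etc/openldap/certs/client.pem
TLS_KEY      /etc/openldap/certs/client.key

# --- Server: slapd.conf ---
TLSCACertificateFile  /etc/openldap/cacerts/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.key
# 'demand' rejects any client that does not present a certificate chaining to
# ca.pem; the default 'never' makes the handshake one-way again.
TLSVerifyClient       demand
```

With TLS_REQCERT set to demand, a bind against a server whose certificate does not chain to ca.pem fails outright rather than proceeding silently, which is the check worth running after the rollout. If the bind identity should come from the client certificate itself rather than a password, OpenLDAP's SASL EXTERNAL mechanism can map the certificate subject to a DN, which is the closest LDAP-only equivalent of the ticket-based identity Kerberos provides.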