Firewall Wizards mailing list archives
RE: LDAP and Kerberos?
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 20 Sep 2004 09:59:39 -0400
-----Original Message-----

> We've been having a discussion here recently about priorities for deploying LDAP authentication across a few Linux boxen and associated web applications spread from coast to coast. One of the folks involved is a fan of Kerberos and feels that in addition to the already-agreed-upon LDAP over SSL that we should have Kerberos handle the authentication to give single sign-on capabilities. This sounds nice in theory, but I'm wary to slow down moving to LDAP authentication. The web apps don't support Kerberos so we know we're going to authenticate those across LDAP.
I'm not sure you've given enough information about your back end architecture to say for sure, but if it were mine to do, knowing that Kerberos wasn't going to work for everything I was attempting to authenticate, I'd probably leave it out. Here's why:

1. If you plan to use SSL certificate-based authentication as well as encryption, then you're getting one of the big advantages Kerberos has over LDAP - mutual client-server authentication.

2. Administrative overhead will likely be a killer. I see independently maintained LDAP containers and Kerberos zones, and therefore group memberships, in your future (or the future of the unlucky person forced to admin this setup). Maybe somebody on the list is aware of a slick package for Linux that integrates LDAP and Kerberos which would save the day, but otherwise I think you'd be doing a lot of extra work for maybe not so much security gain.
> Does anyone have any experiences with doing LDAP and Kerberos together?
Everybody who has deployed Microsoft Active Directory, only many of them don't know it. :)

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
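As an added illustration that is not part of Paul's message or the thread: an OpenLDAP client configuration (ldap.conf syntax) showing the weak TLS settings beside the ones that give the mutual client-server authentication his point 1 refers to. Hostname, base DN and file paths are assumed placeholders; note that OpenLDAP only honours TLS_CERT/TLS_KEY from a per-user ldaprc, not the system-wide ldap.conf.

```conf
# Added example, not from the thread. Placeholder host, DN and paths.

# --- Weak: the session is encrypted, but neither side is actually authenticated ---
# URI          ldaps://ldap.example.com
# TLS_REQCERT  never    # client accepts any server certificate, so a spoofed
#                       # directory can harvest every simple bind it receives

# --- Hardened: encryption plus mutual authentication ---
URI          ldaps://ldap.example.com
BASE         dc=example,dc=com
TLS_CACERT   /etc/openldap/cacerts/internal-ca.pem  # CA that signed the server cert
TLS_REQCERT  demand    # client refuses the session unless the server cert verifies

# Per-user ldaprc only: this host's client certificate and key, so the server
# can authenticate the client from its certificate (SASL EXTERNAL) instead of
# a password. That is the mutual client-server authentication in point 1.
TLS_CERT     /etc/openldap/certs/host.pem
TLS_KEY      /etc/openldap/certs/host.key
```

To check it, run `ldapwhoami -H ldaps://ldap.example.com -Y EXTERNAL` on a server configured to request client certificates: success returns a DN derived from the client certificate's subject with no password sent at all, while a server certificate that fails verification aborts the connection before any bind.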