Firewall Wizards mailing list archives

RE: LDAP and Kerberos?


From: Christopher Hicks <chicks () chicks net>
Date: Mon, 20 Sep 2004 10:09:22 -0400 (EDT)

On Mon, 20 Sep 2004, Melson, Paul wrote:
> I'm not sure you've given enough information about your back end
> architecture to say for sure,

I'm not sure what else to say about the architecture. I'll be happy to answer any questions though.

> but if it were mine to do, knowing that Kerberos wasn't going to work for everything I was attempting to authenticate, I'd probably leave it out. Here's why:

That's the way I'm leaning now.

> 1. If you plan to use SSL certificate-based authentication as well as encryption, then you're getting one of the big advantages Kerberos has over LDAP - mutual client-server authentication.

How does Kerberos do it mutually? And even if it does do it mutually, if the server is compromised, what does that authentication really do for you? Or is it for some other reason?

> 2. Administrative overhead will likely be a killer. I see independently maintained LDAP containers and Kerberos zones, and therefore group memberships, in your future (or the future of the unlucky person forced to admin this setup).

I'm going to be stuck administering this, and I'm reasonably adept at Perl, so I could easily throw together some tools to mitigate the administrative overhead, but if there's nothing I'm getting for the trouble I'd obviously rather skip it.

> Maybe somebody on the list is aware of a slick package for Linux that integrates LDAP and Kerberos which would save the day, but otherwise I think you'd be doing a lot of extra work for maybe not so much security gain.

That's what I was thinking, but with a Kerberos fan involved in the project I thought I should check out some other perspectives.

>> Does anyone have any experiences with doing LDAP and Kerberos
>> together?
>
> Everybody who has deployed Microsoft Active Directory, only many of them don't know it. :)

Help from NT admins.  [shiver]  ;)

--
</chris>

There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
   -- C.A.R. Hoare
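The mechanism behind point 1 above and the question it drew, how Kerberos authenticates the server back to the client, is the AP exchange of RFC 4120 section 3.2: the KDC seals a fresh session key inside a ticket encrypted under the service's long-term key, and only a service holding that key can extract the session key and return the client's own timestamp encrypted under it in the AP-REP. The following is an added example and not code from this thread or from any Kerberos implementation. The cipher is an HMAC-SHA256 stream-plus-MAC stand-in for a Kerberos enctype, the AS and TGS exchanges are collapsed into a single KDC call, and the realm EXAMPLE.COM, the principal names and all key material are constructed for the demonstration.

```python
"""Toy model of the Kerberos AP exchange (RFC 4120 section 3.2), added for
illustration: the cipher is an HMAC-SHA256 stream-plus-MAC stand-in for a
Kerberos enctype, and AS/TGS are collapsed into one KDC call."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300          # seconds; Kerberos' conventional 5-minute window
REALM = "EXAMPLE.COM"   # constructed realm for the example

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Toy keystream: HMAC(enc_subkey, nonce || counter) blocks.
    ek, out, ctr = _subkey(key, b"enc"), b"", 0
    while len(out) < n:
        out += hmac.new(ek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object: nonce || ct || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_tgs_exchange(keys, cname, sname, now):
    """KDC: mint a session key, seal it in a ticket for the service and a reply for the client."""
    sk = os.urandom(32)
    ticket = encrypt(keys[sname], {"cname": cname, "key": sk.hex(), "endtime": now + 8 * 3600})
    reply = encrypt(keys[cname], {"key": sk.hex(), "sname": sname})   # real Kerberos: under the TGT key
    return ticket, reply

def client_ap_req(client_key, cname, ticket, tgs_reply, now):
    """Client: recover sk, build AP-REQ = ticket + authenticator, asking MUTUAL-REQUIRED."""
    sk = bytes.fromhex(decrypt(client_key, tgs_reply)["key"])
    ctime = int(now)
    authenticator = encrypt(sk, {"cname": cname, "ctime": ctime, "cusec": 0})
    return sk, ctime, {"ticket": ticket, "authenticator": authenticator, "mutual_required": True}

def service_accept(service_key, ap_req, now):
    """Service: validate the AP-REQ; return (authenticated client name, AP-REP)."""
    ticket = decrypt(service_key, ap_req["ticket"])       # impossible without service_key
    if ticket["endtime"] < now:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(ticket["key"])
    auth = decrypt(sk, ap_req["authenticator"])           # proves the client holds sk
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket principal")
    if abs(auth["ctime"] - now) > MAX_SKEW:
        raise ValueError("clock skew too large")
    # AP-REP echoes the client's own timestamp under sk.  Only a holder of
    # service_key could have opened the ticket to learn sk, so this is the
    # server's proof of identity back to the client.
    ap_rep = encrypt(sk, {"ctime": auth["ctime"], "cusec": auth["cusec"]}) if ap_req["mutual_required"] else None
    return ticket["cname"], ap_rep

def client_verify_ap_rep(sk, ctime, ap_rep):
    """Client's half of mutual auth: AP-REP must decrypt under sk and echo ctime."""
    rep = decrypt(sk, ap_rep)
    if rep["ctime"] != ctime:
        raise ValueError("AP-REP does not echo our timestamp")
    return True

def run_exchange(now=None, impostor=False, service_clock_offset=0):
    """Drive one full exchange and report what each side concluded."""
    now = time.time() if now is None else now
    cname, sname = f"alice@{REALM}", f"ldap/dir.example.com@{REALM}"
    keys = {cname: os.urandom(32), sname: os.urandom(32)}       # constructed long-term keys
    ticket, reply = kdc_tgs_exchange(keys, cname, sname, now)
    sk, ctime, ap_req = client_ap_req(keys[cname], cname, ticket, reply, now)
    result = {"client_seen_by_service": None, "server_authenticated": False, "error": None}
    try:
        if impostor:
            # An impostor without service_key cannot open the ticket, never learns
            # sk, and can only answer the AP-REQ with junk.
            seen, ap_rep = None, os.urandom(80)
        else:
            seen, ap_rep = service_accept(keys[sname], ap_req, now + service_clock_offset)
        result["client_seen_by_service"] = seen
        result["server_authenticated"] = client_verify_ap_rep(sk, ctime, ap_rep)
    except ValueError as exc:
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    for kwargs in ({}, {"impostor": True}, {"service_clock_offset": 900}):
        print(kwargs, run_exchange(**kwargs))
```

Two things are worth noticing in the run. First, what the AP-REP proves: the client learns that its peer was able to open the ticket, i.e. holds the long-term key the KDC keeps for ldap/dir.example.com, which is what stops an impostor or a man in the middle from standing in for the directory. It proves nothing about whether that legitimately keyed host has itself been compromised; a compromised server still has its key and still passes. Second, the skew check: a service whose clock is 900 seconds off rejects a valid authenticator, which is why Kerberos deployments depend on NTP.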

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

