Date: Wed, 21 May 2003 18:56:08 -0400
From: Brian Davidson <bdavids1@gmu.edu>
In-reply-to: <7180000.1053549753@oberon.linfield.edu>
To: kerberos@mit.edu
Message-id: <68FF4E80-8BDF-11D7-95C9-000393CCB774@gmu.edu>

I would suggest looking to do the opposite of what you're talking about. Kerberos was designed to be a very secure authentication system, while LDAP was not designed to be an authentication system (which is not to say that it won't work, but that wasn't the driving motivation behind it).

Depending on the LDAP server, you can probably set it up to authenticate against a Kerberos realm. Some applications only use "LDAP Authentication", and won't do Kerberos, so you are then able to still use them (if they don't authenticate over SSL, I would recommend picking a different app though, as plain text passwords over the network suck).

On UNIX systems, you can use nsswitch to use LDAP for authorization and Kerberos for authentication (I'm assuming you're familiar with the difference between authentication and authorization).

Even Microsoft supports authenticating against a non-Microsoft realm (although to get real functionality you still need a mostly empty Microsoft KDC that trusts your real realm).

Brian Davidson
George Mason University

On Wednesday, May 21, 2003, at 04:42 PM, Rob Tanner wrote:

> Hi,
>
> I'm an absolute newbie to kerberos trying to see how to fit it into our
> network and existing authentication schemes. Currently, LDAP represents
> the backend store for all passwords and users are authenticated against
> the LDAP server.
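
The split suggested in the message above (LDAP through nsswitch for account data, Kerberos through PAM for the password check) can be audited on a host with a short script. This is an added example, not part of the original post: the file contents are constructed samples, and the NSS source name `ldap` and the module names `pam_krb5.so` and `pam_ldap.so` are assumptions about the host's packages.

```shell
#!/bin/sh
# Added example with constructed sample files (not from the original post).
# Assumes the NSS source is named "ldap" and the PAM module is pam_krb5.so.

# Print the sources configured for database $2 in nsswitch file $1.
nss_sources() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; print }'
}

# Print the modules on "auth" lines of PAM file $1 as one space-separated line
# (simple "type control module" lines only, no [bracketed] controls).
pam_auth_modules() {
    sed 's/#.*//' "$1" | awk '$1 == "auth" { print $3 }' | tr '\n' ' '
}

# Return 0 when LDAP only answers identity lookups (authorization data) and
# pam_krb5 is the module that verifies passwords (authentication).
check_split() {
    case " $(nss_sources "$1" passwd) " in
        *" ldap "*) ;;
        *) echo "passwd: LDAP is not an identity source"; return 1 ;;
    esac
    case " $(nss_sources "$1" shadow) " in
        *" ldap "*) echo "shadow: password hashes are read from LDAP"; return 1 ;;
    esac
    mods=" $(pam_auth_modules "$2") "
    case "$mods" in
        *" pam_ldap.so "*) echo "auth: passwords are sent to LDAP"; return 1 ;;
    esac
    case "$mods" in
        *" pam_krb5.so "*) return 0 ;;
        *) echo "auth: no Kerberos module"; return 1 ;;
    esac
}

# Write constructed sample configs into directory $1.
make_samples() {
    printf '%s\n' 'passwd: files ldap' 'group:  files ldap' 'shadow: files' \
        > "$1/nsswitch.conf"
    printf '%s\n' 'auth sufficient pam_unix.so' \
        'auth required pam_krb5.so use_first_pass' > "$1/pam.good"
    printf '%s\n' 'auth sufficient pam_ldap.so' 'auth required pam_unix.so' \
        > "$1/pam.ldap"
}

d=$(mktemp -d) && make_samples "$d"
check_split "$d/nsswitch.conf" "$d/pam.good" && echo "pam.good: split OK"
check_split "$d/nsswitch.conf" "$d/pam.ldap" || echo "pam.ldap: rejected"
rm -rf "$d"
```

On a real host the two arguments would be `/etc/nsswitch.conf` and the relevant file under `/etc/pam.d/`.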