[31933] in Kerberos
Re: Kerberos & LDAP
daemon@ATHENA.MIT.EDU (Jaap Winius)
Mon Jan 18 14:59:21 2010
From: Jaap Winius <jwinius@umrk.nl>
MIME-Version: 1.0
Date: 17 Jan 2010 03:53:28 GMT
Message-ID: <4b5289b8$0$6931$e4fe514c@dreader25.news.xs4all.nl>
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Sat, 16 Jan 2010 08:56:22 -0500, Jason Edgecombe wrote:
> Prasad (普拉萨德) wrote:
>> I am ok that we normally use the Kerberos to keep the password and LDAP
>> is just for authorization. But then if my DNS goes down, then no one
>> can login to the system because Kerberos is highly dependent on the DNS
>> and NTP. That's why I am thinking of having the username and password in
>> LDAP too. ...
Although I believe it's possible to configure PAM on client systems to authenticate to Kerberos first and LDAP second, it would be a useless configuration.
That's because the only reason to add Kerberos support to LDAP is to make the authentication more secure, as well as to add encryption. However, if you also want to use LDAP authentication as a backup, then anyone attacking your system will simply ignore your Kerberos stuff and go straight to cracking your weaker LDAP security.
If you're so worried about your Kerberos or DNS service availability, nothing is keeping you from installing Kerberos and DNS services, as well as OpenLDAP, on each of your physical servers. Furthermore, so much depends on DNS that without it you're basically dead in the water anyway. The only sensible solution is just to make sure you always have redundancy for all of your critical services.
>> ... And for that I am looking for something so that I can sync
>> OpenLDAP and Kerberos username and password.
I seriously doubt that this exists, since it would be a pointless exercise to set up a really secure system to store all of your passwords in (Kerberos), only to compromise that by replicating them regularly to a system that is much less secure.
> If you use IP addresses in your kerberos and NTP files, then you're less
> dependent on DNS.
Another exercise in futility, because if they all use IP addresses instead of DNS names and the DNS service goes down, the servers might still be able to find each other, but what about all the clients? Or, are you suggesting that it's also better to go through the trouble of configuring all of your clients with fixed IP addresses instead of DNS names, just to avoid being dependent on DNS? Unless your system is very small, the whole reason we use stuff like DNS and DHCP is because it makes client configuration and maintenance so much easier. Yes, that can create single points of failure, but that's why we always maintain redundant systems. Yes, redundant systems mean more cost and complexity, but otherwise we have more trouble sleeping at night.
Cheers,
Jaap
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
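For reference, this is what the "IP addresses in your kerberos files" approach that Jason suggests and Jaap objects to looks like in practice. It is an added illustration by the editor, not part of the original thread; the realm name EXAMPLE.COM and the addresses 192.0.2.10 / 192.0.2.11 are made up. It turns off DNS-based KDC discovery (the SRV lookups that dns_lookup_kdc controls) and lists the KDCs statically:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    ; Do not look up _kerberos._udp.EXAMPLE.COM SRV records; use the
    ; static kdc list below. This is the setting that removes DNS from
    ; KDC discovery on this host.
    dns_lookup_kdc = false
    ; Do not use DNS TXT records to map hostnames to realms either;
    ; the [domain_realm] section below is used instead.
    dns_lookup_realm = false
    ; Do not reverse-resolve a server's address to build its service
    ; principal name; use the name the client was given as-is.
    rdns = false

[realms]
    ; Made-up addresses for this example. Two KDCs give the redundancy
    ; Jaap insists on; 88 is the KDC port, 749 the kadmin port.
    EXAMPLE.COM = {
        kdc = 192.0.2.10:88
        kdc = 192.0.2.11:88
        admin_server = 192.0.2.10:749
    }

[domain_realm]
    ; Static hostname-to-realm mapping, replacing the DNS TXT lookup.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Note what this does and does not buy you, which is the substance of Jaap's objection. It only removes DNS from finding the KDC. Service principals are still named after hostnames (for example host/fileserver.example.com@EXAMPLE.COM), so a client that wants to reach fileserver.example.com still has to resolve that name, and every client in the realm needs this file distributed to it and kept current whenever a KDC address changes. Running a redundant pair of DNS servers achieves the same availability without that maintenance burden.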