> Thanks for the reply. The point you mention above though is not a very
> good one - by choosing Kerberos itself, one is exposing oneself to a
> single point of security failure - the KDC. So if one has already
> accepted that risk, then the directory is not an increased exposure -
> particularly if one goes the DCE integrated login server route where
> there is no centralized single point of failure (unlike LDAP).
There are two issues here and I think you may be confusing them.

The first is the issue of availability: it makes sense to make both the authorization and authentication services highly available. Both the KDC and LDAP service may be replicated, and some algorithm used by the client in order to select a replica. Indeed, one advantage of an integrated KDC and LDAP server is that directory servers often have optimised replication protocols, and thus one gets replication of Kerberos principal data "for free".

The second is the concern oft expressed on this mailing list that a directory server is more likely to be compromised than a KDC, because it is storing general purpose directory information. As such, the argument goes, the exposure risk is greater if Kerberos keys are stored in the directory. I would posit that it's actually more secure to have a single repository for such information and to take whatever steps necessary to secure it, as administration becomes more or less atomic. Indeed, given the current tendency towards storing cleartext passwords in directories in order to support digest SASL mechanisms, I'd prefer a good string2key algorithm any day :-)

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
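As an added illustration of the string2key point above (example code, not from the thread or from PADL's software): the PBKDF2 stage of the RFC 3962 AES string-to-key function, with the Kerberos convention of salting with realm plus principal name, and a toy directory that stores only the derived key. The final AES-based DK step of RFC 3962 is left out because the Python standard library has no AES; the realm, principal and password values used in the check function are constructed for the example.

```python
import hashlib
import hmac


def kerberos_salt(realm: str, principal: str) -> bytes:
    """Default Kerberos 5 salt: the realm name followed by the principal
    name components concatenated, e.g. "ATHENA.MIT.EDU" + "raeburn"."""
    return (realm + principal).encode("utf-8")


def string2key_pbkdf2(password: str, realm: str, principal: str,
                      iterations: int = 4096, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function.
    RFC 3962's default iteration count is 4096.  The final
    DK(tkey, "kerberos") AES step is omitted here (no AES in the
    standard library); this stage already shows what matters for the
    thread: the directory holds a salted derived key, not the password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               kerberos_salt(realm, principal),
                               iterations, key_len)


def store_principal(directory: dict, realm: str, principal: str,
                    password: str, iterations: int = 4096) -> None:
    """Record what a key-holding directory entry needs: the derived key
    and the parameters to recompute it.  The cleartext password, which a
    DIGEST-MD5-style SASL deployment would have to keep, is never stored."""
    directory[f"{principal}@{realm}"] = {
        "iterations": iterations,
        "key": string2key_pbkdf2(password, realm, principal, iterations),
    }


def check_password(directory: dict, realm: str, principal: str,
                   password: str) -> bool:
    """Re-derive the key from the offered password and compare in
    constant time against the stored key."""
    entry = directory.get(f"{principal}@{realm}")
    if entry is None:
        return False
    candidate = string2key_pbkdf2(password, realm, principal,
                                  entry["iterations"])
    return hmac.compare_digest(candidate, entry["key"])
```

The same password under two realms (or two principal names) yields different keys, so a leaked entry from one realm is not directly reusable in another.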
