Harry, others,

The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner. This is one of the many requirements for application security to which Kerberos is ideally suited.

I think we need to compare the LDAP directory and Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user. I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?

LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.

Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built-in prevention from network replay attacks and protection against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- a protocol that allows support for userid/password, token card, smart card authentication and other forms of user authentication - LDAP is only suited to userid/password
- works well in a client/server and multi-tier environment, especially when using credential delegation or impersonation
- can be used to set up a security context between application components on the network - LDAP cannot be used for this.
- provides mutual authentication, integrity, confidentiality services - LDAP does not do any of these
- makes single sign-on easy, especially since Microsoft Active Directory does the Kerberos authentication when a user logs onto a MS network
- works well in a heterogeneous environment
- supported and utilised by a growing number of application vendors and standards
- a strategic protocol in many ways because of having many uses - it can even be used very effectively to allow an unattended application to authenticate itself to another application (e.g. ftp -> ftpd).

Thanks,
Tim.

-----Original Message-----
From: Harry Le [mailto:[EMAIL PROTECTED]
Sent: 28 January 2004 19:30
To: [EMAIL PROTECTED]
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?

Not entirely true. Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos V5 credentials to authenticate users against LDAP directories. This will not require users to change passwords. For data privacy, use SSL.

Joseph

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure. All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network. Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to be validated against the copies stored in LDAP. To me this approach is unacceptable.

[EMAIL PROTECTED] wrote:
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything on
> our network. Some people here are advocating switching to using LDAP
> for authentication (we already have a pretty well developed LDAP
> infrastructure). This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.
>
> Anyone have any pointers to information about the relative merits of
> using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
>
> Any info is, of course, greatly appreciated.
>
> - C
>
> --
> Email: [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
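Two of the items in Tim's list, credentials with a lifetime and built-in replay prevention, come down to checks a Kerberized service makes when it receives a ticket plus authenticator, and none of those checks ever involve the user's password. The following is an added illustrative model written for this thread, not MIT Kerberos code: tickets and authenticators are plain dicts, an HMAC under the session key stands in for the real encryption, and decryption of the ticket under the service's long-term key is assumed to have already happened.

```python
import hashlib
import hmac

MAX_CLOCK_SKEW = 300  # seconds; the usual Kerberos default for authenticator freshness


def _tag(session_key: bytes, client: str, timestamp: int) -> str:
    """Stand-in for encrypting the authenticator under the session key (toy model)."""
    msg = f"{client}|{timestamp}".encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, client: str, now: int) -> dict:
    """Client side: prove possession of the session key by binding name + time to it.
    No password crosses the wire; the session key was issued by the KDC inside the ticket."""
    return {"client": client, "timestamp": now, "mac": _tag(session_key, client, now)}


class Service:
    """Server side of an AP_REQ: lifetime, freshness and replay checks (toy model).
    Assumes the ticket dict has already been decrypted/validated under the service key."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.replay_cache = set()  # authenticators already accepted once

    def accept(self, ticket: dict, auth: dict, now: int) -> str:
        # 1. Credentials carry a lifetime: reject anything outside [starttime, endtime].
        if not ticket["starttime"] <= now <= ticket["endtime"]:
            return "ticket expired"
        # 2. The authenticator must name the ticket's client and be keyed with its session key.
        if auth["client"] != ticket["client"]:
            return "client mismatch"
        expected = _tag(self.session_key, auth["client"], auth["timestamp"])
        if not hmac.compare_digest(auth["mac"], expected):
            return "bad authenticator"
        # 3. Freshness: the client's timestamp must lie within the allowed clock skew.
        if abs(now - auth["timestamp"]) > MAX_CLOCK_SKEW:
            return "clock skew"
        # 4. Replay cache: a given authenticator is honoured exactly once.
        key = (auth["client"], auth["timestamp"], auth["mac"])
        if key in self.replay_cache:
            return "replay"
        self.replay_cache.add(key)
        return "ok"
```

A real replay cache is pruned of entries older than the skew window, since anything older is rejected by the freshness check anyway.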