On 28 Jan 2004 07:32:46 -0800 [EMAIL PROTECTED] wrote:
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?

I think other responses are missing the bigger picture. You are almost certainly (I'd bet on it) not using Kerberos authentication as $DEITY intended, i.e. obtaining a TGT on your local (trusted) host then using that to get service tickets for applications. If you were, replacing it with LDAP would be out of the question, as you'd lose SSO.

If that's the case, you're better off using LDAP. You need LDAP anyway, you said you have an established LDAP infrastructure, and it's harder to do krb5 authentication correctly than LDAP. Of course, there's work involved in setting up LDAP well, but if you are using LDAP at all, you have to do that anyway. Better to only maintain less infrastructure.

Ideally, you'd use real Kerberos authentication for your applications and just use LDAP for authorization. That's a far superior method; see the Kerberos FAQ.

And SASL/GSSAPI has no bearing; if you're using GSSAPI you're using krb5 (for authentication).

/fc
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
