Quoting Nicolas Williams <[EMAIL PROTECTED]>:

> On Sun, Jan 08, 2006 at 01:04:08PM +0100, Turbo Fredriksson wrote:
>> The LDAP server is nowhere NEAR as important. If they crack that,
>> all they'll get is ... what, nothing basically?
>
> Depends on who's relying on the LDAP server and for what.
>
> If important systems are using LDAP for user information like, say, UID,
> group memberships, and so on, well, then your LDAP server is practically
> as important as your KDC (losing a KDC would still be worse, primarily
> because re-keying an entire realm is painful).
Exactly, that was what I was assuming. _I_ use it with my mail system _as well_,
but not everyone/that many (?) use it that way. So _my_ LDAP server is 'almost'
more important than the KDC. I don't have that many users (<50), and I know them
in person, so recreating a KDC wouldn't be THAT much of a job for me. But
recreating the LDAP database with all its information would be 'almost impossible'.

But if the LDAP server is 'only' used for authorization (uid/gid/home etc.),
which is how most users use it when using Kerberos (?), then it's _just slightly_
less important than the KDC. In such a case, recreating the LDAP server can be
scripted, but recreating a KDC would be a SERIOUS pain.

So as I see it, LDAP and Kerberos (should) have the same weight regarding
security...

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
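One concrete way to act on the point both posters make (an LDAP server that hands out UID, GID and group membership to Kerberized hosts deserves KDC-grade protection, because whoever controls those attributes controls who a principal becomes on every host) is to watch that data for unauthorised changes. The following is an added example, not code from this thread or from any MIT Kerberos or OpenLDAP tool: it compares a known-good LDIF snapshot of the posixAccount/posixGroup subtree against a current dump and flags the changes that matter for authorization. The DNs, the privileged-group list and both LDIF dumps are constructed for the example; in practice the snapshot would come from something like `slapcat` or `ldapsearch -LLL`, taken after each authorised change.

```python
"""Detect tampering with authorization data served by an LDAP directory.

Added example (not from the thread). Assumes a known-good LDIF snapshot
of the posixAccount/posixGroup subtree is kept somewhere the LDAP server
cannot modify; both dumps below are constructed inline.
"""

# Attributes whose change alters what a Kerberos principal can do on a host.
SECURITY_ATTRS = ("uidnumber", "gidnumber", "homedirectory", "loginshell", "memberuid")

# Groups treated as privileged for this example (assumption; site-specific).
PRIVILEGED_GROUPS = {"wheel", "sudo", "adm", "root"}


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr_lowercase: [values]}}.

    Handles blank-line entry separators, comments and folded continuation
    lines (a line starting with one space continues the previous line).
    Base64 ("::") values are rejected; none of the attributes above need them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            raise ValueError("base64 values are not supported by this example")
        name, value = name.lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def diff_identity(baseline, current):
    """Return (dn, attr, old_values, new_values) for every security-relevant
    change between two parsed dumps. Added/removed entries use attr "<entry>".
    """
    findings = []
    for dn in sorted(set(baseline) | set(current)):
        if dn not in current:
            findings.append((dn, "<entry>", ["present"], []))
            continue
        if dn not in baseline:
            findings.append((dn, "<entry>", [], ["present"]))
            continue
        for attr in SECURITY_ATTRS:
            old = sorted(baseline[dn].get(attr, []))
            new = sorted(current[dn].get(attr, []))
            if old != new:
                findings.append((dn, attr, old, new))
    return findings


def classify(dn, attr, old, new):
    """Severity: uid 0 or new membership in a privileged group is critical."""
    added = set(new) - set(old)
    if attr == "uidnumber" and "0" in added:
        return "critical"
    if attr == "memberuid" and added:
        rdn_value = dn.split(",")[0].partition("=")[2].lower()
        if rdn_value in PRIVILEGED_GROUPS:
            return "critical"
    if attr in ("uidnumber", "gidnumber", "memberuid", "<entry>"):
        return "high"
    return "medium"


# Constructed sample data: the "current" dump gives bob uid 0 and adds him
# to wheel; alice's folded homeDirectory line is unchanged once unfolded.
BASELINE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bob
loginShell: /bin/bash

dn: cn=wheel,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: wheel
gidNumber: 10
memberUid: alice
"""

CURRENT_LDIF = BASELINE_LDIF.replace("uidNumber: 1002", "uidNumber: 0") \
    .replace("homeDirectory: /home/alice", "homeDirectory: /home/al\n ice") \
    .replace("memberUid: alice\n", "memberUid: alice\nmemberUid: bob\n")


def report(baseline_text=BASELINE_LDIF, current_text=CURRENT_LDIF):
    """Parse both dumps and return [(severity, dn, attr, old, new)]."""
    findings = diff_identity(parse_ldif(baseline_text), parse_ldif(current_text))
    return [(classify(*f), *f) for f in findings]


if __name__ == "__main__":
    for sev, dn, attr, old, new in report():
        print(f"[{sev.upper():8}] {dn}: {attr} {old} -> {new}")
```

Run against real dumps, this is the check a site relying on LDAP for posix data would schedule (or hang off an audit log), alongside whatever it already does to protect the KDC's database: a change in uidNumber or in membership of a privileged group has the same effect as a forged ticket on every host that trusts the directory.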