Patrick Brewer wrote:
So what are the downsides to using LDAP for authentication?
source: http://www.cites.uiuc.edu/roadmaps/authentication/whitepaper.html#ldap
LDAP authentication refers to using what's called a "bind operation" within the LDAP protocol. The password is passed from the user's client to the application that supports LDAP authentication, and then that application attempts to bind to an LDAP server as that user. If the bind succeeds, the password is verified. Note that even if the password is transmitted from the user's client to the application, and then transmitted from the application to the LDAP server, over encrypted channels, the password is still available to the application in cleartext between coming from the client and being passed on to the LDAP server. Thus LDAP authentication has the weakness that any application using that form of authentication has access to the cleartext password of any user attempting to access the application. A compromise of the application or the server upon which it runs could expose users’ passwords. LDAP authentication therefore presents an additional set of security challenges that have yet to be worked out. This provides a good argument for choosing either WebISO or Kerberos where feasible, with the WebISO approach in particular strongly preferred for web browser-based authentication.
-- 
Trying to figure out what to do with big heavy and retired Sun servers in the Raleigh area? Drop me a note.
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
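An added illustration, not from the whitepaper or the list post: the simple-bind PDU that an application sends to the LDAP server, encoded and decoded with a small RFC 4511 BER subset, to show that the DN and password sit inside the PDU as plain octet strings. TLS protects those bytes on the wire, but the application that built the PDU necessarily held the cleartext password, which is the whitepaper's point. The DN and password below are constructed sample values.

```python
"""Minimal LDAPv3 simple-bind PDU encoder/decoder (RFC 4511 BER subset)."""


def _ber_len(n: int) -> bytes:
    # Short form for lengths below 128, long form (0x81, 0x82, ...) above that.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    message_id is kept below 128 so it fits a one-byte INTEGER."""
    bind_request = _tlv(
        0x60,  # [APPLICATION 0] constructed = BindRequest
        _tlv(0x02, b"\x03")  # version 3
        + _tlv(0x04, dn.encode())  # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode()),  # AuthenticationChoice simple [0] OCTET STRING
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(pdu: bytes):
    """Return (dn, password) from a simple BindRequest PDU, else None.
    Anything holding the unencrypted PDU (the application, or a plain TCP
    capture) can do this, which is why the bind step exposes the password."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None  # not a BindRequest (e.g. an UnbindRequest or SearchRequest)
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None  # SASL bind: credentials are not a cleartext password field
    return dn.decode(), cred.decode(errors="replace")
```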
