RE: [fw-wiz] LDAP and Kerberos?

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 09/20/04

  • Next message: Christopher Hicks: "RE: [fw-wiz] LDAP and Kerberos?"
    To: "Christopher Hicks" <chicks@chicks.net>, "Firewall Wizards Mailing List" <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 20 Sep 2004 09:59:39 -0400
    
    

    > -----Original Message-----
    > We've been having a discussion here recently about priorities for
    > deploying LDAP authentication across a few Linux boxen and associated
    > web applications spread from coast to coast. One of the folks involved
    > is a fan of Kerberos and feels that in addition to the already-agreed-upon
    > LDAP over SSL we should have Kerberos handle the authentication to give
    > single sign-on capabilities. This sounds nice in theory, but I'm wary of
    > slowing down the move to LDAP authentication. The web apps don't support
    > Kerberos, so we know we're going to authenticate those across LDAP.

    I'm not sure you've given enough information about your back end
    architecture to say for sure, but if it were mine to do, knowing that
    Kerberos wasn't going to work for everything I was attempting to
    authenticate, I'd probably leave it out. Here's why:

    1. If you plan to use SSL certificate-based authentication as well as
    encryption, then you're getting one of the big advantages Kerberos has
    over LDAP - mutual client-server authentication.

    2. Administrative overhead will likely be a killer. I see independently
    maintained LDAP containers and Kerberos zones, and therefore group
    memberships, in your future (or the future of the unlucky person forced
    to admin this setup).

    Maybe somebody on the list is aware of a slick package for Linux that
    integrates LDAP and Kerberos which would save the day, but otherwise I
    think you'd be doing a lot of extra work for maybe not so much security
    gain.

    > Does anyone have any experiences with doing LDAP and Kerberos
    > together?

    Everybody who has deployed Microsoft Active Directory; many of them just
    don't know it. :)

    PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
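Point 1 of the reply above rests on the LDAP-over-SSL deployment actually being mutual: the client must verify the server's certificate, and the server must demand and verify a client certificate, or the "mutual authentication" advantage is not there. The configuration below is an added example, not part of the original post or of any deployment discussed in it. It uses OpenLDAP slapd.conf and client ldap.conf directives; the hostnames, file paths, and the "ou=people,dc=example,dc=com" naming are assumptions for illustration.

```conf
# ---- Server side: slapd.conf (added example, not from the original post) ----
TLSCACertificateFile    /etc/ldap/ssl/ca.crt
TLSCertificateFile      /etc/ldap/ssl/ldap.example.com.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap.example.com.key

# Weak setting (the default): the server never asks the client for a
# certificate, so only the client authenticates the server.
#TLSVerifyClient        never
# Corrected: the server requires and verifies a client certificate, which is
# what makes the TLS session mutually authenticated.
TLSVerifyClient         demand

# Map the subject DN of a verified client certificate (presented through
# SASL EXTERNAL) to the user's directory entry. Assumes certificates are
# issued with subjects of the form cn=<uid>,ou=people,dc=example,dc=com.
authz-regexp
  "^cn=([^,]+),ou=people,dc=example,dc=com$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# Refuse anonymous binds and binds without at least 128-bit TLS protection,
# so the certificate requirement cannot be sidestepped with a cleartext bind.
disallow bind_anon
security ssf=128 simple_bind=128

# ---- Client side: /etc/ldap/ldap.conf (added example) ----
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/ldap/ssl/ca.crt
# Weak setting: encrypts the session but accepts any server certificate,
# including one presented by an impostor.
#TLS_REQCERT never
# Corrected: the client refuses to proceed unless the server certificate
# validates against the CA above.
TLS_REQCERT demand
# Client certificate and key used to authenticate this host to the server.
TLS_CERT    /etc/ldap/ssl/host.crt
TLS_KEY     /etc/ldap/ssl/host.key

# ---- Check (run from the client host) ----
# -ZZ makes the command fail unless StartTLS succeeds; -Y EXTERNAL binds with
# the client certificate. Success prints the DN the authz-regexp mapped to.
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com
```

The check is the part a practitioner wants: if ldapwhoami succeeds with -Y EXTERNAL and reports the expected user DN, both sides verified a certificate; if it fails with TLS_REQCERT demand but works with never, the server certificate chain is the problem, not Kerberos versus LDAP.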


