RE: [fw-wiz] LDAP and Kerberos?
From: Christopher Hicks (chicks_at_chicks.net)
Date: 09/20/04
- Previous message: Melson, Paul: "RE: [fw-wiz] LDAP and Kerberos?"
- In reply to: Melson, Paul: "RE: [fw-wiz] LDAP and Kerberos?"
- Next in thread: Melson, Paul: "RE: [fw-wiz] LDAP and Kerberos?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Melson, Paul" <PMelson@sequoianet.com>
Date: Mon, 20 Sep 2004 10:09:22 -0400 (EDT)
On Mon, 20 Sep 2004, Melson, Paul wrote:
> I'm not sure you've given enough information about your back end
> architecture to say for sure,
I'm not sure what else to say about the architecture. I'll be happy to
answer any questions though.
> but if it were mine to do, knowing that Kerberos wasn't going to work
> for everything I was attempting to authenticate, I'd probably leave it
> out. Here's why:
That's the way I'm leaning now.
> 1. If you plan to use SSL certificate-based authentication as well as
> encryption, then you're getting one of the big advantages Kerberos has
> over LDAP - mutual client-server authentication.
How does Kerberos do it mutually? And even if it does do it mutually, if
the server is compromised, what does that authentication really do for you?
Or is it for some other reason?
> 2. Administrative overhead will likely be a killer. I see independently
> maintained LDAP containers and Kerberos zones, and therefore group
> memberships, in your future (or the future of the unlucky person forced
> to admin this setup).
I'm going to be stuck administering this and I'm reasonably adept at Perl
so I could easily throw together some tools to mitigate the administrative
overhead, but if there's nothing I'm getting for the trouble I'd obviously
rather skip it.
> Maybe somebody on the list is aware of a slick package for Linux that
> integrates LDAP and Kerberos which would save the day, but otherwise I
> think you'd be doing a lot of extra work for maybe not so much security
> gain.
That's what I was thinking, but with a Kerberos fan involved in the
project I thought I should check out some other perspectives.
>> Does anyone have any experiences with doing LDAP and Kerberos
>> together?
>
> Everybody who has deployed Microsoft Active Directory, only many of them
> don't know it. :)
Help from NT admins. [shiver] ;)
--
</chris>
There are two ways of constructing a software design. One way is to make
it so simple that there are obviously no deficiencies. And the other way
is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
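The question raised in this reply, how Kerberos authenticates the server to the client and what that is worth, is answered by the shape of the AP exchange: the client cannot open the ticket it presents, only a holder of the service's long-term key can, so a server that returns the client's own timestamp encrypted under the session key sealed inside that ticket has proved it holds the service key. The following is an added illustration written for this archive page, not code from the thread or from any Kerberos implementation: the cipher is a toy stand-in built from the standard library, the KDC and ticket-granting steps are collapsed into one helper, and the principal name and clock values are constructed. It also shows the caveat the reply points at: an impostor that lacks the service key is rejected, while a host that has stolen the real service key passes exactly as the genuine one does.

```python
"""Toy model of the Kerberos AP-REQ / AP-REP exchange (added example).
Not real Kerberos: the cipher below is a stand-in built from hashlib and
hmac, and the KDC / TGS steps are collapsed into kdc_issue_ticket()."""
import hashlib
import hmac
import json
import os
import secrets

MAX_CLOCK_SKEW = 300   # seconds; the skew Kerberos tolerates by default
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; stands in for a real enctype.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message: nonce || ciphertext || tag."""
    data = json.dumps(plaintext, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under this key before decrypting it."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    data = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(data)


def kdc_issue_ticket(service_key: bytes, client: str, now: int):
    """KDC step, collapsed: mint a session key and seal it into a ticket only
    the service can open. In real Kerberos the client receives the session
    key encrypted under its own key; here it is simply returned."""
    session_key = secrets.token_bytes(KEY_LEN)
    ticket = encrypt(service_key, {"client": client,
                                   "session_key": session_key.hex(),
                                   "endtime": now + 8 * 3600})
    return ticket, session_key


def client_ap_req(ticket: bytes, session_key: bytes, client: str, now: int) -> dict:
    # The authenticator proves the client knows the session key and is fresh.
    authenticator = encrypt(session_key, {"client": client, "ctime": now})
    return {"ticket": ticket, "authenticator": authenticator}


def service_ap_rep(service_key: bytes, ap_req: dict, now: int) -> bytes:
    """Service side. Opening the ticket requires the service's long-term key;
    that is the only thing that lets it recover the session key and reply."""
    ticket = decrypt(service_key, ap_req["ticket"])
    if now > ticket["endtime"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = decrypt(session_key, ap_req["authenticator"])
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket principal")
    if abs(now - auth["ctime"]) > MAX_CLOCK_SKEW:
        raise ValueError("authenticator outside clock skew window")
    # Mutual authentication: echo the client's timestamp under the session key.
    return encrypt(session_key, {"ctime": auth["ctime"]})


def client_verify_ap_rep(session_key: bytes, ap_rep: bytes, sent_ctime: int) -> bool:
    """Client side: the AP-REP is valid only if it was sealed under the session
    key and carries back the exact timestamp the client just sent."""
    try:
        rep = decrypt(session_key, ap_rep)
    except ValueError:
        return False
    return rep.get("ctime") == sent_ctime


def run_exchange(server_key: bytes, kdc_service_key: bytes, now: int = 1_095_690_000) -> bool:
    """Drive one exchange with a fixed constructed clock. server_key is what the
    responding host actually holds; a genuine server holds kdc_service_key."""
    client = "chicks@EXAMPLE.ORG"  # constructed principal name
    ticket, session_key = kdc_issue_ticket(kdc_service_key, client, now)
    ap_req = client_ap_req(ticket, session_key, client, now)
    try:
        ap_rep = service_ap_rep(server_key, ap_req, now)
    except ValueError:
        return False  # an impostor cannot open the ticket, so no valid AP-REP
    return client_verify_ap_rep(session_key, ap_rep, now)


def demo() -> tuple:
    real_key = secrets.token_bytes(KEY_LEN)
    genuine = run_exchange(real_key, real_key)
    impostor = run_exchange(secrets.token_bytes(KEY_LEN), real_key)
    stolen_key = run_exchange(real_key, real_key)  # attacker holding the real key
    return genuine, impostor, stolen_key


if __name__ == "__main__":
    print("genuine / impostor / stolen-key server:", demo())
```

The third result is the caveat behind "what does that authentication really do for you": mutual authentication binds the peer to possession of the service key, nothing more, so a compromised host that still holds its keytab is indistinguishable from the genuine one, and the defence there is key hygiene (keytab permissions, rotation, and monitoring for the key being used from unexpected hosts), not the protocol.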