LDAP, SSO and Kerberos (was Re: [Gllug] LDAP)

Alex Hudson home at alexhudson.com
Wed Sep 26 11:44:31 UTC 2001


On Wednesday 26 September 2001 11:47, you wrote:
> Hang on, I've never said that you don't need Kerberos for SSO; all
> I've said is that for simple authentication you _don't_ need
> Kerberos --- a password will do.

No, I agree completely. I was just trying to clarify what I said - I didn't 
mean to infer that Kerberos was needed/useful for anything other than SSO.

> boxes have to try and take part in _our_ domain. Since you appear to
> know what you're talking about, how easy is it to get a W2000 machine
> to authenticate against an OpenLDAP server using MIT Kerberos?

You can't, not fully, because of the Microsoft extensions. Unfortunately, in 
this case, Microsoft were probably fully within their rights to do what they 
did, because Kerberos doesn't support everything that they needed. Kerberos 
only does single sign-on - i.e., authentication. There is no standard for 
distributed authorization yet, which is what Microsoft have built into Win2k. 
It's pretty cool actually - NT & 2k have always been miles ahead of Unix in 
terms of security infrastructure unfortunately :(

> > That's the way it works on UNIX too, don't forget.
>
> *shrugs* Depends on whether you're using Kerberos :))

True ;) I was thinking more in the canonical sense ;)

> Okay, point taken. I still trust my internal network while I'm testing
> this stuff, though, and I still have a measure of security --- unless
> someone decrypts my password they can only log on to those facilities
> on the network that offer access via an MD5'd password sent over the
> LAN.

Fair enough. I don't see why you're bothering to MD5 them, though ;P

Cheers,

Alex.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
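The point behind "I don't see why you're bothering to MD5 them" is that a fixed hash of a password sent over the LAN is itself a reusable credential: nobody has to "decrypt" it, because the server accepts the hash as-is. The following added example (not code from the thread, nor from any GLLUG member) contrasts that scheme with a nonce-based challenge-response in which a recorded response is useless on the next login. The user table, the password and the HMAC-SHA256 construction are all constructed for this illustration; the names `static_hash_login`, `ChallengeServer` and `demo` are invented here.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store for the demo (not from the thread).
USERS = {"alice": "correct horse battery staple"}


# --- Scheme 1: client sends md5(password) over the LAN, server compares ---
def client_static(user, password):
    """What the client puts on the wire: the user name and md5(password)."""
    return user, hashlib.md5(password.encode()).hexdigest()


def static_hash_login(user, sent_hash):
    """Server accepts the login if sent_hash equals md5(stored password).
    Whoever captures sent_hash can present it again: the hash *is* the
    credential, so hashing client-side adds no protection against a listener."""
    pw = USERS.get(user)
    if pw is None:
        return False
    expected = hashlib.md5(pw.encode()).hexdigest()
    return hmac.compare_digest(expected, sent_hash)


# --- Scheme 2: server issues a fresh nonce, client answers HMAC(password, nonce) ---
def client_response(password, nonce):
    """Client proves knowledge of the password without sending it or a fixed hash."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Keeps one outstanding nonce per user; a nonce is consumed on first use."""

    def __init__(self):
        self.outstanding = {}

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.outstanding.pop(user, None)  # single use, then discarded
        pw = USERS.get(user)
        if nonce is None or pw is None:
            return False
        expected = client_response(pw, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """A passive observer on the LAN records one exchange of each scheme and
    presents it again. Returns which logins the server accepted."""
    # Scheme 1: the recorded hash is accepted a second time unchanged.
    user, sent_hash = client_static("alice", USERS["alice"])
    static_first = static_hash_login(user, sent_hash)
    static_replay = static_hash_login(user, sent_hash)

    # Scheme 2: the recorded response only matched the nonce it was computed for.
    srv = ChallengeServer()
    nonce = srv.challenge("alice")
    response = client_response(USERS["alice"], nonce)
    cr_first = srv.verify("alice", response)
    srv.challenge("alice")  # next login gets a new nonce
    cr_replay = srv.verify("alice", response)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat the demo does not remove: in both schemes the server still holds the password (or an equivalent secret) in order to check the client, so the shared secret itself has to be protected on every server that performs the check. That is the part of the problem Kerberos moves into a single KDC with tickets, which is why the thread treats it as the route to proper single sign-on rather than to simple password checks.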