[Gllug] LDAP and Kerberos
Simon Morris
simon.morris at cmtww.com
Tue Jan 31 13:13:07 UTC 2006
Dani Pardo wrote:
> Hi, Kerberos has always been a little mystery for me and I'm sure
> people in the list will clarify a few issues for me.
> Basically, I've used LDAP to store users/groups etc. I can integrate
> LDAP with Unix/Linux with pam-ldap.
> I can also integrate with Samba with Samba's LDAP backend. When adding
> the Samba layer to support Windows users, the accounts get some LDAP
> attributes added (i.e. sambaSID).
> I can also use SSL to transport the LDAP queries and responses,
> right?
> The question is: where does Kerberos fit in all this stuff? Why
> should I need it?
> It's said that Active Directory is a kind of LDAP directory with a
> Kerberos mutation :). Shouldn't the LDAP part be enough? I don't get the
> point :)
I'm ready to take any corrections on the description below. :-)
LDAP is a data storage mechanism and can also do authentication, with
services authenticating users by taking their password and trying to
"bind" against the LDAP server as that user.
(There are other ways to authenticate against LDAP, for example
comparing the password stored in LDAP with the user's supplied password,
but obviously sending the password (even in its hashed format) needs to
be avoided when possible.)
Kerberos is an authentication mechanism that involves "trusted
principals", that is, all the members of the Kerberos realm trust
these servers (in AD this is a domain controller). The generic name for
these trusted servers is "Key Distribution Centre".
Using Kerberos rather than plain LDAP authentication has benefits
including encryption of data between client and server(s) and also
anti-replay methods.
When the client logs into the Kerberos realm it contacts the KDC (Key
Distribution Centre) machine and passes its network password to the
server. If the password is successfully checked, that client is given a
ticket by the KDC. This ticket is only valid for a certain number of
hours and is used to log on to other services (possibly on other
servers). The ticket is known as a ticket granting ticket (TGT).
So, having logged into the network, you now have a TGT to present to
other services running "kerberised" services. These services could be
SMTP, IMAP, SMB etc.
When you connect to a kerberized service you first approach the KDC and
you say "Hey, I am me..." *presents KDC with TGT* "... and I'd like to
use the IMAP service on imap.somedomain.com".
The KDC then issues you with a correct ticket for that service on that
host. The ticket can be decrypted by that server only
(imap.somedomain.com) but it is given to you to present.
When you go to that server you can now pass the ticket (an AT
(Authentication Ticket)) and the server can decrypt it, see it is from
the KDC and know that you are a genuine user. If the KDC trusts you,
and the IMAP server trusts the KDC, then the IMAP server is happy to
trust you.
The main idea is that you can use your TGT for, say, 10 hours and never
have to pass your password around after the initial logon.
*pauses for breath*
~sm
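The exchange Simon describes above (password checked once at logon for a TGT, a service ticket for imap.somedomain.com that only that host's key can open, a ticket lifetime, and an anti-replay check) as an added toy model in Python; it is not part of the original post or of any Kerberos implementation. The user name, password, timestamps and keys are constructed, and seal/unseal are a stand-in keystream plus HMAC rather than a real Kerberos encryption type.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):  # toy SHA-256 counter-mode keystream standing in for a real Kerberos enctype
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def seal(key, data):         # "encrypt under key": only a holder of that key can open the result
    nonce, pt = os.urandom(16), json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, users, services):  # users: name -> password hash; services: name -> key shared with that host
        self.kdc_key, self.users, self.services = os.urandom(32), users, services  # kdc_key never leaves the KDC
    def login(self, user, password, now, lifetime=10 * 3600):  # initial logon: password checked once, TGT issued
        if not hmac.compare_digest(self.users[user], hashlib.sha256(password.encode()).digest()):
            raise PermissionError("bad password")
        return seal(self.kdc_key, {"user": user, "expires": now + lifetime})
    def service_ticket(self, tgt, service, now):  # "here is my TGT, I'd like the imap service on host X"
        t = unseal(self.kdc_key, tgt)             # only the KDC can read a TGT
        if now > t["expires"]: raise PermissionError("TGT expired")
        session = os.urandom(32).hex()            # fresh key for client <-> service traffic
        return seal(self.services[service], {**t, "session": session}), session

class Service:
    def __init__(self, key): self.key, self.seen = key, set()  # seen authenticators -> replay detection
    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)                            # only this host's key opens the ticket
        a = unseal(bytes.fromhex(t["session"]), authenticator)  # proves the presenter holds the session key
        if now > t["expires"] or a["user"] != t["user"] or (a["ts"], a["nonce"]) in self.seen:
            raise PermissionError("expired, mismatched or replayed")
        self.seen.add((a["ts"], a["nonce"]))
        return t["user"]

def authenticator(session, user, now):  # fresh per connection; the ticket itself is reused until it expires
    return seal(bytes.fromhex(session), {"user": user, "ts": now, "nonce": os.urandom(8).hex()})
def rejected(call):                     # True if the service refused the presentation
    try: call(); return False
    except PermissionError: return True
def run_demo(now=1_138_712_000):  # constructed timestamp (Jan 2006), user, password and service names
    imap_key, svc = os.urandom(32), "imap/imap.somedomain.com"
    kdc = KDC({"dani": hashlib.sha256(b"s3cret").digest()}, {svc: imap_key})
    tgt = kdc.login("dani", "s3cret", now)                      # the only time the password goes on the wire
    ticket, session = kdc.service_ticket(tgt, svc, now + 3600)  # an hour later: present the TGT, not the password
    imap, auth = Service(imap_key), authenticator(session, "dani", now + 3600)
    return {"user": imap.accept(ticket, auth, now + 3600),
            "replay_rejected": rejected(lambda: imap.accept(ticket, auth, now + 3600)),
            "expired_rejected": rejected(lambda: imap.accept(ticket, authenticator(session, "dani", now + 11 * 3600), now + 11 * 3600))}
```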
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug