[Gllug] LDAP and Kerberos
Dani Pardo
dani at enplater.com
Tue Jan 31 15:03:02 UTC 2006
Simon Morris wrote:
>
> LDAP is a data storage mechanism and can also do authentication with
> services authenticating users by taking their password and trying to
> "bind" against the LDAP server as that user.
>
[..]
>
> Kerberos is an authentication mechanism that involves "trusted
> principles".. that is that all the members of the kerberos realm trust
> these servers (In AD this is a domain controller). The generic name for
> these trusted servers is "Key Distribution Centre"
[..]
> So - having logged into the network you now have a TGT to present to
> other services running "kerberised" services. These services could be
> SMTP, IMAP, SMB etc.
Mm.. sounds like pam, but over the network and controlled via a
central "brain" and based on tickets. Cool.
I've read that this protocol was written in the 80s, that v2 and v3
were bloated, and that v4 had security flaws. So v5 should be considered
*the* Kerberos. What surprises me is.. has Microsoft really been
the first to make a *broad deployment* of Kerberos, with AD? Or have I been
living under a rock?
I mean, I have the impression that it has always been here, and now it's
not as easy as adding pam-kerberos to /etc/pam.d/* and "Voila! Single
sign-on and central authentication!". Or is there any project going in
that direction?
--
Dani Pardo, dani at enplater.com
Enplater S.A
--
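The ticket flow Simon describes above (a KDC that every member of the realm trusts, a TGT obtained at login, and service tickets presented to "kerberised" services such as IMAP) as an added, runnable example that is not part of the original thread. It is a toy model of the Kerberos v5 AS, TGS and AP exchanges written for this page, not the MIT or Heimdal code: the realm EXAMPLE.COM, the principals `dani` and `imap/mail.example.com` and the passwords are invented, PBKDF2 stands in for the real string-to-key function, and a SHA-256 keystream plus HMAC stands in for a real Kerberos encryption type. The point it shows, which the prose only states, is that the client's password never crosses the wire: the client proves knowledge of its key by encrypting a timestamp (pre-authentication), the KDC hands back a TGT it alone can read, and the IMAP service verifies the ticket with its own key without contacting the KDC.

```python
"""Toy model of the Kerberos v5 ticket flow. Not a real implementation."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # Kerberos derives a long-term key from the password salted with realm+principal.
    # Real KDCs use an etype-specific string-to-key; PBKDF2 stands in here (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, obj: dict) -> dict:
    """Toy encrypt-then-MAC; stands in for a Kerberos encryption type (assumption)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, box: dict) -> dict:
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Centre: holds every principal's long-term key for the realm."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, p, realm) for p, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)  # TGS key: only the KDC can open a TGT

    def as_exchange(self, client: str, pa_enc_timestamp: dict) -> dict:
        """AS-REQ -> AS-REP. Pre-auth: the client encrypts a timestamp under its key."""
        try:
            ts = unseal(self.keys[client], pa_enc_timestamp)["ts"]
        except (KeyError, ValueError):
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        if abs(time.time() - ts) > 300:
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key = os.urandom(32)
        tgt = seal(self.keys["krbtgt"],
                   {"client": client, "key": session_key.hex(), "exp": time.time() + 36000})
        # The client learns the session key from the part encrypted under its own key.
        return {"tgt": tgt, "enc": seal(self.keys[client], {"key": session_key.hex(), "sname": "krbtgt"})}

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str) -> dict:
        """TGS-REQ -> TGS-REP: TGT plus authenticator in, service ticket out."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or time.time() > t["exp"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH or expired TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex()})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(t["key"]), {"key": svc_key.hex(), "sname": service})}


class Client:
    def __init__(self, principal: str, password: str, kdc: KDC):
        self.principal, self.kdc = principal, kdc
        self.key = string_to_key(password, principal, kdc.realm)  # password stays local

    def login(self) -> None:
        rep = self.kdc.as_exchange(self.principal, seal(self.key, {"ts": time.time()}))
        if "error" in rep:
            raise PermissionError(rep["error"])
        self.tgt = rep["tgt"]
        self.tgt_key = bytes.fromhex(unseal(self.key, rep["enc"])["key"])

    def ticket_for(self, service: str):
        auth = seal(self.tgt_key, {"client": self.principal, "ts": time.time()})
        rep = self.kdc.tgs_exchange(self.tgt, auth, service)
        return rep["ticket"], bytes.fromhex(unseal(self.tgt_key, rep["enc"])["key"])


def service_accept(service_key: bytes, ticket: dict, authenticator: dict) -> str:
    """AP-REQ check at a kerberised service: needs only its own key, no KDC round trip."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(time.time() - auth["ts"]) > 300:
        raise PermissionError("KRB_AP_ERR_BADMATCH or stale authenticator")
    return t["client"]


def demo(client_password: str = "hunter2") -> str:
    # Constructed realm, principals and passwords for the example only.
    kdc = KDC("EXAMPLE.COM", {"dani": "hunter2", "imap/mail.example.com": "keytab-secret"})
    dani = Client("dani", client_password, kdc)
    dani.login()  # raises PermissionError when pre-authentication fails
    ticket, svc_key = dani.ticket_for("imap/mail.example.com")
    authenticator = seal(svc_key, {"client": "dani", "ts": time.time()})
    # The service would read its key from a keytab; the toy reuses the KDC's copy.
    return service_accept(kdc.keys["imap/mail.example.com"], ticket, authenticator)


if __name__ == "__main__":
    print("IMAP accepted principal:", demo())
```

Compare this with the LDAP bind model in the quoted text: there the service receives the user's password and tries it against the directory on every login, so each service is a place the password can be captured. Here a wrong password fails at the AS exchange, the service never sees a password at all, and only the KDC's `krbtgt` key can open the TGT.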
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug