ServersLDAP and Kerberos, So Happy Together

LDAP and Kerberos, So Happy Together




Juliet Kemp

LDAP (Lightweight Directory Access Protocol) is basically a way of
organizing information and providing access to it. It’s commonly used
for user, service and machine information, and it’s incredibly useful. The
Linux version is OpenLDAP. It will
handle authentication as well as information (so the password aspect of login
as well as looking up who the user is, where his home directory is, and so
on). However, it’s not as secure as it could be — by default connections are
unencrypted, so your password is being sent out in the open.

Recent Tips
» kill
» PuTTY and Xming
» DBAN

Read All Tips of the Trade

Tip of the Trade: LDAP organizes information and provides access to it. Kerberos is designed to handle authentication. Separate they are useful; together they offer a powerful and secure solution.

Previously, you could deal with this using SSL tunneling, but that has
been deprecated since the retirement of LDAPv2 (in 2003). TLS is another
option, but even using that, LDAP still has security problems.

For security, your best option is Kerberos. Kerberos is specifically designed to handle authentication. It will not do the information lookup that LDAP does. It avoids
password security problems and enables single-sign-on (a very useful feature!).

So the ideal situation is to use both Kerberos and LDAP: one for
authentication and one for information organization and access. In fact, they
do play quite nicely together, but information about on how to achieve this is limited. If you do want to set them up, check out this two-part article I wrote
(requires
registration but is free) a while back which is still relevant. You can
also get more information from the LDAP and Kerberos web pages.

Latest Posts

Related Stories