[clug-talk] Browsing a Linux network
Gustin Johnson
gustin at echostar.ca
Wed Jun 27 01:08:15 PDT 2007
Well, LDAP just stores and retrieves data; Kerberos is a secure
authentication mechanism (a way of passing credentials securely between
machines on an insecure network). They were designed to solve different
problems.
Ian Bruseker wrote:
> On 6/26/07, Gustin Johnson <gustin at echostar.ca> wrote:
>> Actually Active Directory uses Kerberos to do the actual
>> authenticating. LDAP is a part of the picture but it is not itself
>> an authentication mechanism. Complicated stuff, but there is more
>> than one way to do it.
>>
> Complicated indeed. :-) So, a little googling brought up some
> articles talking about how both Kerberos and LDAP can be used for
> authentication. But you don't need both? Microsoft just has both to
> be difficult? I've found info on PAM modules for both. The first
You don't "need" both, but combined they make for a powerful solution.
Microsoft made some very valid design choices with AD by using LDAP, DNS
and Kerberos in combination. That is the short short version.
> article on setting up Kerberos that I read ragged on LDAP for not
> being as secure, but then if I understand correctly, LDAP can do more
> for you, so, ya, complicated. :-)
This is why Microsoft chose to use both for different tasks. LDAP can
be made more secure with SSL/TLS, but Kerberos is a very elegant
solution to the security issue while retaining the flexibility of an
LDAP directory.
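As an added illustration of the split described in this reply (LDAP serves directory data, Kerberos does the authenticating), here is a configuration excerpt that is not from the original thread: glibc NSS reads accounts and groups from LDAP over TLS, while PAM checks passwords against a Kerberos KDC. The realm EXAMPLE.COM, hostnames, base DN, CA path and UID threshold are assumed placeholders.

```conf
# /etc/nsswitch.conf (excerpt): user and group data come from the directory.
# Deliberately no "shadow: ldap" line: the password never lives in LDAP,
# the Kerberos KDC holds it, so the directory stays read-only lookup data.
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/ldap.conf (nss_ldap / pam_ldap): lookups protected with STARTTLS and
# server certificate checking, so attributes do not cross the wire in clear.
uri ldap://ldap.example.com/                  # assumed hostname
base dc=example,dc=com                        # assumed base DN
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem  # assumed CA bundle path

# /etc/krb5.conf (excerpt): where clients find the KDC for the assumed realm.
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

# /etc/pam.d/common-auth: directory users (UID >= 1000, assumed threshold)
# authenticate via Kerberos; local system accounts still use /etc/shadow.
auth    sufficient  pam_krb5.so  minimum_uid=1000
auth    required    pam_unix.so  try_first_pass
```

With this layout a stolen LDAP dump yields names and group memberships but no password hashes, and the LDAP server itself never sees the user's password during login.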