RE: Kerberos vs. LDAP for authentication -- any opinions?
Normally, a client user is not allowed to modify the password, but the LDAP server
login admin user will be able to do it. Actually, the LDAP server is an
authentication service provider.
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
Of Harry Le
Sent: Wednesday, January 28, 2004 2:30 PM
To: kerberos@mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?
Not entirely true.
Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos
V5 credentials to authenticate users against LDAP directories. This will
not require users to change passwords. For data privacy, use SSL.
Joseph
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames and
passwords which is accessible over the network. Your users must then
transmit said usernames and passwords across the network to a potentially
compromised machine in order for them to be validated against the copies
stored in LDAP.
To me this approach is unacceptable.
cyberp70@yahoo.com wrote:
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything on
> our network. Some ...
RE: Kerberos vs. LDAP for authentication -- any opinions? #3
Peter,
Thank you for the explanation. I was trying to keep my answer relatively simple to avoid any unnecessary technical detail and hence overcomplicating the answer to the original question asked.
Anyway, Kerberos is useful for more than just SSO (or SSSO) when comparing with LDAP; this is why I provided a long list of differences in my email. In fact LDAP and Kerberos are complementary and not competitive technologies.
Thanks, Tim.
-----Original Message-----
From: Peter Gietz [mailto:peter.gietz@daasi.de]
Sent: 29 January 2004 16:58
To: Tim Alsop
Cc: Harry Le; kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
Tim,
Your view on LDAP may be a little too simplified.
There is a whole variety of authentication mechanisms that you can use within LDAP, userdn/cleartext password (=simple bind) being only the most useless and unrecommended by the standards.
The minimal recommendation is to use that simple bind within a TLS encrypted session, but there are other mechanisms in LDAP implementations which all use the SASL framework. The most important SASL mechanisms, IMHO, are:
- DIGEST MD5, a challenge-response mechanism, where the actual password will not be sent through the net. This is also mandatory to implement in standard-conforming LDAP
- GSSAPI using the Kerberos 5 mechanism, which was already mentioned in this thread, and is implemented in at least some LDAP implementations, like OpenLDAP.
Any other SASL mechanisms could also be used,...
RE: Kerberos vs. LDAP for authentication -- any opinions? #2
Harry, others,
The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner - this is one of the many requirements for application security for which Kerberos is ideally suited.
I think we need to compare the LDAP directory and Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.
I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?
LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.
Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built in prevention from network replay attacks and protect against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- A protocol that allows support for userid/password, token card, smart card au...
Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate aga...
kerberos vs ldap
Can anyone explain to me what's the relation between LDAP vs Kerberos
--
View this message in context: http://www.nabble.com/kerberos-vs-ldap-tp16254166p16254166.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
...
Microsoft SSPI error
Hello,
I have configuration of active directory 2003 r2 sp3 working with
linux mod_auth_kerb.
I use SPNEGO for subversion.
When using Linux all work great!
When using Windows XP(and Windows 7) Firefox/IE/cifs client work great.
Problem is subversion which uses neon, it gets the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---
At windows event log I see the following:
---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---
Has anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to m...
Authentication with Kerberos & LDAP
Hello,
I'm looking for material written about authenticating users in an LDAP
directory with Kerberos. I would for example want to log into several
servers via say SSH with an account present in an LDAP directory, and
have this be authenticated with Kerberos.
I've seen some half finished documents about this, mostly in linux
environments, but nothing's really good.
Much appreciated if someone could point me in a direction.
/Paul
...
replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all
Since we are migrating from Debian to RedHat, we are considering
replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT
Kerberos server (again with LDAP back-end) since RedHat packages are only
available for MIT Kerberos. In order to make this migration/upgrade as
transparent as possible for our users, we want to convert all the
necessary info in the Heimdal back-end to the MIT back-end. Are there
any pointers available for this kind of operation? E.g. things like
conversion tables mapping the corresponding Kerberos-specific LDAP
attributes? Or even scripts?
I'm especially looking at the Kerberos key attributes, i.e.
- Heimdal: krb5Key
- MIT: krbPrincipalKey
Is it possible to convert the former into the latter? Is there any code
available for this operation? If not, we would have to require all our
users to change their passwords at the same time, which is not very
feasible.
Thanks in advance
Bart
...
How to make LDAP data needed for Kerberos authentication
Hi,
When I use the style of combination with Kerberos and OpenLDAP,
I try to write java-codes with Novell LDAP Classes for Java to
entry LDAP data needed for Kerberos authentication.
Please tell me how to make LDAP data needed for Kerberos
authentication or pointer (URL, Document, etc) to information
for this purpose.
Regards,
--Shigeru
--
Shigeru Ishida <ishida_shigeru@webgen.co.jp>
INTEC Web and Genome Informatics Corporation.
ISL BLDG 2F, 3-23 Shimoshin Town,
Toyama City, Toyama., Japan, 930-0804
Web Site: www.webgen.co.jp
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
A list of useful links is here;
http://swik.net/kerberos+LDAP+Java
Shigeru Ishida wrote:
> Hi,
>
> When I use the style of combination with Kerberos and OpenLDAP,
> I try to write java-codes with Novell LDAP Classes for Java to
> entry LDAP data needed for Kerberos authentication.
>
> Please tell me how to make LDAP data needed for Kerberos
> authentication or pointer (URL, Document, etc) to information
> for this purpose.
>
> Regards,
>
> --Shigeru
>
> --
> Shigeru Ishida <ishida_shigeru@webgen.co.jp>
> INTEC Web and Genome Informatics Corporation.
> ISL BLDG 2F, 3-23 Shimoshin Town,
> Toyama City, Toyama., Japan, 930-0804
> Web Site: www.webgen.co.jp
>
> ________________________________________________
> Kerberos mail...
Authenticate user with Kerberos & LDAP-backend
Hi All
There is an LDAP server which stores many users and serves authentication in my company. I have now set up a Kerberos server to implement a single sign-on mechanism, and after that I saw some ideas about Kerberos with an LDAP backend. It is great; I deployed it successfully on a test server. But now there is one thing I am confused about: after using the LDAP backend, can I use Kerberos to authenticate some services (SSH for example), LDAP to authenticate other services (FTP, HTTP, ... for example), and use all attributes of the user (cn, userPassword, ... for example) for other purposes, while the user can change the password with the kpasswd tool?
Has anyone experienced this situation? Please give me some ideas and how to implement it.
Thank you,
Hung Ta
Having been down this road, I can tell you with complete confidence
that... it depends.
If the LDAP server is Active Directory, you can use LDAP or AD for
authentication, and they'll both work with the same password.
If you're using OpenLDAP and MIT Kerberos, it's a bit more of a problem,
since you essentially end up with two sets of passwords, which is not
pretty.
If you're using PAM for everything, it's easier to get everything to use
that instead. That way, you get SSO where applications support it, and
where the don't, they still use the Kerberos back end via PAM. I did this
for email, whe...
Open LDAP VS Kerberos : help needed
Hi,
I now know that we can make kerberos use openldap as its data store backend, but only with heimdal as our kdc, not mit kerberos.
I have read somewhere that with openldap you can add krb5Principal object class and krb5principalName attribute to your users to allow them to use credentials they get from kerberos to bind to the tree and change stuff.
In such a case would the kerberos db and the open ldap db be separate? Can we have a setup like this in which both the kerberos db and openldap db are different but we bind to the openldap tree using kerberos credential?
Any help to clarify my concepts in this regard would be appreciated.
Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r life. Do give it a try.
www.dhamma.org
...
Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type
Colleagues,
What could be the reason that I cannot telnet from FreeBSD to Solaris 10
with the following error:
Connected to oracle.sibptus.tomsk.ru.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ]
[ Trying KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ]
Password:
Kerberized telnet and ssh work fine between FreeBSD systems, but
Solaris is a problem.
The kdc is Heimdal running on FreeBSD. The keytab for the host
principal was exported on FreeBSD and then transferred to Solaris and
imported there.
Thank you in advance for any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
I believe that solaris (as of solaris 9) only supports
des-cbc-crc encryption.
Hope that helps,
Steven
--- Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
wrote:
> Colleagues,
>
> What could be the reason that I cannot telnet from
> FreeBSD to Solaris 10
> with the following error:
>
> Connected to oracle.sibptus.tomsk.ru.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5
> (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
> [ Kerberos V5 refuses authentication because
> Kerberos checksum verification failed: Ba...
LDAP bind() versus Kerberos authentication (performance perspective)
Anyone have any information about the relative merits (w.r.t. performance)
of using Kerberos authentication instead of LDAP bind() for authentication
in a large environment? (around 30 authns per second)
thanks,
Nagendra
...
Storing MIT-Kerberos authentication data in an LDAP backend
Klaus Kiwi has written about storing MIT-Kerberos authentication data
in an LDAP backend (one LDAP implementation is IBM Tivoli Directory
Server).
The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is
a relatively new feature, introduced in MIT-Kerberos 1.6, available in
RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server
11.
You can read about it at: http://www.ratliff.net/blog/2009/04/29/kerberos_and_itds
On 2009-05-04, bjacobson@us.ibm.com <mr.zeus1@gmail.com> wrote:
> The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is
> a relatively new feature, introduced in MIT-Kerberos 1.6, available in
> RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server
> 11.
It's not really available in RHEL5.2 (or 5.3-latest either).. The v1.6
MIT-Kerberos is there, but the ldap plugin isn't provided, so one will
have to rebuild the packages to get it (and probably every time Red Hat
decides to upgrade the krb5 packages).
But, Klaus's BluePrint looks great! I hope to use it to set up the same
against Red Hat's own directory server instead of ITDS.
-jf
...
KERBEROS with LDAP
Hi all,
I'm experiencing some problem between authentication and authorization
through Kerberos and LDAP.
This is my situation:
I can authenticate on LDAP through the option -Y GSSAPI after having
obtained a valid TGT from the KDC.
I have some questions:
Is it possible to authenticate via Kerberos on LDAP without obtaining
prior a ticket (i.e. when i have to authenticate to the LDAP i want
that username/password was asked and then these username/password
allow to obtain the ticket from Kerberos). I'm asking this because i
want that this new mechanism be invisible from a user point of view.
Are there some solution to this problem or I need to implement by
myself a customized client that communicate with kerberos and then
with the ticket to LDAP???
Another question is about how to map authentication to authorization
in LDAP. The example found was very simple with a flat LDAP, I'm in an
hard situation, with an extremely non-regular LDAP tree, how to find
the correct mapping to the correct identity???
Thanks in advance,
Andrea
...
Kerberos + LDAP How-To
Thanks much to all of you for your responses. Much of what I wanted to
do is actually answered more in depth on-line.... took me a long time to
find good documentation on it.
http://ofb.net/~jheiss/krbldap/howto.html
Seems to be the best docs i've seen to date on the kerberos ldap link
up. Just thought I'd share that.
-Matt Joyce.
>>>>> "Matt" == Matt Joyce <syslists@vtsystems.com> writes:
Matt> Thanks much to all of you for your responses. Much of what
Matt> I wanted to do is actually answered more in depth
Matt> on-line.... took me a long time to find good documentation
Matt> on it.
Matt> http://ofb.net/~jheiss/krbldap/howto.html
Matt> Seems to be the best docs i've seen to date on the kerberos
Matt> ldap link up. Just thought I'd share that.
And I naturally would like to take the chance of promoting
http://www.bayour.com/LDAPv3-HOWTO.html
Matt,
why do you use SSL and put extra load on the client/server if you already
use Kerberos? SASL/GSSAPI does authentication AND encryption!!
Cyrus-sasl may show only a SSF of 56, but this is only because it is hardcoded
in cyrus, ...
PIX 7.2 VPN with kerberos / ldap authentication and authorization
anyone ever did this configuration with a ver 7.2 ?; i can make it work
:?
what i am trying to do is:
vpn users from windows xp; connecting to pix through L2TP and
authenticating to the active directory servers in the inside interface.
On Wed, 23 Aug 2006 05:09:32 -0700, XaBi wrote:
> anyone ever did this configuration with a ver 7.2 ?; i can make it work
> :?
>
> what i am trying to do is:
>
> vpn users from windows xp; connecting to pix through L2TP and
> authenticating to the active directory servers in the inside interface.
First, look here -
http://www.cisc...
Firefox vs IE Cross Realm Kerberos SSO Authentication
Hello List,
I have found an inconsistency between IE and Firefox with respect to
Kerberos cross realm authentication.
I have two Windows domains W.NET and B.W.NET. If I setup SSO on a Linux
web server lws.b.w.net and create the HTTP service account in the B.W.NET
realm all works fine with both FF and IE.
However, if I create the HTTP service in the parent domain W.NET, IE
can successfully perform SSO whereas FF cannot.
From looking at a capture of the failure I see the following:
C: KRB5 TGS-REQ for HTTP/lws.b.w.net
S: KRB5 TGS-REP with krbtgt/W.NET
C: DNS SRV query for _kerberos-master._udp.B.W.NET
S: DNS No such name
Can anyone explain this behavior and tell me if it is consistent with
what is supposed to happen?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
...
Authenticating to Kerberos
Hi,
I've had a quick look but cannot find a module that will let me authenticate
against Kerberos. There appears to be a krb5 module that hasn't been
updated for a long time and I can't find much on it except the pages at
starship.python.net.
I don't need to do anything except authenticate and gain the correct
credentials.
Are there any modules that I could use to authenticate against Kerberos
(perhaps there is another module will do just the auth, e.g. for LDAP?).
Cheers.
David wrote:
> I don't need to do anything except authenticate and gain the correct
> cred...
kerberos and LDAP.
hi :), Can someone list me the kerberos servers that
store the principal information in the directory. we
want to integrate the user info in ldap with the
authentication info of kerberos. Is there any kerberos
server and ldap server with this kind of a support?
thanks you in advance.
>>>>> "Medha" == Medha B <ban_medha@yahoo.com> writes:
Medha> hi :), Can someone list me the kerberos servers that store
Medha> the principal information in the directory. we want to
Medha> integrate the user info in ldap with the authentication
Medha> info of kerberos. Is there any kerberos server and ldap
Medha> server with this kind of a support? thanks you in advance.
http://www.bayour.com/LDAPv3-HOWTO.html
Hello medha,
The latest version of HP-UX Kerberos server 3.1 will have the
necessary support to store Kerberos principals in the LDAP directory.
The product will be available soon on http://software.hp.com.
Please let me know if you have any further queries w.r.t ...
is that common to use kerberos authentication for SUN iplanet LDAP server?
Hi guys,
Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos.....
So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest however it seems
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let
me know if there are other easier ways to enable MD5-digest).
So my question is that is it pretty easy to enable Kerberos
for SUN LDAP after installing SEAM? Or can SUN LDAP use other
KDC as well?
Thanks a lot in advance !
P.S, I know LDAPS (LDAP over SSL) can easily achieve my goal
however I kinda think it's an overkill since I don't really
need to protect all the LDAP transactions except for the
password part...
-Kent
Kent Wu wrote:
>
> So my question is that is it pretty easy to enable Kerberos
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other
> KDC a...
Kerberos and LDAP
Hi,
I'm still trying to get this to work.
Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
ip=192.168.212.15)
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
I have followed the following guides:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
Created my own user "ronni" the same way as the user "mirko" is.
From my workstation I can do:
kinit ronni
ldapsearch -x
which both work.
ldapsearch -x gives this output:
# extended LDIF
#
# LDAPv3
# base <dc=one,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# one.com
dn: dc=one,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: one.com
dc: one
# admin, one.com
dn: cn=admin,dc=one,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# People, one.com
dn: ou=People,dc=one,dc=com
ou: People
objectClass: organizationalUnit
# Group, one.com
dn: ou=Group,dc=one,dc=com
ou: Group
objectClass: organizationalUnit
# ronni, group, one.com
dn: cn=ronni,ou=group,dc=one,dc=com
cn: ronni
gidNumber: 20000
objectClass: top
objectClass: posixGroup
# ronni, people, one.com
dn: uid=ronni,ou=people,dc=one,dc=com
uid: ronni
uidNumber: 20000
gidNumber: 20000
cn: Ronni
sn: Ronni
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /...