Kerberos vs. LDAP for authentication -- any opinions?

At the risk of starting a religious war....

We currently use Kerberos for authentication for almost everything
on our network.  Some people here are advocating switching to using
LDAP for authentication (we already have a pretty well developed LDAP
infrastructure).  This would of course require everyone to change
their password as well as the trauma of recoding applications that
currently use Kerberos and haven't been converted to using PAM.

Anyone have any pointers to information about the relative merits
of using Kerberos or LDAP for authentication in a large heterogeneous
environment?

Any info is, of course, greatly appreciated.

- C

--
Email:  cyberp70@yahoo.com
cyberp70 (1)
1/28/2004 3:32:46 PM
comp.protocols.kerberos


LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network.  Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to be validated
against the copies stored in LDAP.

To me this approach is unacceptable.


cyberp70@yahoo.com wrote:
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything
> on our network.  Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.
> 
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70@yahoo.com
jaltman2 (417)
1/28/2004 4:19:29 PM
cyberp70 <cyberp70@yahoo.com> writes:

> We currently use Kerberos for authentication for almost everything on
> our network.  Some people here are advocating switching to using LDAP
> for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change their
> password as well as the trauma of recoding applications that currently use
> Kerberos and haven't been converted to using PAM.

LDAP "authentication" is actually nothing more or less than using your
LDAP directory servers as a giant distributed /etc/shadow file.  You can
put the password checking in various places, but in the end you're
basically taking a step backwards towards something more like the
historical Unix authentication mechanism.

This means you lose all of the benefits of Kerberos (reusable credentials,
passwords never crossing the network encrypted or not, ticket forwarding,
etc.) in favor of something that's basically secure NIS.  If secure NIS is
something you're happy with, hey, great, but to me it feels like 1980s
security technology, long-since obsolete.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
rra9 (667)
1/29/2004 3:20:07 AM
On 28 Jan 2004 07:32:46 -0800 cyberp70@yahoo.com wrote:
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?

I think other responses are missing the bigger picture.

You are almost certainly (I'd bet on it) not using Kerberos
authentication as $DEITY intended, ie obtaining a TGT on your local
(trusted) host then using that to get service tickets for
applications.

If you were, replacing it with LDAP would be out of the question, as
you'd lose SSO.

If that's the case, you're better off using LDAP.  You need LDAP
anyway, you said you have an established LDAP infrastructure, and it's
harder to do krb5 authentication correctly than LDAP.  Of course,
there's work involved in setting up LDAP well, but if you are using
LDAP at all, you have to do that anyway.  Better to maintain less
infrastructure.

Ideally, you'd use real Kerberos authentication for your applications
and just use LDAP for authorization.  That's a far superior method;
see the Kerberos FAQ.

And SASL/GSSAPI has no bearing; if you're using GSSAPI you're using krb5
(for authentication).

/fc
fcusack (296)
1/29/2004 5:40:10 AM

cyberp70@yahoo.com wrote:
> 
> At the risk of starting a religious war....
> 
> We currently use Kerberos for authentication for almost everything
> on our network.  Some people here are advocating switching to using
> LDAP for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change
> their password as well as the trauma of recoding applications that
> currently use Kerberos and haven't been converted to using PAM.

What is the real situation?

  Are these people application developers who find it easier to just
  ask for a user and password and then call LDAP?

  Are they looking at the lack of Kerberos in the browser, and so
  find the easiest way is to just prompt for a user and password?

  Are they application developers who want additional authorization data
  which is stored in LDAP and which Kerberos cannot provide?

Many of the Browser issues can be addressed by Kx509 from the
University of Michigan. It can obtain a short term X509 certificate
using Kerberos for authentication. The certificate and key are then
stored so the browser can use it with SSL to any web server. It works
with IE and Netscape on Windows. It runs on UNIX and Mac as well.
  http://www.citi.umich.edu/projects/kerb_pki/
 
Once authenticated, LDAP can still be used for authorization data.



> 
> Anyone have any pointers to information about the relative merits
> of using Kerberos or LDAP for authentication in a large heterogeneous
> environment?
> 
> Any info is, of course, greatly appreciated.
> 
> - C
> 
> --
> Email:  cyberp70@yahoo.com
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
deengert (574)
1/29/2004 3:15:00 PM
Jeffrey Altman <jaltman2@nyc.rr.com> writes:

[...]
> usernames and passwords across the network to a potentially
> compromised machine in order for them to be validated against the
> copies stored in LDAP.
[...]

And what prevents a Kerberos server from being compromised? Any
system can have a root-kit installed on it.

-- 
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
1/29/2004 11:58:08 PM
In article <86y8rqpasv.fsf@number6.magda.ca>,
David Magda  <dmagda+trace040127@ee.ryerson.ca> wrote:

>And what prevents a Kerberos server from being compromised? Any
>system can have a root-kit installed on it.

The fact that nobody has access to it (assuming it was competently
installed).

-GAWollman

-- 
Garrett A. Wollman   | As the Constitution endures, persons in every
wollman@lcs.mit.edu  | generation can invoke its principles in their own
Opinions not those of| search for greater freedom.
MIT, LCS, CRS, or NSA| - A. Kennedy, Lawrence v. Texas, 539 U.S. ___ (2003)
wollman (8)
1/30/2004 2:41:00 AM
David Magda wrote:
>
> And what prevents a Kerberos server from being compromised? Any
> system can have a root-kit installed on it.

Simple.  You don't run any other services on your KDC.
All access is via physical connections.  Small network footprint
results in extremely low chance of hacking.


jaltman2 (417)
1/30/2004 3:56:40 AM
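A check for the advice in this reply, added here as an example and not something any poster wrote: it parses a constructed sample of `ss -lntu` output from a KDC host and flags listeners that widen the KDC's network footprint. The allowed port set (88 kdc, 464 kpasswd, 749 kadmin, the MIT/Heimdal defaults), the admin-only ports and the management addresses are assumptions for the example; adjust them to your site.

```python
# Added example (not from the thread): audit of what a KDC host listens on.
import re

KDC_PORTS = {88, 464, 749}             # kdc, kpasswd, kadmin (MIT/Heimdal defaults)
ADMIN_ONLY_PORTS = {749, 22}           # assumed: must not face the whole network
MGMT_ADDRS = {"10.0.0.5", "127.0.0.1", "::1"}   # assumed management/loopback addresses

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:88         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:88         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:464        0.0.0.0:*
tcp   LISTEN 0      128             [::]:749           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:389        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6010       0.0.0.0:*
"""  # constructed sample of `ss -lntu` output, not captured from a real host

_LOCAL = re.compile(r"^(\[?)(.*?)\]?:(\d+)$")   # "0.0.0.0:88" or "[::]:749"

def parse_ss(text):
    """Yield (proto, address, port) for every socket line after the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        # Recv-Q/Send-Q carry no ':'; the first field after them with one is Local Address:Port.
        local = next(f for f in fields[2:] if ":" in f)
        m = _LOCAL.match(local)
        if m:
            yield fields[0], m.group(2), int(m.group(3))

def audit_kdc(text):
    """Return (severity, message) findings for sockets that do not belong on a KDC."""
    findings = []
    for proto, addr, port in parse_ss(text):
        wide_open = addr in ("0.0.0.0", "::", "*")
        if port not in KDC_PORTS and port not in ADMIN_ONLY_PORTS and addr not in MGMT_ADDRS:
            findings.append(("high", f"non-Kerberos service {proto}/{port} listening on {addr}"))
        elif port in ADMIN_ONLY_PORTS and (wide_open or addr not in MGMT_ADDRS):
            findings.append(("medium",
                             f"admin port {proto}/{port} reachable on {addr}; bind it to a management address"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_kdc(SAMPLE_SS):
        print(f"{severity}: {message}")
```

On the constructed sample this reports the directory listener on 389 as high and kadmin on `[::]` plus sshd on `0.0.0.0` as medium; the KDC ports themselves and a loopback-only socket are left alone.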
>>>>> "David" == David Magda <dmagda+trace040127@ee.ryerson.ca> writes:


    David> And what prevents a Kerberos server from being compromised?
    David> Any system can have a root-kit installed on it.

The issue is that in the Kerberos model, compromising a mail server or
web server etc doesn't get you much, but in the LDAP model it gets you
passwords.  The Kerberos server itself is still an interesting target
in many Kerberos deployments.

hartmans (370)
1/30/2004 11:08:38 PM
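An added example, not code from any poster, that makes the point of this reply (and of Jeffrey Altman's and Russ Allbery's replies above) concrete: a stdlib-only toy of the two flows, run side by side. The realm, user, service names and password are made up; `seal`/`unseal` is an HMAC-SHA256 counter-mode construction standing in for Kerberos encryption types; there is no pre-authentication and no replay cache. It is the shape of the protocol (AS exchange gives a TGT, TGS exchange gives a service ticket, AP exchange at the service), not an implementation of it.

```python
# Added example, not from the thread: what a compromised service learns in each model.
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object (HMAC counter mode + HMAC tag)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(realm, user, password):
    # Client and KDC derive the same long-term key (cf. Kerberos string-to-key);
    # the password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 20_000)

class KDC:
    """Holds every long-term key; the only place user keys exist outside the client."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}
    def add_user(self, user, password):
        self.keys[user] = user_key(self.realm, user, password)
    def add_service(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]                        # the service's keytab
    def as_req(self, user):
        # No pre-authentication in this toy; a real KDC demands it so the AS-REP
        # is not an offline password-guessing oracle.
        if user not in self.keys:
            raise ValueError("unknown principal")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": user, "key": sk, "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"key": sk})
    def tgs_req(self, tgt, authenticator, service):
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or t["exp"] < time.time():
            raise ValueError("bad TGT or authenticator")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk, "exp": time.time() + 600})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": ssk, "service": service})

def kinit(kdc, user, password):
    """Client side of the AS exchange: the password is used locally and then dropped."""
    tgt, enc = kdc.as_req(user)
    sk = unseal(user_key(kdc.realm, user, password), enc)["key"]   # wrong password -> ValueError
    return {"user": user, "tgt": tgt, "key": sk}                     # the credential cache

def ap_req(kdc, creds, service):
    """TGS exchange, then the ticket + authenticator the client sends to one service."""
    sk = bytes.fromhex(creds["key"])
    ticket, enc = kdc.tgs_req(creds["tgt"], seal(sk, {"client": creds["user"], "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, enc)["key"])
    return ticket, seal(ssk, {"client": creds["user"], "ts": time.time()})

def kerberized_service(keytab, ticket, authenticator):
    """AP exchange at the service: it learns the client name and one session key bound
    to itself, never the password. (A real service also keeps a replay cache.)"""
    t = unseal(keytab, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["exp"] < time.time():
        raise ValueError("ticket/authenticator mismatch")
    return t["client"]

def password_bind_service(directory, user, password):
    """LDAP simple-bind style: the application receives the cleartext password in order
    to forward it, so every such server is a place the password can be stolen."""
    stored = directory.get(user)
    return user if stored and hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest()) else None

def compare_compromise():
    """What an attacker who owns the mail server can do with what it saw, in each model."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_user("alice", "correct horse")
    mail_key, file_key = kdc.add_service("imap/mail"), kdc.add_service("nfs/files")
    ticket, auth = ap_req(kdc, kinit(kdc, "alice", "correct horse"), "imap/mail")
    assert kerberized_service(mail_key, ticket, auth) == "alice"
    try:                                   # replay the captured material at another service
        kerberized_service(file_key, ticket, auth)
        ticket_reusable = True
    except ValueError:
        ticket_reusable = False
    directory = {"alice": hashlib.sha256(b"correct horse").digest()}   # constructed directory
    captured = "correct horse"             # what the mail server saw in the password model
    password_reusable = password_bind_service(directory, "alice", captured) == "alice"
    return {"kerberos_ticket_reusable_elsewhere": ticket_reusable,
            "captured_password_reusable_elsewhere": password_reusable}
```

`compare_compromise()` returns `False` for the ticket and `True` for the password: the material a compromised mail server captures in the Kerberos flow opens nothing at the file server, because the ticket is sealed under a key that server does not have, while the cleartext password the password-bind server forwarded to the directory is good everywhere. The KDC itself, which holds every key, remains the high-value target this reply mentions.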
It is much easier to protect one (or a few) Kerberos servers than it is
to protect all servers.

In our situation we have security people running the Kerberos server
and we are paranoid about how it is maintained. Generic servers on the
other hand can be (and are) run by all sorts of people, many of whom have
little security clue.

			-Jeff

On Thu, Jan 29, 2004 at 06:58:08PM -0500, David Magda wrote:
> Jeffrey Altman <jaltman2@nyc.rr.com> writes:
> 
> [...]
> > usernames and passwords across the network to a potentially
> > compromised machine in order for them to be validated against the
> > copies stored in LDAP.
> [...]
> 
> And what prevents a Kerberos server from being compromised? Any
> system can have a root-kit installed on it.
> 
> -- 
> David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
> Because the innovator has for enemies all those who have done well under
> the old conditions, and lukewarm defenders in those who may do well 
> under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
jis (2)
1/30/2004 11:22:46 PM
Frank Cusack wrote:

> Ideally, you'd use real Kerberos authentication for your applications
> and just use LDAP for authorization.  That's a far superior method;
> see the Kerberos FAQ.

That's what I ended up with! I'm currently implementing that at work.
Authentication via Kerberos and authorization via LDAP. Glued together
with a half done PAM-Module (still in development and heavily depending
on heimdal utilities reverse engineering).

> And SASL/GSSAPI has no bearing; if you're using GSSAPI you're using krb5
> (for authentication).

> /fc
poedi1 (4)
2/12/2004 8:10:44 PM
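An added example of the split recommended by Frank Cusack, Douglas Engert and this reply, not code from any of them: the principal name is taken as already established by Kerberos (in practice it comes out of GSSAPI or pam_krb5), and the directory only answers who that principal is and which groups it belongs to. The in-memory entries, realm and group names are constructed; `krbPrincipalName` is the attribute MIT's LDAP schema uses for this (Heimdal's is `krb5PrincipalName`) and is assumed to be populated. Two details matter for security: the entry is matched on the full principal including realm, never on the bare user part, and the value is RFC 4515-escaped before it goes into a filter.

```python
# Added example, not from the thread: Kerberos principal in, LDAP authorization out.
import re

REALM = "EXAMPLE.COM"                 # assumed: the only realm our KDC authenticated against
BASE = "dc=example,dc=com"

# Constructed directory contents (dn -> attributes), as ldapsearch would return them.
DIRECTORY = {
    f"uid=alice,ou=People,{BASE}": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "krbPrincipalName": ["alice@EXAMPLE.COM"]},
    f"uid=alice,ou=Contractors,{BASE}": {   # same uid, foreign realm: a different person
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "krbPrincipalName": ["alice@PARTNER.COM"]},
    f"cn=admins,ou=Group,{BASE}": {
        "objectClass": ["groupOfNames"], "member": [f"uid=alice,ou=People,{BASE}"]},
    f"cn=mail,ou=Group,{BASE}": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
}

# name[/instance]@REALM; realms are upper-case by convention (assumed here)
_PRINCIPAL = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@([A-Z0-9.-]+)$")

def escape_filter_value(value):
    """RFC 4515 escaping for any value interpolated into an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def principal_filter(principal):
    """The search filter to send for an authenticated principal, or None when the
    name is malformed or from a realm we did not authenticate against."""
    m = _PRINCIPAL.match(principal)
    if not m or m.group(1) != REALM:
        return None
    return f"(&(objectClass=posixAccount)(krbPrincipalName={escape_filter_value(principal)}))"

def lookup(principal, directory=DIRECTORY):
    """Resolve a principal to exactly one entry by krbPrincipalName, never by the bare
    user part, so alice@PARTNER.COM can never become local alice. (The in-memory
    matcher stands in for running principal_filter() against the real directory.)"""
    if principal_filter(principal) is None:
        return None
    hits = [(dn, e) for dn, e in directory.items()
            if "posixAccount" in e["objectClass"] and principal in e.get("krbPrincipalName", [])]
    return hits[0] if len(hits) == 1 else None    # ambiguity is a denial, not a guess

def member_of(principal, group_dn, directory=DIRECTORY):
    """Authorization from directory data only, for an already-authenticated principal."""
    hit, group = lookup(principal, directory), directory.get(group_dn)
    if hit is None or group is None:
        return False
    dn, entry = hit
    return dn in group.get("member", []) or entry["uid"][0] in group.get("memberUid", [])

if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice@PARTNER.COM", "alice/admin@EXAMPLE.COM"):
        print(p, "admins:", member_of(p, f"cn=admins,ou=Group,{BASE}"),
              "mail:", member_of(p, f"cn=mail,ou=Group,{BASE}"))
```

With this, `alice@EXAMPLE.COM` is in both groups, `alice@PARTNER.COM` is in neither even though an entry with `uid=alice` exists for it, and `alice/admin@EXAMPLE.COM` is a separate principal with no entry and therefore no access. The password never appears anywhere in this code path, which is the whole point of the split.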
Similar Articles:

RE: Kerberos vs. LDAP for authentication -- any opinions?
Normally, a client user is not allowed to modify the password, but the LDAP server login admin user will be able to do it. Actually, the LDAP server is an authentication service provider.

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Harry Le
Sent: Wednesday, January 28, 2004 2:30 PM
To: kerberos@mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?

Not entirely true. Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos V5 credentials to authenticate users against LDAP directories. This will not require users to change passwords. For data privacy, use SSL.

Joseph

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

LDAP is not an authentication infrastructure. All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network. Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to be validated against the copies stored in LDAP. To me this approach is unacceptable.

cyberp70@yahoo.com wrote:
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything on
> our network. Some ...

RE: Kerberos vs. LDAP for authentication -- any opinions? #3
Peter,

Thank you for the explanation. I was trying to keep my answer relatively simple to avoid any unnecessary technical detail and hence overcomplicate the answer to the original question asked. Anyway, Kerberos is useful for more than just SSO (or SSSO) when comparing with LDAP; this is why I provided a long list of differences in my email. In fact LDAP and Kerberos are complementary and not competitive technologies.

Thanks, Tim.

-----Original Message-----
From: Peter Gietz [mailto:peter.gietz@daasi.de]
Sent: 29 January 2004 16:58
To: Tim Alsop
Cc: Harry Le; kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

Tim,

Your view on LDAP may be a little too simplified. There is a whole variety of authentication mechanisms that you can use within LDAP, userdn/cleartext password (=simple bind) being only the most useless and unrecommended by the standards. The minimal recommendation is to use that simple bind within a TLS encrypted session, but there are other mechanisms in LDAP implementations which all use the SASL framework. The IMHO most important SASL mechanisms are:

- DIGEST-MD5, a challenge-response mechanism, where the actual password will not be sent through the net. This is also mandatory to implement in standard-conforming LDAP.
- GSSAPI using the Kerberos 5 mechanism, which was already mentioned in this thread, and is implemented in at least some LDAP implementations, like OpenLDAP.

Any other SASL mechanisms could also be used,...

RE: Kerberos vs. LDAP for authentication -- any opinions? #2
Harry, others,

The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner; this is one of the many requirements for application security for which Kerberos is ideally suited. I think we need to compare the LDAP directory and Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.

I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?

LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.

Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built in prevention from network replay attacks and protect against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- A protocol that allows support for userid/password, token card, smart card au...

Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to use a windows 2003 server as our Kerberos server, along with our openldap on solaris as our directory server. The machines we want to authenticate on are all Solaris 9. The ldap tree is fully populated, and working properly. With our current nsswitch.conf, logins work using the ldap directory (with posixAccount & shadowAccount records), as does a getent passwd <ldapusername>. Also, we have our Windows 2003 server's directory setup with named users, and with our current pam.conf, we can authenticate aga...

kerberos vs ldap
Can anyone explain to me whats the relation between LDAP vs Kerberos -- View this message in context: http://www.nabble.com/kerberos-vs-ldap-tp16254166p16254166.html Sent from the Kerberos - General mailing list archive at Nabble.com. ...

Microsoft SSPI error
Hello, I have configuration of active directory 2003 r2 sp3 working with linux mod_auth_kerb. I use SPNEGO for subversion. When using Linux all work great! When using Windows XP(and Windows 7) Firefox/IE/cifs client work great. Problem is subversion which uses neon, it get the following: --- Running post_send hooks ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2 auth: SSPI challenge. InitializeSecurityContext [fail] [80090304]. sspi: initializeSecurityContext [failed] [80090304]. --- At windows event log I see the following: --- Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40962 Date: 10/3/2011 Time: 3:55:38 PM User: N/A Computer: VALON Description: The Security System was unable to authenticate to the server HTTP/correlux-gentoo.correlsense.com because the server has completed the authentication, but the client authentication protocol Kerberos has not. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. --- Had anyone seen this before? I tried many configurations, but without success: --- Gentoo --- dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f www-servers/apache-2.2.21 www-apache/mod_auth_kerb-5.4 -> also downgraded to m...

Authentication with Kerberos & LDAP
Hello, I'm looking for material written about authenticating users in an LDAP directory with Kerberos. I would for example want to log into serveral servers via say SSH with an account present in an LDAP directory, and have this be authenticated with Kerberos. I've seen some half finished documents about this, mostly in linux environments, but nothings really good. Much appreciated if someone could point me in a direction. /Paul ...

replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all Since we are migrating from Debian to RedHat, we are considering replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT Kerberos server (again with LDAP back-end) since RedHat packages are only available for MIT Kerberos. In order to make this migration/upgrade as transparent as possible for our users, we want to convert all the necessary info in the Heimdal back-end to the MIT back-end. Are there any pointers available for this kind of operation? E.g. things like conversion tables mapping the corresponding Kerberos-specific LDAP attributes? Or even scripts? I'm especially looking at the Kerberos key attributes, i.e. - Heimdal: krb5Key - MIT: krbPrincipalKey Is it possible to convert the former into the latter? Is there any code available for this operation? If not, we would have to require all our users to change their passwords at the same time, which is not very feasible. Thanks in advance Bart ...

How to make LDAP data needed for Kerberos authentication
Hi, When I use the style of combination with Kerberos and OpenLDAP, I try to write java-codes with Novell LDAP Classes for Java to entry LDAP data needed for Kerberos authentication. Please tell me how to make LDAP data needed for Kerberos authentication or pointer (URL, Document, etc) to information for this purpose. Regards, --Shigeru -- Shigeru Ishida <ishida_shigeru@webgen.co.jp> INTEC Web and Genome Informatics Corporation. ISL BLDG 2F, 3-23 Shimoshin Town, Toyama City, Toyama., Japan, 930-0804 Web Site: www.webgen.co.jp ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos A list of useful links is here; http://swik.net/kerberos+LDAP+Java Shigeru Ishida wrote: > Hi, > > When I use the style of combination with Kerberos and OpenLDAP, > I try to write java-codes with Novell LDAP Classes for Java to > entry LDAP data needed for Kerberos authentication. > > Please tell me how to make LDAP data needed for Kerberos > authentication or pointer (URL, Document, etc) to information > for this purpose. > > Regards, > > --Shigeru > > -- > Shigeru Ishida <ishida_shigeru@webgen.co.jp> > INTEC Web and Genome Informatics Corporation. > ISL BLDG 2F, 3-23 Shimoshin Town, > Toyama City, Toyama., Japan, 930-0804 > Web Site: www.webgen.co.jp > > ________________________________________________ > Kerberos mail...

Authenticate user with Kerberos & LDAP-backend
Hi All There is a Ldap server which store many user serving the authentication in my company. Now, I set up a Kerberos server to implement single-sign-on mechanism, after that I see some idea about Kerberos and LDAP backend. It is great, I deploy it successfully on test server. But now, there is a thing I confuse: After using the LDAP-backend, can I use Kerberos to authenticate some services (SSH for example), LDAP to authenticate others services (FTP, HTTP, ... for example), and all attributes of user (cn,userPassword,... for example) to other usage, but user can change password by kpasswd tool ? Have anyone experienced this situation ? Please give me some idea and how to implement it. Thank you, Hung Ta ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Having been down this road, I can tell the you with complete confidence that... it depends. If the LDAP server is Active Directory, you can use LDAP or AD for authentication, and they'll both work with the same password. If you're using OpenLDAP and MIT Kerberos, it's a bit more of a problem, since you essentially end up with two sets of passwords, which is not pretty. If you're using PAM for everything, it's easier to get everything to use that instead. That way, you get SSO where applications support it, and where the don't, they still use the Kerberos back end via PAM. I did this for email, whe...

Open LDAP VS Kerberos : help needed
Hi, I now know that we can make kerberos use openldap as its data store backend, but only with heimdal as our kdc, not mit kerberos. I have read somewhere that with openldap you can add krb5Principal object class and krb5principalName attribute to your users to allow them to use credentials they get from kerberos to bind to the tree and change stuff. In such a case would the kerberos db and the open ldap db be seperate? Can we have a setup like this in which both the kerberos db and openldap db are diffrent but we bind to the openldap tree using kerberos credential? Any help to clarify my concepts in this regard would be appreciated. Anshuman Hazarika Mobile 9821434383 Vipassana can change u'r life. Do give it a try. www.dhamma.org � __________________________________________________________ Sent from Yahoo! Mail. A Smarter Email http://uk.docs.yahoo.com/nowyoucan.html ...

Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type
Colleagues, What could be the reason that I cannot telnet from FreeBSD to Solaris 10 with the following error: Connected to oracle.sibptus.tomsk.ru. Escape character is '^]'. [ Trying mutual KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] [ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ] [ Trying KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] [ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ] Password: Kerberized telnet and ssh work fine between FreeBSD systems, but Solaris is a problem. The kdc is Heimdal running on FreeBSD. The keytab for the host principal was exported on FreeBSD and then transferred to Solaris and imported there. Thank you in advance for any input. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ I believe that solaris (as as solaris 9) only supports des-cbc-crc encrypion. Hope that helps, Steven --- Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> wrote: > Colleagues, > > What could be the reason that I cannot telnet from > FreeBSD to Solaris 10 > with the following error: > > Connected to oracle.sibptus.tomsk.ru. > Escape character is '^]'. > [ Trying mutual KERBEROS5 > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] > [ Kerberos V5 refuses authentication because > Kerberos checksum verification failed: Ba...

LDAP bind() versus Kerberos authentication (performance perspective)
Anyone have any information about the relative merits ( w.r.t performance ) of using Kerberos authentication instead of LDAP bind() for authentication in a large environment ? (around 30 authns per second) thanks, Nagendra ...

Storing MIT-Kerberos authentication data in an LDAP backend
Klaus Kiwi has written about storing MIT-Kerberos authenticaion data in an LDAP backend (one LDAP implementation is IBM Tivoli Directory Server). The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is a relatively new feature, introduced in MIT-Kerberos 1.6, available in RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server 11. You can read about it at: http://www.ratliff.net/blog/2009/04/29/kerberos_and_itds On 2009-05-04, bjacobson@us.ibm.com <mr.zeus1@gmail.com> wrote: > The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is > a relatively new feature, introduced in MIT-Kerberos 1.6, available in > RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server > 11. It's not really available in RHEL5.2 (or 5.3-latest either).. The v1.6 MIT-Kerberos is there, but the ldap plugin isn't provided, so one will have to rebuild the packages to get it (and probably every time Red Hat decides to upgrade the krb5 packages). But, Klaus's BluePrint looks great! I hope to use it to set up the same against Red Hat's own directory server instead of ITDS. -jf ...

Storing MIT-Kerberos authentication data in an LDAP backend
Klaus Kiwi has written about storing MIT-Kerberos authenticaion data in an LDAP backend (one LDAP implementation is IBM Tivoli Directory Server). The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is a relatively new feature, introduced in MIT-Kerberos 1.6, available in RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server 11. You can read about it at: http://www.ratliff.net/blog/2009/04/29/kerberos_and_itds ...

Storing MIT-Kerberos authentication data in an LDAP backend
Klaus Kiwi has written about storing MIT-Kerberos authenticaion data in an LDAP backend (one LDAP implementation is IBM Tivoli Directory Server). The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is a relatively new feature, introduced in MIT-Kerberos 1.6, available in RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server 11. You can read about it at: http://www.ratliff.net/blog/2009/04/29/kerberos_and_itds ...

KERBEROS with LDAP
Hi all, I'm experiencing some problem between authentication and authorization through Kerberos and LDAP. This is my situation: I can authenticate on LDAP through the option -Y GSSAPI after having obtained a valid TGT from the KDC. I have some questions: Is it possible to authenticate via Kerberos on LDAP without obtaining prior a ticket (i.e. when i have to authenticate to the LDAP i want that username/password was asked and then these username/password allow to obtain the ticket from Kerberos). I'm asking this because i want that this new mechanism be invisible from a user point of view. Are there some solution to this problem or I need to implement by myself a customized client that communicate with kerberos and then with the ticket to LDAP^??? Another question is about how to map authentication to authorization in LDAP. The example found was very simple with a flat LDAP, I'm in an hard situation, with an extremely non-regular LDAP tree, how to find the correct mapping to the correct identity??? Thanks in advance, Andrea ...

Kerberos + LDAP How-To
Thanks much to all of you for your responses. Much of what I wanted to do is actually answered more in depth on-line.... took me a long time to find good documentation on it. http://ofb.net/~jheiss/krbldap/howto.html Seems to be the best docs i've seen to date on the kerberos ldap link up. Just thought I'd share that. -Matt Joyce. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "Matt" == Matt Joyce <syslists@vtsystems.com> writes: Matt> Thanks much to all of you for your responses. Much of what Matt> I wanted to do is actually answered more in depth Matt> on-line.... took me a long time to find good documentation Matt> on it. Matt> http://ofb.net/~jheiss/krbldap/howto.html Matt> Seems to be the best docs i've seen to date on the kerberos Matt> ldap link up. Just thought I'd share that. And I naturaly would like to take the chanse of promoting http://www.bayour.com/LDAPv3-HOWTO.html ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Matt, why do you use SSL and put extra load on the client/server if you already use Kerberos ? SASL/GSSAPI does authentication AND encryption !! Cyrus-sasl may show only a SSF of 56, but this is only because is hardcoded in cyrus, ...

PIX 7.2 VPN with kerberos / ldap authentication and authorization
anyone ever did this configuration with a ver 7.2 ?; i can make it work :? what i am trying to do is: vpn users from windows xp; connecting to pix through L2TP and authenticating to the active directory servers in the inside interface. On Wed, 23 Aug 2006 05:09:32 -0700, XaBi wrote: > anyone ever did this configuration with a ver 7.2 ?; i can make it work > :? > > what i am trying to do is: > > vpn users from windows xp; connecting to pix through L2TP and > authenticating to the active directory servers in the inside interface. First, look here - http://www.cisc...

Firefox vs IE Cross Realm Kerberos SSO Authentication
Hello List, I have found an inconsistency between IE and Firefox with respect to Keberos cross realm authentication. I have two Windows domains W.NET and B.W.NET. If I setup SSO on a Linux web server lws.b.w.net and create the HTTP service account in the B.W.NET realm all works fine with both FF and IE. However, if I create the HTTP service in the parent domain W.NET, IE can sucessfully perform SSO whereas FF cannot. >From looking at a capture of the failure I see the following: C: KRB5 TGS-REQ for HTTP/lws.b.w.net S: KRB5 TGS-REP with krbtgt/W.NET C: DNS SRV query for _kerberos-master._udp.B.W.NET S: DNS No such name Can anyone explain this behavior and tell me if it is consistent with what is supposed to happen? Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Authenticating to Kerberos
Hi, I've had a quick look but cannot find a module that will let me authenticate against Kerberos. There appears to be a krb5 module that hasn't been updated for a long time and I can't find much on it except the pages at starship.python.net. I don't need to do anything except authenticate and gain the correct credentials. Are there any modules that I could use to authenticate against Kerberos (perhaps there is another module will do just the auth, e.g. for LDAP?). Cheers. David wrote: > I don't need to do anything except authenticate and gain the correct > cred...

kerberos and LDAP.
hi :), Can someone list me the kerberos servers that store the principal information in the directory. we want to integrate the user info in ldap with the authentication info of kerberos. Is there any kerberos server and ldap server with this kind of a support? thanks you in advance. __________________________________ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "Medha" == Medha B <ban_medha@yahoo.com> writes: Medha> hi :), Can someone list me the kerberos servers that store Medha> the principal information in the directory. we want to Medha> integrate the user info in ldap with the authentication Medha> info of kerberos. Is there any kerberos server and ldap Medha> server with this kind of a support? thanks you in advance. http://www.bayour.com/LDAPv3-HOWTO.html ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Hello medha, The latest verision on HP-UX Kerberos server 3.1, will have the necessary support to store Kerberos principals in the LDAP directory. The product will be available soon on http://software.hp.com. Please let me know if you have any further queries w.r.t ...

Is it common to use Kerberos authentication for the SUN iPlanet LDAP server?
Hi guys, Does anyone have experience on this to share? I've set up a SUN LDAP server and it's running fine by using simple authentication so far. Of course I want to make it more secure (to protect the password while binding to the LDAP server), so I'm thinking either MD5-Digest or Kerberos. However, it looks like SUN LDAP itself doesn't have Kerberos abilities and I have to install SEAM (Sun Enterprise Authentication Mechanism) separately to enable Kerberos. So I was thinking that if I can easily configure SUN LDAP to use MD5-digest then that should be the easiest; however, it seems that I have to store the password as plain text in the LDAP server to enable MD5-digest and I don't want to do that (let me know if there are other easier ways to enable MD5-digest). So my question is: is it pretty easy to enable Kerberos for SUN LDAP after installing SEAM? Or can SUN LDAP use another KDC as well? Thanks a lot in advance!
P.S. I know LDAPS (LDAP over SSL) can easily achieve my goal, however I kinda think it's overkill since I don't really need to protect all the LDAP transactions except for the password part...
-Kent

Kent Wu wrote:
> So my question is that is it pretty easy to enable Kerberos
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other
> KDC a...

Kerberos and LDAP
Hi, I'm still trying to get this to work.
Server: Debian Etch (3 hostnames = lookout, ldap and kerberos, ip=192.168.212.15)
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
I have followed the following guides:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
Created my own user "ronni" the same way as the user "mirko" is.
From my workstation I can do:
kinit ronni
ldapsearch -x
which both work. ldapsearch -x gives this output:
# extended LDIF
#
# LDAPv3
# base <dc=one,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# one.com
dn: dc=one,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: one.com
dc: one

# admin, one.com
dn: cn=admin,dc=one,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, one.com
dn: ou=People,dc=one,dc=com
ou: People
objectClass: organizationalUnit

# Group, one.com
dn: ou=Group,dc=one,dc=com
ou: Group
objectClass: organizationalUnit

# ronni, group, one.com
dn: cn=ronni,ou=group,dc=one,dc=com
cn: ronni
gidNumber: 20000
objectClass: top
objectClass: posixGroup

# ronni, people, one.com
dn: uid=ronni,ou=people,dc=one,dc=com
uid: ronni
uidNumber: 20000
gidNumber: 20000
cn: Ronni
sn: Ronni
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /...
