On Mon, Sep 15, 2008 at 9:43 PM, Howard Chu <hyc@symas.com> wrote:
That's a pretty empty statement. "More secure than LDAP" creates the false implication that there is something inherently insecure about LDAP storage. In fact anything stored in LDAP is as secure as you choose to make it. And of course, there are plenty of sites out there running Kerberos using LDAP as the data store of their KDC.
Using LDAP as the data store for your KDC reduces its security.
To call such a statement empty and FUDly is pretty rude - it's fact.
Utter nonsense. You're spouting FUD, and that's the fact.
LDAP is a directory, it's designed for tracking information about things. It can store secrets, but it isn't designed, like Kerberos, to carefully control access to secrets. If your Kerberos secrets are stored in LDAP, you are losing some of what Kerberos gives you.