Re: Is OpenLDAP an Authorization or Authentication system?



joe wrote:
> Standard Windows Active Directory AuthN/AuthZ isn't LDAP. It is Kerberos (and
> NTLM). It uses the LDAP Directory in the backend for its database to store
> credentials and group mapping as well as any other relevant data for the users
> and other objects, as LDAP/DAP Directories were intended to be used.
>
> While the LDAP protocol can be used for authentication, Kerberos is expected
> to be the safer authentication mechanism, as no passwords are transferred in
> the requests as they are with LDAP authentication. When you log on with
> Windows to Active Directory, a Kerberos authentication occurs and the ticket
> is then passed with any/all LDAP requests after that to access data in AD, or
> on other servers.

That's quite a mischaracterization, as "LDAP authentication" isn't just any 
one particular mechanism. E.g., you can authenticate to LDAP using Kerberos 
tickets as well, using SASL/GSSAPI.
And while Kerberos is only an authentication mechanism, it is not the only 
authentication mechanism that exists. E.g., you can achieve analogous 
functionality using X.509 certificates.

> That being said, some applications (generally *NIX apps) will authenticate to
> Active Directory with LDAP. If this is done, the Domain Controllers should
> have PKI certs on them and LDAPS or TLS should be used to secure the LDAP
> traffic; otherwise the passwords are going across the network in clear
> text. Better is to use Kerberos, which is possible via the open source kerb
> packages; there are also several third party vendors now producing
> products to do it properly (and easily), including Dell (via the Vintela/Quest
> product), Centrify, and BeyondTrust.

Again, a clear misunderstanding of the underlying technologies. Kerberos as 
used in LDAP also provides for securing of traffic; you don't need TLS if you 
have GSSAPI. And vice versa, TLS can be used both for the actual 
authentication step (using X.509 certs, as noted above) as well as for 
securing the traffic.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
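
The two protection paths discussed in this reply (a SASL/GSSAPI security layer with no TLS, or TLS used for both traffic protection and X.509 authentication), as an added slapd.conf fragment that is not from this thread or from OpenLDAP's own documentation; the hostname, realm, certificate paths and the ou=people subtree are placeholders:

```conf
# Added example, not from the thread. slapd.conf fragment: the server demands a
# security strength factor (SSF) but does not care whether it comes from the
# SASL/GSSAPI layer or from TLS. Hostname, realm and paths are placeholders.

# --- TLS: secures traffic and, with client certificates, can also carry the
#     authentication step (SASL EXTERNAL). TLSVerifyClient "try" requests a
#     client certificate without rejecting clients that have none.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
TLSVerifyClient       try

# --- Kerberos via SASL/GSSAPI: authentication plus an integrity/confidentiality
#     layer negotiated inside the LDAP session itself, so TLS is not required.
#     sasl-host must match the service principal in the keytab.
sasl-realm   EXAMPLE.COM
sasl-host    ldap.example.com
# Reject SASL binds that would leave the session without a 128-bit layer,
# anonymous SASL, and mechanisms that transmit plaintext credentials.
sasl-secprops minssf=128,noanonymous,noplain

# --- Weak setting (the risk the quoted text warns about): with no minimum SSF,
#     a simple bind over plain ldap:// sends the password in the clear.
# security ssf=0

# --- Corrected: every operation needs 128 bits of protection from either
#     mechanism, updates need the same, and a simple bind below that strength
#     is refused outright rather than leaking the password.
security ssf=128 simple_bind=128 update_ssf=128

# Authentication yields a Kerberos principal; authorization (ACLs) is evaluated
# against a DN, so map the GSSAPI authentication DN onto the user's entry.
# The realm appears here in the lowercased form used in the SASL authentication DN.
authz-regexp
  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
  uid=$1,ou=people,dc=example,dc=com
```

With this in place, a client can satisfy the requirement either way: `ldapsearch -Y GSSAPI -O minssf=128 ...` (Kerberos ticket, no TLS) or `ldapsearch -ZZ -Y EXTERNAL ...` with a client certificate (TLS for both the channel and the identity).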