[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
KerberLDAP (Re: openbsd yp security)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: KerberLDAP (Re: openbsd yp security)
- From: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>
- Date: Fri, 31 Jan 2003 02:07:35 -0500
- Mail-followup-to: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>, misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: misc_(_at_)_openbsd_(_dot_)_org
Quoting dreamwvr_(_at_)_dreamwvr_(_dot_)_com (dreamwvr_(_at_)_dreamwvr_(_dot_)_com):
> Great thread! Speaking of alternately. Anyone doing kerberos
> with LDAP? Just curious and inquiring mind and all that.
I've actually muttered "Kerberos" to Kurt Zeilenga to be
a pest and he jumped in agreement. LDAP is a DIRECTORY
protocol, not an authentication protocol.
The way we authenticate is to take the username/password
and bind to the LDAP server with those. If it works
the username/password pair worked.
So this means that you want to bind to the LDAP server
over a secure connection. I've used pocket networks and
clear text [pocket network: a very private network on another
interface - often a slave LDAP server that's dedicated to that
chunk of infrastructure (email for me)].
Given that my boxes often had a long term relationship with
the LDAP server(s), IPSEC can make sense. The sort of worse
case is the most common case of LDAP/SSL. Very expensive and
LDAP servers don't benefit too much from rainbow cards for
these very short lived connections. Cleartext is not an
acceptable option ever. YP is even better than that <shudder>.
Back to point: Kerberos is hard for many sites. Its setup is
documented pretty poorly and there aren't really good GUI
tools for the average system admin in 2003. K developers I
knew have offered that basically once you set it up, you don't
really want to go back and make tools to make that setup better
because your done. This, I think, has been the biggest reason
that 14 years after Kerberos came about it's still not in
Kerberos requires machines be in a known/trusted realm.
Not too successful when you're at an Internet Kiosk in
Kerberos also doesn't quite work right for several apps I've
dealt with. What jumps to mind first is Web Mail. PROPERLY,
you'd have your Kerberos ticket, your browser would pass the
that to the web server and you'd be logged in through that.
(this also requires that you be on a "known" computer and part
of the server's realm). Realistically, people type their
username/password over the net (with SSL we hope). The
application passes that information to the IMAP server. The
IMAP server that supports Kerberos usually takes username/password
and try to get a kerberos ticket - if it works, then it lets
you get mail. This is not the kerberos model.
So you might as well use LDAP for authentication. You're not
really giving anything up.