28

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?

And

Can we switch between them transparently?

Ijaz Ahmad
  • In what context are you looking to use Kerberos/LDAP auth? Is it for a web app, client app, etc.? – user2320464 Jan 02 '16 at 21:51
  • Authenticating client computers over a domain, for different services and resources access – Ijaz Ahmad Jan 02 '16 at 22:04
  • Kerberos is more secure because it prevents [lateral escalation](http://security.stackexchange.com/questions/130562/why-do-i-need-kerberos-when-i-could-just-use-a-username-and-password-to-access-s/130662#130662) – paj28 Jul 28 '16 at 05:30

2 Answers

30

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?

LDAP authentication is centralized authentication, meaning you have to login with every service, but if you change your password it changes everywhere.

Kerberos is single sign-on (SSO), meaning you login once and get a token and don't need to login to other services.

There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.

There's no right answer. If you need SSO use Kerberos. Else LDAP. You could also consider YP/NIS (over IPSEC) for centralized authn.

The fact that the OpenBSD security hawks dropped Kerberos but make their own LDAP server might tell you something...

Can we switch between them transparently?

No, you cannot. Well, maybe you can with PAM. But your users will notice.

Neil McGuigan
  • I know that these are two protocols for interacting with some directory services such as MS AD. But which one is more secure and complete is the question. – Ijaz Ahmad Jan 02 '16 at 18:32
  • LDAP is simpler so probably more secure technologically, but Kerberos is more convenient so probably more secure behaviorally. There's no right answer. If you need SSO use Kerberos. Else LDAP – Neil McGuigan Jan 02 '16 at 18:39
  • "The fact that the OpenBSD security hawks dropped Kerberos" Can you elaborate on that and cite it? – Antony Stubbs Aug 04 '17 at 14:30
  • @AntonyStubbs Heimdal Kerberos is still available for OpenBSD, but they removed it from base. It's now a package. Theo de Raadt said Kerberos (+OpenSSL) was "like two dung-beetles #$%^&*(" – Neil McGuigan Aug 04 '17 at 17:48
22

Where possible use Kerberos authentication above all else. It was built for providing authentication/authorization and is the most secure option. The whole premise is to exchange credentials in an environment that isn't trusted.

LDAP can be easily misconfigured to send credentials in clear text over the network. An easy way to prevent this is to always use LDAPS (TCP 636), as it encapsulates all traffic in SSL. LDAP is often used for ad hoc authentication/authorization, especially by web applications using forms authentication.

user2320464
  • Kerberos was not designed to provide authorization. It is an authentication system. Hence, it should be used as an authentication system alone. – e.doroskevic Mar 24 '20 at 19:09
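As an added example (not part of either answer, and not code from any of the posters), the following Python builds an LDAPv3 simple BindRequest byte-for-byte as RFC 4511 defines it, which is what an application sends on TCP 389 each time it authenticates a user over plain ldap://, and then parses the DN and password straight back out of those bytes. That is what "credentials in clear text" means in practice, and it is also why the first answer's "you have to login with every service" matters for LDAP authn: every bind repeats the password on the wire. The bind DN and password are constructed sample values; the BER tag constants follow RFC 4511, and the helper names are my own. Over LDAPS (or after StartTLS) the identical PDU sits inside a TLS record, so a passive observer running this parser recovers nothing.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER encoded).

Added example: shows what a passive observer on TCP 389 sees when a client
binds with a password over plain ldap:// instead of ldaps:// / StartTLS.
"""
from dataclasses import dataclass

# BER tags used by an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)
TAG_SEQUENCE = 0x30       # LDAPMessage and BindRequest bodies are SEQUENCEs
TAG_INTEGER = 0x02        # messageID and version
TAG_OCTET_STRING = 0x04   # LDAPDN (the bind name)
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple: [0] primitive


def _ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; pads so the sign bit stays clear."""
    return _tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _tlv(
        TAG_BIND_REQUEST,
        _ber_int(3)
        + _tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
        + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")),
    )
    return _tlv(TAG_SEQUENCE, _ber_int(message_id) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SimpleBind:
    message_id: int
    version: int
    bind_dn: str
    password: str


def decode_simple_bind(pdu: bytes) -> SimpleBind:
    """Recover DN and password from a captured plaintext simple BindRequest."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(body, 0)
    _, dn, pos = _read_tlv(body, pos)
    auth_tag, auth, _ = _read_tlv(body, pos)
    if auth_tag != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL or other mechanism)")
    return SimpleBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                      dn.decode("utf-8"), auth.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    pdu = encode_simple_bind(1, "CN=svc-web,OU=Service Accounts,DC=example,DC=com",
                             "constructed-password-1")
    print("on the wire:", pdu.hex())
    print("observer recovers:", decode_simple_bind(pdu))
```

The same request over ldaps://host:636 produces no change to the application's code path; only the transport differs, which is why the second answer's advice is a configuration fix rather than a code fix. A SASL bind (tag 0xA3 instead of 0x80) would make the decoder raise, which is also what you want a cleartext-bind detector to do: flag only simple binds on port 389 that were not preceded by a StartTLS extended operation.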