Authentication and authorization are handled through Kerberos between
Windows machines. There are some goofy Linux folks out there using LDAP for
auth though[1].

LDAP is a communication protocol for information lookup and for updating the
directory; it isn't an authentication protocol, but that doesn't stop people
from trying to use it for authentication. Microsoft, being the hugely
insecure organization that they are, chose to use an actual authentication
protocol for their auth/authorization needs.

Authentication is the process of proving, within some shadow of a doubt, that you
are you. In default Windows this is done by knowing something secret that
the domain also knows: your password. You basically prove you are you by
telling the DC who you are and confirming you can decode something encrypted
with your password hash. You never send a password to the DC during the auth
process. LDAP simple auth and various secure LDAP auths, on the other hand, do
send the password or a representation of the password. Authorization is
simply the DC saying: now that I know you are you, here is what I think you
can get access to; that is sent back in a kerb ticket (for *most* domain
groups).


   joe


[1] Just trying to rile you goofy Linux folks. Just bite the bullet and buy
Centrify.  
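The two exchanges Joe contrasts, modelled as an added example that is not part of the thread and not real Kerberos or LDAP code: an LDAP simple bind puts the password itself on the wire, while the Kerberos AS exchange only sends a timestamp encrypted under a key derived from the password, and the KDC answers with a ticket carrying the group list (authorization data) sealed under its own key. The key derivation (PBKDF2), the HMAC-based toy cipher, the message layout and the principal, realm and group names are all simplifications and constructed values, not the real protocol encodings.

```python
"""Toy model of LDAP simple bind vs. Kerberos password-based pre-authentication.
Added illustration only: key derivation, cipher and message layout are simplified
stand-ins for the real Kerberos encryption types and ASN.1 messages."""
import hashlib
import hmac
import os
import struct
import time

BLOCK = 32  # SHA-256 digest length, used by the toy keystream


def derive_key(password, salt):
    # Assumption: PBKDF2 stands in for the Kerberos string-to-key function. The
    # AES etypes also use PBKDF2 (salted with realm + principal); the older RC4
    # etype uses the NT hash of the password instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, 32)


def _keystream(key, nonce, n):
    # HMAC-based counter-mode keystream; a toy stand-in for the real etype cipher.
    out = b""
    for counter in range((n + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, plaintext):
    # nonce || ciphertext || tag: the tag lets the receiver distinguish "wrong key"
    # from garbage, as the integrity checksum in Kerberos encryption types does.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def ldap_simple_bind(dn, password):
    # Toy wire image of an LDAP simple bind: the password itself is the credential,
    # so anyone on the path can read it unless TLS (LDAPS/StartTLS) wraps the session.
    return b"BIND " + dn.encode("utf-8") + b" " + password.encode("utf-8")


def kerberos_as_req(principal, realm, password, now=None):
    # Client side of pre-authentication (PA-ENC-TIMESTAMP, simplified): a timestamp
    # is encrypted under the password-derived key. Only the ciphertext is sent;
    # the password and the key never leave the client.
    key = derive_key(password, realm + principal)
    ts = struct.pack(">Q", int(time.time() if now is None else now))
    return b"AS-REQ " + principal.encode("utf-8") + b" " + encrypt(key, ts)


class ToyKDC:
    """Minimal AS exchange: check the pre-auth timestamp, then return a ticket that
    carries authorization data (group names) plus a session key for the client."""

    def __init__(self, realm, accounts, groups, skew=300):
        self.realm, self.skew, self.groups = realm, skew, groups
        # The KDC stores password-derived keys, never the passwords themselves.
        self.user_keys = {p: derive_key(pw, realm + p) for p, pw in accounts.items()}
        self.krbtgt_key = os.urandom(32)  # constructed: ticket-granting service key

    def handle_as_req(self, msg, now=None):
        tag, principal, blob = msg.split(b" ", 2)
        if tag != b"AS-REQ":
            raise ValueError("not an AS-REQ")
        principal = principal.decode("utf-8")
        key = self.user_keys.get(principal)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            ts = struct.unpack(">Q", decrypt(key, blob))[0]
        except ValueError:
            raise PermissionError("pre-authentication failed")  # wrong password
        current = int(time.time() if now is None else now)
        if abs(current - ts) > self.skew:
            raise PermissionError("clock skew too great")  # replayed/stale timestamp
        session_key = os.urandom(32)
        # The ticket is sealed under the krbtgt key: the client carries it to
        # services but cannot read or alter the group list inside.
        body = (principal + "|" + ",".join(self.groups.get(principal, []))).encode("utf-8")
        return {"ticket": encrypt(self.krbtgt_key, body + b"|" + session_key),
                "enc_part": encrypt(key, session_key)}  # readable only with the user's key


def preauth_accepted(kdc, msg, now=None):
    # True if the KDC accepts the request, False if it rejects the pre-authentication.
    try:
        kdc.handle_as_req(msg, now)
        return True
    except PermissionError:
        return False


def password_visible_on_wire(wire, password):
    # What a passive observer could pull straight out of a capture.
    return password.encode("utf-8") in wire
```

Run as a script nothing is printed; the functions are meant to be called from a REPL or test: `password_visible_on_wire(ldap_simple_bind(dn, pw), pw)` is true, the same check on `kerberos_as_req(...)` is false, and `preauth_accepted` returns False for a wrong password or a timestamp outside the skew window, which is the behaviour the thread describes.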



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, March 23, 2005 10:55 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAPS part 2

I am mainly thinking about communications with Exchange. Other than that, I
am not really sure what applications or other communications are actually
using LDAP. For instance, when someone logs onto a machine, what is
happening? I have thought that everything was taken care of by Kerberos, but
not totally sure that that is all that is happening. I mean, isn't group
membership and junk like that using LDAP? 


Is this the case:

Authorization uses LDAP in plain text
Authentication uses Kerberos

If so, exactly what makes up the authorization component (username, groups)?






-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 23, 2005 9:03 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAPS part 2

Which LDAP traffic are you thinking of? 

Typically LDAP traffic is passed by an application/client for the purpose of
either white pages type lookup or for identification and authentication.
LDAP authentication, by its nature, is insecure.  It passes credentials in
the clear on the wire.

Did you have some other communication in mind?

Al
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, March 22, 2005 11:15 PM
To: [email protected]
Subject: [ActiveDir] LDAPS part 2

I am feeling lost right now. 

 

Without LDAP over SSL enabled, does AD pass LDAP traffic around in plain
text? If so, exactly what information would that be (that is being passed in
clear text)?

 

I have been wondering if I should implement a CA and LDAP over SSL, but I
guess I don't know all the implications. 

 

If anyone knows of a good document, that should suffice.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
