Well, LDAP just stores and retrieves data, Kerberos is a secure authentication mechanism (a way of passing credentials securely between machines on an unsecure network). They were designed to solve different problems.

Ian Bruseker wrote:
> On 6/26/07, Gustin Johnson <[EMAIL PROTECTED]> wrote:
>> Actually Active Directory uses Kerberos to do the actual
>> authenticating. LDAP is a part of the picture but it is not itself
>> an authentication mechanism. Complicated stuff, but there is more
>> than one way to do it.
>>
> Complicated indeed. :-) So, a little googling brought up some
> articles talking about how both Kerberos and LDAP can be used for
> authentication. But you don't need both? Microsoft just has both to
> be difficult? I've found info on PAM modules for both. The first

You don't "need" both, but combined they make for a powerful solution. Microsoft made some very valid design choices with AD by using LDAP, DNS and Kerberos in combination. That is the short short version.

> article on setting up Kerberos that I read ragged on LDAP for not
> being as secure, but then if I understand correctly, LDAP can do more
> for you, so, ya, complicated. :-)

This is why Microsoft chose to use both for different tasks. LDAP can be made more secure with SSL/TLS, but Kerberos is a very elegant solution to the security issue while retaining the flexibility of an LDAP directory.

_______________________________________________
clug-talk mailing list
http://clug.ca/mailman/listinfo/clug-talk_clug.ca

