[Moritz Molle]
> I see the problem just in having redundant data in many databases
> scattered around the system. I don't really get why this is better
> than not using Kerberos at all and authenticating like in
> skole5/lenny against the LDAP.

Kerberos provides two major advantages. The most important one is single sign-on, which means you can log in once and use the credentials you get during login to log into web services or other services around the net without having to provide username and password again.

The second most important one is how the password checking is done. With simple LDAP bind, the password is sent over to the server for checking. If we did not enforce the use of encrypted LDAP connections, the password could be sent in clear text. With Kerberos the password is never sent to the server (the password is used to encrypt the current time - if the server also knows the password, it can confirm that the correct password is used), thus making it safe to try to log into any server - also those that are not to be trusted.

So we are definitely moving to Kerberos, it just takes some time before we can reap all the advantages. There is a reason why Windows uses Kerberos all over the place too. :) It is a very good method to check passwords. :)

--
Kind regards,
Petter Reinholdtsen
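
The timestamp check described in the reply above, as an added example that is not part of the original e-mail and not code from any Kerberos implementation: the client proves it knows the password by encrypting the current time under a password-derived key, and the server checks it with its own copy of that key. PBKDF2, the HMAC-based toy cipher, the 300-second skew window, the replay cache and all names and sample values are assumptions standing in for the real Kerberos key derivation and encryption types.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 300  # seconds of clock difference the server tolerates (assumed value)

def derive_key(password: str, principal: str) -> bytes:
    # Stand-in for Kerberos string-to-key: key derived from password, salted by principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)

def pad_for(key: bytes, nonce: bytes) -> bytes:
    # Toy 8-byte keystream; real Kerberos uses a proper encryption type here.
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_preauth(password: str, principal: str, now: int) -> bytes:
    """What the client sends: nonce + encrypted time + integrity tag, no password."""
    key = derive_key(password, principal)
    nonce = os.urandom(16)
    ct = xor(struct.pack(">Q", int(now)), pad_for(key, nonce))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def server_verify(blob: bytes, stored_key: bytes, now: int, seen: set) -> str:
    """Server side: it holds the same key and never receives the password."""
    nonce, ct, tag = blob[:16], blob[16:24], blob[24:]
    expect = hmac.new(stored_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return "wrong-password"      # blob was not produced with the stored key
    ts = struct.unpack(">Q", xor(ct, pad_for(stored_key, nonce)))[0]
    if abs(int(now) - ts) > MAX_SKEW:
        return "clock-skew"          # stale or future timestamp is refused
    if blob in seen:
        return "replay"              # same blob presented twice inside the window
    seen.add(blob)
    return "ok"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, t0 = "alice@EXAMPLE.ORG", 1_000_000
    kdc_key, seen = derive_key("s3cret", user), set()
    wire = client_preauth("s3cret", user, t0)
    print("password on the wire:", b"s3cret" in wire)
    print("first attempt:", server_verify(wire, kdc_key, t0 + 10, seen))
    print("same blob again:", server_verify(wire, kdc_key, t0 + 20, seen))
```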

