Aleksander Adamowski wrote:
> Hi!
>
> I'm working on my master's thesis and the subject I've chosen is
> researching the viability of integrating Kerberos and LDAP on the protocol
> level to eliminate the disparity between them.
>
> The problems resulting from disparate protocols for authentication
> (Kerberos) and authorization and generic data access in a directory
> (LDAP), encountered during deployment of various LDAP and Kerberos
> implementations, have led me to believe that the separation of Kerberos
> from LDAP is an artificial result of the history of both protocols'
> development and it actually hurts the adoption of both.
>
> The solution in my opinion is to make use of the LDAP protocol's
> extensibility and implement all Kerberos operations on top of LDAP
> using its extended operations mechanism. This way we'd eliminate the need
> to support a differing carrier protocol working on different ports,
> using different data structures/encodings.
>
> Using a common database would be much easier as the protocols would
> have to be implemented in a single codebase, instead of being
> supported by separate products from different teams (like e.g. MIT Krb
> 5 + OpenLDAP).

Heimdal+OpenLDAP works a lot better, and has for 8-9 years already...

> This of course has already been accomplished by you in the Apache DS
> project - however, I think one step further could be taken in the
> integration, namely elimination of separate network protocols.

What you're talking about here would essentially create a new protocol that has to displace the two existing protocols in order to get any use. That seems pretty unlikely to happen, especially since Kerberos has already been incorporated into LDAP's (many) authentication mechanisms.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
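The proposal quoted above rests on LDAP's extended operations mechanism as the carrier. As an added illustration (not code from this thread, from OpenLDAP, or from Apache DS), the Python below builds and parses the RFC 4511 ExtendedRequest envelope that any such operation travels in: an LDAPMessage whose protocolOp is `[APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }`. The point it shows is that the LDAP layer treats `requestValue` as opaque bytes, which is what makes the mechanism a general carrier, and also why a server must bounds-check the BER lengths before handing the value to whatever dispatches on the OID. The tags and the StartTLS OID `1.3.6.1.4.1.1466.20037` come from RFC 4511 and X.690; the OID `2.999.1` is from the ITU-T/ISO example arc and the payload bytes are constructed placeholders, not a Kerberos message.

```python
"""Added example: encode and decode an LDAPv3 ExtendedRequest envelope (RFC 4511, 4.12).

Illustrative code only; not OpenLDAP's or Apache DS's implementation. Only the
BER/LDAP tag values and the StartTLS OID are taken from the RFCs.
"""
import re
from typing import Optional

TAG_SEQUENCE = 0x30           # UNIVERSAL 16, constructed (the LDAPMessage envelope)
TAG_INTEGER = 0x02            # UNIVERSAL 2 (messageID)
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_REQUEST_NAME = 0x80       # [0] IMPLICIT LDAPOID
TAG_REQUEST_VALUE = 0x81      # [1] IMPLICIT OCTET STRING, OPTIONAL

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # real OID, RFC 4511 section 4.14
# Only dotted-numeric OIDs are accepted here; LDAPOID also permits textual descriptors.
OID_RE = re.compile(r"[0-2](\.(0|[1-9][0-9]*))+")


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    if n < 0:
        raise ValueError("messageID must be non-negative")
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def encode_extended_request(message_id: int, request_name: str,
                            request_value: Optional[bytes] = None) -> bytes:
    """Serialise LDAPMessage { messageID, ExtendedRequest { requestName, requestValue? } }."""
    if not OID_RE.fullmatch(request_name):
        raise ValueError("requestName must be a dotted-numeric OID")
    op = ber_tlv(TAG_REQUEST_NAME, request_name.encode("ascii"))
    if request_value is not None:          # the LDAP layer never interprets these bytes
        op += ber_tlv(TAG_REQUEST_VALUE, request_value)
    body = ber_tlv(TAG_INTEGER, ber_integer(message_id)) + ber_tlv(TAG_EXTENDED_REQUEST, op)
    return ber_tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos. Every declared length is checked against the buffer
    before use, so a truncated or oversized request fails here, not in a dispatcher."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                # indefinite form is not allowed in LDAP
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("declared length exceeds buffer")
    return tag, buf[pos:end], end


def decode_extended_request(data: bytes) -> dict:
    """Parse one LDAPMessage carrying an ExtendedRequest; controls are not supported."""
    tag, msg, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, pos = _read_tlv(msg, pos)
    if tag != TAG_EXTENDED_REQUEST or pos != len(msg):
        raise ValueError("protocolOp is not a bare ExtendedRequest")
    tag, name, p = _read_tlv(op, 0)
    if tag != TAG_REQUEST_NAME:
        raise ValueError("missing requestName")
    request_name = name.decode("ascii")
    if not OID_RE.fullmatch(request_name):
        raise ValueError("requestName is not a numeric OID")
    value = None
    if p < len(op):
        tag, value, p = _read_tlv(op, p)
        if tag != TAG_REQUEST_VALUE or p != len(op):
            raise ValueError("unexpected element after requestName")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "request_name": request_name, "request_value": value}


def is_well_formed(data: bytes) -> bool:
    """True when data parses as a single ExtendedRequest message."""
    try:
        decode_extended_request(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_extended_request(1, STARTTLS_OID).hex())         # what a StartTLS request looks like on the wire
    print(decode_extended_request(encode_extended_request(300, "2.999.1", b"constructed placeholder payload")))
```

The StartTLS message produced for messageID 1 is the 31-byte sequence `30 1d 02 01 01 77 18 80 16` followed by the OID text, which is the same envelope a client sends before negotiating TLS; the only thing that distinguishes one extended operation from another at this layer is the OID, so the whole burden of validating the carried payload falls on the handler registered for that OID.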
