Aleksander Adamowski wrote:
Hi!

I'm working on my master's thesis and the subject I've chosen is
researching the viability of integrating Kerberos and LDAP on protocol
level to eliminate the disparity between them.
That sounds like a good idea!
The problems resulting from disparate protocols for authentication
(Kerberos) and authorization and generic data access in a directory
(LDAP), encountered during deployment of various LDAP and Kerberos
implementations, have led me to believe that the separation of Kerberos
from LDAP is an artificial result of the history of both protocols'
development and that it actually hurts the adoption of both.
It's also due to some technical factors: Kerberos is not based on TCP only, as LDAP is, and LDAP is a directory protocol while Kerberos is just meant to manage authentication. Also, Kerberos was defined back in 1983, while X.500 was developed in 1991, so it's pretty natural that Kerberos was not based on LDAP from its inception.
The solution in my opinion is to make use of LDAP protocol's
extensibility and implement all Kerberos operations on top of LDAP
using its extended operations mechanism. This way we'd eliminate the need
to support differing carrier protocols working on different ports,
using different data structures/encodings.
That's all good, but it should be seen as an extension, as many components are already 'kerberized' the ancient way.
Using a common database would be much easier, as the protocols would
have to be implemented in a single codebase, instead of being
supported by separate products from different teams (like e.g. MIT Krb5
+ OpenLDAP).
This of course has already been accomplished by you in the Apache DS
project - however, I think one step further could be taken in the
integration, namely elimination of separate network protocols.
I agree.
I've written a blog post on this subject over a year ago
(http://olo.org.pl/dr/kerbeldap) - since then the idea has evolved a
bit in my head. However, I'd be interested about your opinion about it
before I move to work on it in full scale.
Btw, on your blog, you mentioned that ADS performance was really poor. This was based on some metrics from ADS 1.0.1, from a test done by Qanah Gibson. Since then, a lot of effort has been put into improving performance. For instance, using ADS 1.0.1, you were able to do around 200 search requests per second on a laptop; this number has been improved to 4500 req/s with ADS 1.5.4. And it's not over!

At this point, it's still clear that OpenLDAP is the clear leader. We have done some more benchmarks, and OpenLDAP is _at least_ twice as fast as ADS. But we are working on improving ADS ;)
I plan to develop specifications for the new LDAP protocol extensions,
to be published in RFC-compatible form, then I'd like to develop a
proof of concept server-side implementation (based on Apache DS
because of its well thought out architecture) and client-side
implementation (possibly a PAM authentication module).

So what do you think of this idea? Can I count on advice and pointers
when developing relevant interceptors for Apache DS?
Sure! Be aware that our current Kerberos implementation might be lacking too, and may be improved. But in any case, that's an interesting proposal!

Thanks !


--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
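The extended-operation wrapping proposed in the quoted message, as an added example that is not part of this thread, of ApacheDS or of MIT Kerberos: a Python sketch of an LDAP ExtendedRequest/ExtendedResponse round trip (RFC 4511, section 4.12), hand-encoded in BER so the envelope is visible, with a server side that dispatches on requestName. The OID 1.3.6.1.4.1.99999.1.1 is an unregistered placeholder for a Kerberos operation, the payload is a constructed stand-in rather than a real AS-REQ, and fake_as_exchange is a stub that only marks where a Kerberos implementation would plug in; the Notice of Disconnection OID and the protocolError result code are the real ones from RFC 4511.

```python
"""Added example: an opaque payload carried in an LDAP ExtendedRequest and answered in an
ExtendedResponse (RFC 4511 4.12), BER-encoded by hand. Not ApacheDS or MIT code."""

KRB_OVER_LDAP_OID = "1.3.6.1.4.1.99999.1.1"       # hypothetical, unregistered placeholder
NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"  # real, RFC 4511 4.4.1
PROTOCOL_ERROR = 2                                 # LDAPResult resultCode

# BER tags: universal types, [APPLICATION 23/24] ExtendedRequest/Response, and the
# context-specific [0] requestName, [1] requestValue, [10] responseName, [11] responseValue.
SEQ, INT, OCTETS, ENUM = 0x30, 0x02, 0x04, 0x0A
EXT_REQ, EXT_RESP = 0x77, 0x78
REQ_NAME, REQ_VALUE, RESP_NAME, RESP_VALUE = 0x80, 0x81, 0x8A, 0x8B

def ber_len(n):
    """Definite-form length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def uint_body(v):
    """Body of a non-negative INTEGER/ENUMERATED, with a leading 0x00 when the top bit is set."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject any length that runs past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV content truncated")
    return tag, buf[pos:pos + length], pos + length

def encode_extended_request(msg_id, oid, value):
    op = tlv(REQ_NAME, oid.encode("ascii")) + tlv(REQ_VALUE, value)
    return tlv(SEQ, tlv(INT, uint_body(msg_id)) + tlv(EXT_REQ, op))

def decode_extended_request(raw):
    """Return (messageID, requestName, requestValue or None) or raise ValueError."""
    tag, msg, end = read_tlv(raw)
    if tag != SEQ or end != len(raw):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != INT:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != EXT_REQ:
        raise ValueError("not an ExtendedRequest")
    tag, name, pos = read_tlv(op)
    if tag != REQ_NAME:
        raise ValueError("missing requestName")
    value = None
    if pos < len(op):                      # requestValue is OPTIONAL
        tag, value, _ = read_tlv(op, pos)
        if tag != REQ_VALUE:
            raise ValueError("unexpected element in ExtendedRequest")
    return int.from_bytes(mid, "big"), name.decode("ascii"), value

def encode_extended_response(msg_id, code, name=None, value=None, diag=""):
    body = tlv(ENUM, uint_body(code)) + tlv(OCTETS, b"") + tlv(OCTETS, diag.encode())
    if name is not None:
        body += tlv(RESP_NAME, name.encode("ascii"))
    if value is not None:
        body += tlv(RESP_VALUE, value)
    return tlv(SEQ, tlv(INT, uint_body(msg_id)) + tlv(EXT_RESP, body))

def decode_extended_response(raw):
    """Return (messageID, resultCode, responseName or None, responseValue or None)."""
    _, msg, _ = read_tlv(raw)
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != EXT_RESP:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(body)
    _, _, pos = read_tlv(body, pos)        # matchedDN
    _, _, pos = read_tlv(body, pos)        # diagnosticMessage
    name = value = None
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == RESP_NAME:
            name = content.decode("ascii")
        elif tag == RESP_VALUE:
            value = content
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), name, value

def fake_as_exchange(payload):
    """Stub: a real handler would parse a DER AS-REQ here and build the AS-REP."""
    return b"AS-REP-FOR:" + payload

HANDLERS = {KRB_OVER_LDAP_OID: fake_as_exchange}

def handle_request(raw):
    """Server side: decode, dispatch on requestName, answer in the same envelope."""
    try:
        msg_id, oid, value = decode_extended_request(raw)
    except ValueError as exc:
        # Undecodable PDU: answer as a Notice of Disconnection does (messageID 0, protocolError).
        return encode_extended_response(0, PROTOCOL_ERROR, NOTICE_OF_DISCONNECTION_OID, diag=str(exc))
    handler = HANDLERS.get(oid)
    if handler is None:
        # RFC 4511 4.12: an unrecognised requestName gets resultCode protocolError.
        return encode_extended_response(msg_id, PROTOCOL_ERROR, diag="unsupported extended operation")
    return encode_extended_response(msg_id, 0, oid, handler(value or b""))

SAMPLE_AS_REQ = b"AS-REQ-placeholder"   # constructed stand-in, not a real Kerberos message
```

The point of hand-rolling the BER is to show that the envelope is indifferent to its contents: the server never looks inside requestValue until the OID has selected a handler, so a Kerberos exchange rides over the existing LDAP port and TLS session unchanged. The length checks in read_tlv are the part a production decoder must not skip, since the requestValue of an unknown operation is attacker-controlled bytes.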

