cyberp70 <[EMAIL PROTECTED]> writes:

> We currently use Kerberos for authentication for almost everything on
> our network. Some people here are advocating switching to using LDAP
> for authentication (we already have a pretty well developed LDAP
> infrastructure). This would of course require everyone to change their
> password as well as the trauma of recoding applications that currently use
> Kerberos and haven't been converted to using PAM.
LDAP "authentication" is actually nothing more or less than using your LDAP directory servers as a giant distributed /etc/shadow file. You can put the password checking in various places, but in the end you're basically taking a step backwards towards something more like the historical Unix authentication mechanism. This means you lose all of the benefits of Kerberos (reusable credentials, passwords never crossing the network encrypted or not, ticket forwarding, etc.) in favor of something that's basically secure NIS. If secure NIS is something you're happy with, hey, great, but to me it feels like 1980s security technology, long-since obsolete.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
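To make the "distributed /etc/shadow" contrast above concrete, here is an added toy model, not from the thread and not real LDAP or Kerberos code: it records the messages each side would send, and shows that the cleartext password is present in the LDAP simple-bind exchange but absent from a (pre-authentication-free) Kerberos AS exchange. The HMAC-based cipher, the directory layout and the names alice / EXAMPLE.COM are constructed for illustration.

```python
"""Toy model: where the password travels in LDAP simple bind vs. a Kerberos AS
exchange.  Constructed teaching code; the cipher is NOT real cryptography."""
import hashlib, hmac, json, secrets

def string2key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password; client and KDC both compute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def toy_seal(key: bytes, data: bytes) -> str:
    """Toy cipher for payloads up to 32 bytes: nonce || (data XOR HMAC(key, nonce))."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return (nonce + bytes(a ^ b for a, b in zip(data, stream))).hex()

def toy_unseal(key: bytes, blob: str) -> bytes:
    raw = bytes.fromhex(blob)
    stream = hmac.new(key, raw[:16], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(raw[16:], stream))

def ldap_simple_bind(wire: list, directory: dict, dn: str, password: str) -> bool:
    """Simple bind: the client sends the password itself and the server compares it
    against the stored hash, exactly the /etc/shadow model, only distributed."""
    wire.append({"op": "bindRequest", "dn": dn, "password": password})
    ok = hmac.compare_digest(string2key(password, dn), directory[dn])
    wire.append({"op": "bindResponse", "resultCode": 0 if ok else 49})
    return ok

def kerberos_as_exchange(wire: list, kdc_db: dict, principal: str, password: str):
    """Simplified AS exchange (pre-authentication omitted).  Only the name and a nonce
    go to the KDC; the reply is sealed under the long-term key, so the client proves
    knowledge of the password by decrypting it.  Returns the session key or None."""
    nonce = secrets.token_bytes(8)
    wire.append({"op": "AS-REQ", "cname": principal, "nonce": nonce.hex()})
    session_key = secrets.token_bytes(24)                       # KDC side
    wire.append({"op": "AS-REP", "enc_part": toy_seal(kdc_db[principal], nonce + session_key)})
    plain = toy_unseal(string2key(password, principal), wire[-1]["enc_part"])  # client side
    return plain[8:] if plain[:8] == nonce else None            # wrong key -> wrong nonce

def password_on_wire(wire: list, password: str) -> bool:
    """Does the cleartext password appear anywhere in the captured messages?"""
    return password in json.dumps(wire)

if __name__ == "__main__":
    dn, princ, pw = "uid=alice,dc=example,dc=com", "alice@EXAMPLE.COM", "correct horse"
    ldap_wire, krb_wire = [], []
    ldap_simple_bind(ldap_wire, {dn: string2key(pw, dn)}, dn, pw)
    kerberos_as_exchange(krb_wire, {princ: string2key(pw, princ)}, princ, pw)
    print("LDAP bind exposes password:", password_on_wire(ldap_wire, pw))   # True
    print("Kerberos AS exposes password:", password_on_wire(krb_wire, pw))  # False
```

The session key returned by the AS exchange is the reusable credential Russ refers to; in the LDAP model there is nothing comparable, so every service that needs to authenticate the user has to be handed the password again.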