Dax Kelson <[email protected]> writes:

> Don't most people use Kerberos in conjunction with LDAP? Also isn't it
> typical to have the LDAP server doing passthrough authentication (for simple
> bind operations) to the KDC?
I certainly hope not. I suspect that it's far more common than I'd like, but it's a violation of the Kerberos security model and exposes the user's password to rather more systems than should need to see it.

We require GSSAPI binds for all authenticated access to our LDAP servers and don't allow simple binds at all except for anonymous binds.

The correct way of using Kerberos is for the user's credentials to never leave the local system. In practice, it's an ideal that usually can't be reached, but every place where the Kerberos password leaves the local system and is validated on a remote system is a place that's going to break when you want to switch to something better than passwords, such as smart-card authentication.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
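As an added illustration (not part of this thread, and not Russ's or anyone's real configuration): the pass-through setup the question describes, beside the GSSAPI-only policy the reply describes, written as OpenLDAP slapd.conf fragments. OpenLDAP with Cyrus SASL, the realm EXAMPLE.ORG, the base DN dc=example,dc=org and the file paths are all assumptions, since the thread names neither a server product nor a site.

```conf
# === Setup A: simple bind passed through to the KDC (the question's setup) ===
# Assumed: OpenLDAP built with --enable-spasswd, plus saslauthd. Each user entry
# carries a password that is not stored but checked elsewhere:
#   userPassword: {SASL}alice@EXAMPLE.ORG
# slapd's own SASL config (/etc/sasl2/slapd.conf, path assumed) contains:
#   pwcheck_method: saslauthd
# and saslauthd runs as "saslauthd -a kerberos5".
# Effect: the cleartext password travels client -> slapd -> saslauthd -> KDC.
# Three processes besides the client see it, which is the exposure the reply
# objects to, and the LDAP server becomes a password validator that cannot be
# moved to smart cards later.

# === Setup B: GSSAPI for authenticated access, anonymous binds still allowed ===
# Refuse simple binds that carry a password (client gets unwillingToPerform).
# Anonymous binds use empty credentials and are handled before this check, so
# bind_anon is deliberately NOT disallowed here.
disallow bind_simple

# SASL mechanisms must not send a cleartext password (rules out PLAIN/LOGIN)
# and must negotiate an integrity/privacy layer of at least 56 bits.
sasl-secprops noplain,noanonymous,minssf=56

# Default Kerberos realm for SASL identities (placeholder realm).
sasl-realm EXAMPLE.ORG

# Map the principal that SASL presents as
# uid=<user>[,cn=<realm>],cn=gssapi,cn=auth to the user's directory entry.
# The optional realm component covers both forms; the base DN is a placeholder.
authz-regexp
    "uid=([^,]*),(cn=[^,]*,)?cn=gssapi,cn=auth"
    "ldap:///dc=example,dc=org??sub?(uid=$1)"

# slapd needs a keytab holding ldap/<fqdn>@EXAMPLE.ORG, e.g. by exporting
#   KRB5_KTNAME=/etc/krb5.keytab.ldap   (path assumed) in its environment.
# Check from a client holding a ticket:
#   ldapwhoami -Y GSSAPI -H ldap://ldap.example.org      -> dn:uid=alice,...
#   ldapwhoami -x -D uid=alice,dc=example,dc=org -W ...  -> refused (unwilling)
```

With Setup B the password is only ever typed into kinit on the user's machine; the LDAP server sees a ticket, which is also what a later smart-card PKINIT deployment would produce.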
