[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Is Openldap a Authorization or Authentication system?

To: joe <joe@joeware.net>, Chris Jacobs <Chris.Jacobs@apollo.edu>
Subject: Re: Is Openldap a Authorization or Authentication system?
From: Howard Chu <hyc@symas.com>
Date: Tue, 11 Aug 2015 14:32:38 +0100
Cc: Kaushal Shriyan <kaushalshriyan@gmail.com>, Nick Milas <nick@eurobjects.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <CAMO_Sdeefmz2UXNrAJJaCQvcAoRkSLo1BbrSWSi6i=6z0rTLFw@mail.gmail.com>
References: <CAD7Ssm-X0ORQGHkEZo02qUb0tdcae3nMZCxS1NrEZTcJCFHw4w@mail.gmail.com> <55C893F5.70505@eurobjects.com> <CAD7Ssm9GAKV39_MubuFMTR809nxA-==25zgXZa-t15JKvQvmWQ@mail.gmail.com> <6C447584419BFE4E83D46E88F8131486D7A94580E3@EXCH07-05.apollogrp.edu> <CAMO_Sdeefmz2UXNrAJJaCQvcAoRkSLo1BbrSWSi6i=6z0rTLFw@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 SeaMonkey/2.37a1

joe wrote:

Standard Windows Active Directory AuthN/AuthZ isn't LDAP. It is Kerberos (and
NTLM). It uses the LDAP Directory in the backend for its database to store
credentials and group mapping as well as any other relevant data for the users
and other objects as LDAP/DAP Directories were intended to be used.

While LDAP protocol can be used for authentication, Kerberos is the expected
to be the safer authentication mechanism as no passwords are transferred in
the requests as they are with LDAP authentication. When you log on with
Windows to Active Directory, a Kerberos authentication occurs and the ticket
is then passed with any/all LDAP requests after that to access data in AD, or
on other servers.

That's quite a mischaracterization, as "LDAP authentication" isn't just anyone particular mechanism. E.g., you can authenticate to LDAP using Kerberostickets as well, using SASL/GSSAPI.

And while Kerberos is only an authentication mechanism, it is not the onlyauthentication mechanism that exists. E.g., you can achieve analogousfunctionality using X.509 certificates.

That being said, some applications (generally *NIX apps) will authenticate to
Active Directory with LDAP. If this is done, the Domain Controllers should
have PKI certs on them and LDAPS or TLS should be used to secure the LDAP
traffic otherwise the passwords are going across the network in clear
text.Better is to use Kerberos which is possible via the open source kerb
packages as well as there are several third party vendors now producing
products to do it properly (and easily) including Dell (via Vintela/Quest
product), Centrify, and BeyondTrust.

Again, a clear misunderstanding of the underlying technologies. Kerberos asused in LDAP also provides for securing of traffic, you don't need TLS if youhave GSSAPI. And vice versa, TLS can be used both for the actualauthentication step (using X.509 certs, as noted above) as well as forsecuring the traffic.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Is Openldap a Authorization or Authentication system?
  - From: Kaushal Shriyan <kaushalshriyan@gmail.com>
- Re: Is Openldap a Authorization or Authentication system?
  - From: Nick Milas <nick@eurobjects.com>
- Re: Is Openldap a Authorization or Authentication system?
  - From: Kaushal Shriyan <kaushalshriyan@gmail.com>
- RE: Is Openldap a Authorization or Authentication system?
  - From: Chris Jacobs <Chris.Jacobs@apollo.edu>
- Re: Is Openldap a Authorization or Authentication system?
  - From: joe <joe@joeware.net>

Prev by Date: Re: Is Openldap a Authorization or Authentication system?
Next by Date: Re: Replication speed and data sizing (mdb)
Index(es):
- Chronological
- Thread