Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: Geert Hendrickx <geert.hendrickx@ua.ac.be>
From: David Stipp <dstipp@coolhack.net>
List: tech-pkg
Date: 09/08/2005 08:49:58
On Thu, Sep 08, 2005 at 12:04:33PM +0200, Geert Hendrickx wrote:
> Ok then.  I was just looking into LDAP authentication and I noticed that
> the version in 2005Q2 is vulnerable.  But anyway, I think I can better go
> with Kerberos, right?  

I think that Kerberos is probably a better direction to head. One of the
big problems IMO is the fact that LDAP is a bit harder to secure than
Kerberos. Yes, you can use ACLs and SSL to secure LDAP, but in the end
LDAP is for public data... Kerberos, well, is not. :-)

So, why not use Kerberos for passwords, and LDAP or NIS for NSS
information?

I found this site really useful/informative:
``Replacing NIS with Kerberos and LDAP HOWTO''
http://www.ofb.net/~jheiss/krbldap/howto.html

In addition, Kerberos is a pre-req for things like kerberized NFS,
NFSv4, OpenAFS, and other things. Once you have Kerberos set up, you can
set up ssh to allow for authentication via your tickets. Throw in
mod_auth_kerb and you can get SSO web applications. (That howto goes
through kerberizing OpenLDAP.) Once you get all your applications
kerberized, as long as you have a ticket you could SSO everywhere.

David

-- 
David Stipp <dstipp@coolhack.net>
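As an added illustration of the split described in the message above (this is not part of the original mail, and not the howto's own configuration), here is roughly what "Kerberos for passwords, LDAP for NSS" looks like on a NetBSD-style host using OpenPAM: NSS answers account lookups (names, uids, groups, home directories) from the directory, while PAM hands passwords only to the KDC and sshd accepts a ticket in place of a password. File paths, module names and the presence of an nss_ldap module for the `ldap` nsswitch source are assumptions; adjust them to the system at hand.

```conf
# /etc/nsswitch.conf (assumed path): account data comes from LDAP, which
# is the "public data" side of the split; no password hashes are read here.
# Requires an nss_ldap module installed (assumption: pkgsrc databases/nss_ldap).
passwd: files ldap
group:  files ldap

# /etc/pam.d/sshd (assumed OpenPAM layout): try the KDC first, fall back
# to local passwd entries so local-only accounts (root, service users)
# keep working if the KDC is unreachable.
auth        sufficient  pam_krb5.so
auth        required    pam_unix.so     try_first_pass
account     required    pam_unix.so
session     required    pam_permit.so
password    sufficient  pam_krb5.so
password    required    pam_unix.so     try_first_pass

# /etc/ssh/sshd_config: let an existing ticket authenticate the user and
# drop the forwarded credential cache when the session ends.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
```

The point to check after wiring this up: with `GSSAPIAuthentication yes` on the client as well, `kinit` followed by `ssh host` should log in with no password prompt, and a `ldapsearch` against the directory should show no userPassword attribute being relied on for login at all, since the only secret left in the path is the one the KDC holds.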