Firewall Wizards mailing list archives
RE: LDAP and Kerberos?
From: Christopher Hicks <chicks () chicks net>
Date: Mon, 20 Sep 2004 12:27:14 -0400 (EDT)
On Mon, 20 Sep 2004, Melson, Paul wrote:
-----Original Message-----
On Mon, 20 Sep 2004, Melson, Paul wrote:

I'm not sure you've given enough information about your back end architecture to say for sure,

I'm not sure what else to say about the architecture. I'll be happy to answer any questions though.

Specifically, what else besides the web application will you be authenticating? How many users? If the primary goal of this directory is to provide authentication for this web app. plus maybe admin services, then Kerberos is a waste of time since it's not compatible with the web app.
About 200 users currently. The LDAP server will be used for authenticating a handful of web apps (one of which is bugzilla and several others we've written in house), authenticating Linux/UNIX shell users across a dozen boxes, and supporting distributing authoritative sendmail across an array of three boxes widely geographically distributed. So, Kerberos gets me nothing for sendmail or bugzilla as far as I know. I'm sure the Linux login piece could be kerberized, but since the primary login method for 98% of the users is across the web there's not going to be any useful single logon. Oh, I do want to do samba through LDAP at some point.
The advantage of mutual authentication is that it prevents playback spoofing and man-in-the-middle attacks. It's designed to make it difficult for a third system to get access to services by eavesdropping or otherwise intercepting or interfering with the authentication process.
Ah, so I can set up my own CA and accomplish most of the same thing. I see now. Thank you.
--
</chris>

There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards