
Re: Centralized user-database: LDAP vs. KerberosV5 vs. AFS



Raffaele Sandrini <rasa@gmx.ch> writes:
> LDAP: This is definitely a cool method. It's very simple and very secure due 
> to its high SSL encryption. And through the possibility of NSS_LDAP virtually 
> every application will automatically support that and due to the nature of LDAP 
> you are able to store all sorts of information about the user in the LDAP 
> tree.

(I know fairly little about this; my main concerns would be (a)
forcing everything to use SSL, if you really care about this, and (b)
readily getting passwd entries with crypted password strings that an
attacker could run a dictionary attack against.  But for all I know,
LDAP might have a good way of addressing these.)

> KerberosV5: Also a somewhat simple method. Also (very) secure. Has a
> different approach (its ticket system). Is fully compatible with
> AFS. Perhaps compatible with other systems like Win32. But you
> still need a passwd file to store special user data, right?

Kerberos only tries to deal with the problem of matching usernames and
passwords; it doesn't include any support for propagating things like
/etc/passwd.  You'd need some other way to distribute this sort of
data; MIT uses Hesiod (which these days is a slightly hackish layer on
top of DNS), but LDAP could probably also fill this niche.  Kerberos
also addresses the problem of authenticating yourself to various
services; if your mail server is compromised and you just have
password authentication, the attacker now has your password and can
get access to other things, where a compromised Kerberos-using server
only has authenticators that are specific to that server.  (You're
still really hosed if your master KDC is compromised.)

> AFS: The old approach. Somewhat secure. Is also (no, really? :-) )
> compatible with AFS. It uses a modified Krbv4 system. It should be
> also very portable through all sorts of Unixes and Win32. Needs a
> passwd file.

AFS doesn't include its own authentication layer.  It does have its
own user database (via ptserver), but underneath authentication and
encryption are done using Kerberos 4.

> Conclusion: Out of this information I would prefer the LDAP approach,
> but what if you want to use AFS as distributed filesystem and
> LDAP as user-database? Then you need to maintain 2 user-databases, or
> is there a way to get AFS working with LDAP?

I don't know of anything tying AFS/Kerberos/LDAP (or any pair
involving LDAP) directly together, but this doesn't mean it doesn't
exist.  MIT has its own local glue layer (Moira), from which
practically everything else is generated.  I don't think this has been
released into the wild, or really wants to be.  But if you're a Large
Site, doing something like this is probably the way to go.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
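The point made above about a compromised mail server holding only authenticators specific to that server, as an added toy model that is not part of this thread and not real Kerberos: the hypothetical KDC, principal names and key sizes are assumptions, and tickets are bound to a service's key with an HMAC tag instead of Kerberos encryption, which is enough to show why the mail server's key does not open the files service.

```python
import hashlib, hmac, json, os, time

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

def seal(key: bytes, payload: dict) -> bytes:
    # Bind the ticket to `key`: without it nobody can produce a valid tag.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # Verify under `key`; a ticket sealed under any other key fails here.
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("ticket was not issued for this service key")
    return json.loads(body)

class KDC:
    # Holds every principal's long-term key (hypothetical toy, not MIT krb5).
    def __init__(self):
        self.keys = {}

    def add_principal(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def service_ticket(self, client: str, service: str, lifetime: int = 600) -> bytes:
        # Sealed under the *target service's* key, so only that service can verify it.
        return seal(self.keys[service], {"client": client, "service": service,
                                          "expires": time.time() + lifetime})

def service_accepts(name: str, key: bytes, ticket: bytes) -> bool:
    # A service verifies the ticket under its own key, then checks name and expiry.
    try:
        t = unseal(key, ticket)
    except ValueError:
        return False
    return t["service"] == name and t["expires"] > time.time()

def compromised_mail_server_demo() -> dict:
    kdc = KDC()
    kdc.add_principal("alice")
    mail_key, files_key = kdc.add_principal("mail"), kdc.add_principal("files")
    mail_ticket = kdc.service_ticket("alice", "mail")
    # An attacker owning the mail server learns mail_key and the tickets it has seen,
    # but neither gets them past the files service's own key check.
    forged = seal(mail_key, {"client": "alice", "service": "files", "expires": time.time() + 600})
    return {"mail_accepts_own_ticket": service_accepts("mail", mail_key, mail_ticket),
            "files_rejects_mail_ticket": not service_accepts("files", files_key, mail_ticket),
            "files_rejects_forgery_with_mail_key": not service_accepts("files", files_key, forged)}
```

The model deliberately leaves out session keys, mutual authentication and ticket confidentiality; it only shows the per-service key isolation the reply relies on, and the KDC's key store remains the single point whose compromise breaks everything.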