directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Re: Implementing Kerberos on top of LDAP extended operations
Date Sat, 10 Jan 2009 17:50:20 GMT

Aleksander Adamowski wrote:
> Hi!
> I'm working on my master's thesis and the subject I've chosen is
> researching the viability of integrating Kerberos and LDAP on protocol
> level to eliminate the disparity between them.
That sounds like a good idea!
> The problems resulting from disparate protocols for authentication
> (Kerberos) and authorization and generic data access in a directory
> (LDAP), encountered during deployment of various LDAP and Kerberos
> implementation, have led me to believe that the separation of Kerberos
> from LDAP is an artificial result of history of both protocol's
> development and it actually hurts the adoption of both.
It's also due to some technical factors: Kerberos is not based on TCP 
only as LDAP is, and LDAP is a directory protocol whereas Kerberos is just 
meant to manage authentication. Also, Kerberos was defined back in 
1983, while X.500 was developed in 1991, so it's pretty natural that 
Kerberos is not based on LDAP from its inception.
> The solution in my opinion is to make use of LDAP protocol's
> extensibility and implement all Kerberos operations on top of LDAP
> using its extended operations mechanism. This way we'd eliminate need
> to support differing carrier protocol working on different ports,
> using different data structures/encodings.
That's all good, but it should be seen as an extension, as many 
components are already 'kerberized' the ancient way.
> Using a common database would be much easier as the protocols would
> have to be implemented in the single codebase, instead of being
> supported by separate products from different teams (like e.g. MIT Krb
> 5 + OpenLDAP).
> This of course has already been accomplished by you in the Apache DS
> project - however, I think one step further could be taken in the
> integration, namely elimination of separate network protocols.
I agree.
> I've written a blog post on this subject over a year ago
> ( - since then the idea has evolved a
> bit in my head. However, I'd be interested about your opinion about it
> before I move to work on it in full scale.
Btw, on your blog, you mentioned that ADS performance was really poor. 
This was based on some metrics from ADS 1.0.1, from a test done by 
Quanah Gibson. Since then, a lot of effort has been put into improving 
performance. For instance, using ADS 1.0.1, you were able to do around 
200 search requests per second on a laptop; this number has been 
improved to 4500 req/s with ADS 1.5.4. And it's not over!

At this point, it's still clear that OpenLDAP is the leader. We 
have done some more benchmarks, and OpenLDAP is _at least_ twice as fast 
as ADS. But we are working on improving ADS ;)
> I plan to develop specifications for the new LDAP protocol extensions,
> to be published in RFC-compatible form, then I'd like to develop a
> proof of concept server-side implementation (based on Apache DS
> because of its well thought out architecture) and client-side
> implementation (possibly a PAM authentication module).
> So what do you think of this idea? Can I count on advice and pointers
> when developing relevant interceptors for Apache DS?
Sure! Be aware that our current Kerberos implementation might be lacking 
too, and may be improved. But in any case, that's an interesting proposal!

Thanks !

cordialement, regards,
Emmanuel Lécharny
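To make the "Kerberos over LDAP extended operations" carrier idea discussed above concrete, here is an added example (not code from the thread, Apache DS, or any published specification) that frames an opaque Kerberos message inside an RFC 4511 ExtendedRequest envelope and parses it back. The OID and the Kerberos payload are constructed placeholders; no such extended operation is registered anywhere.

```python
# Added example: BER framing of an LDAP ExtendedRequest (RFC 4511) carrying a
# Kerberos message as its requestValue. The OID is a made-up placeholder.
KRB_EXTOP_OID = "1.3.6.1.4.1.99999.1.1"  # hypothetical, unregistered OID

# Constructed stand-in for a Kerberos AS-REQ ([APPLICATION 10] = tag 0x6a);
# a real one is a full ASN.1 structure, but the carrier treats it as opaque.
SAMPLE_KRB_MSG = b"\x6a\x03\x01\x02\x03"

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Build one tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Encode a non-negative INTEGER, adding a leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"\x00"
    return tlv(0x02, raw)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def encode_extended_request(msg_id: int, krb_msg: bytes) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] { [0] requestName, [1] requestValue } }."""
    ext = tlv(0x80, KRB_EXTOP_OID.encode()) + tlv(0x81, krb_msg)
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, ext))

def decode_extended_request(pkt: bytes):
    """Parse the envelope; returns (messageID, requestName, requestValue)."""
    tag, body, _ = read_tlv(pkt, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    tag, mid, pos = read_tlv(body, 0)
    assert tag == 0x02, "messageID must be INTEGER"
    tag, ext, _ = read_tlv(body, pos)
    assert tag == 0x77, "not an ExtendedRequest (APPLICATION 23)"
    tag, name, pos = read_tlv(ext, 0)
    assert tag == 0x80, "requestName must be [0]"
    tag, value, _ = read_tlv(ext, pos)
    assert tag == 0x81, "requestValue must be [1]"
    return int.from_bytes(mid, "big"), name.decode(), value
```

A server-side interceptor would dispatch on the requestName OID and hand the requestValue to the KDC logic unchanged, so the Kerberos encoding itself never has to be touched by the LDAP layer.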
