From Howard Chu <>
Subject Re: Implementing Kerberos on top of LDAP extended operations
Date Sat, 10 Jan 2009 21:59:09 GMT
Aleksander Adamowski wrote:
> Hi!
> I'm working on my master's thesis and the subject I've chosen is
> researching the viability of integrating Kerberos and LDAP on protocol
> level to eliminate the disparity between them.
> The problems resulting from disparate protocols for authentication
> (Kerberos) and authorization and generic data access in a directory
> (LDAP), encountered during deployment of various LDAP and Kerberos
> implementations, have led me to believe that the separation of Kerberos
> from LDAP is an artificial result of the history of both protocols'
> development and it actually hurts the adoption of both.
> The solution in my opinion is to make use of the LDAP protocol's
> extensibility and implement all Kerberos operations on top of LDAP
> using its extended operations mechanism. This way we'd eliminate the need
> to support differing carrier protocols working on different ports,
> using different data structures/encodings.
> Using a common database would be much easier as the protocols would
> have to be implemented in a single codebase, instead of being
> supported by separate products from different teams (like e.g. MIT Krb
> 5 + OpenLDAP).

Heimdal+OpenLDAP works a lot better, and has for 8-9 years already...

> This of course has already been accomplished by you in the Apache DS
> project - however, I think one step further could be taken in the
> integration, namely elimination of separate network protocols.

What you're talking about here would essentially create a new protocol that 
has to displace the two existing protocols in order to get any use. That seems 
pretty unlikely to happen, especially since Kerberos has already been 
incorporated into LDAP's (many) authentication mechanisms.

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP
