[TriLUG] LDAP ?

Magnus magnus at trilug.org
Thu Jan 18 13:13:51 EST 2007


Patrick Brewer wrote:

> So what are the downsides to using LDAP for authentication?

source:
http://www.cites.uiuc.edu/roadmaps/authentication/whitepaper.html#ldap

> LDAP authentication refers to using what's called a "bind operation"
> within the LDAP protocol. The password is passed from the user's
> client to the application that supports LDAP authentication, and then
> that application attempts to bind to an LDAP server as that user. If
> the bind succeeds, the password is verified. Note that even if the
> password is transmitted from the user's client to the application,
> and then transmitted from the application to the LDAP server, over
> encrypted channels, the password is still available to the
> application in cleartext between coming from the client and being
> passed on to the LDAP server.
> 
> Thus LDAP authentication has the weakness that any application using
> that form of authentication has access to the cleartext password of
> any user attempting to access the application. A compromise of the
> application or the server upon which it runs could expose users’
> passwords. LDAP authentication therefore presents an additional set
> of security challenges that have yet to be worked out. This provides
> a good argument for choosing either WebISO or Kerberos where
> feasible, with the WebISO approach in particular strongly preferred
> for web browser-based authentication.


-- 
Trying to figure out what to do with big heavy and retired Sun servers
in the Raleigh area? Drop me a note.
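To make the whitepaper's point concrete, here is an added example (not part of the original post or of the quoted whitepaper) that encodes and decodes an LDAP simple BindRequest as BER per RFC 4511; the DN and password are constructed sample values and no directory is contacted. The password is a plain OCTET STRING inside the BindRequest, so whichever process builds that message (the relying application) necessarily holds the cleartext, whereas a SASL bind (context tag [3], e.g. GSSAPI/Kerberos) carries no reusable secret in that slot.

```python
# Added example: BER encoding/decoding of the LDAP simple bind (RFC 4511).
# Sample DN/password below are constructed; nothing is sent on the network.

def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER (tag 0x02), leading 0x00 added where needed."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def read_tlv(buf: bytes):
    """Split one TLV off the front of buf; returns (tag, value, remainder)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[off:off + length], buf[off + length:]

def parse_bind_request(pdu: bytes) -> dict:
    """Decode a BindRequest; only a simple bind ([0], tag 0x80) yields a password."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, rest = read_tlv(msg)
    tag, bind, _ = read_tlv(rest)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, rest = read_tlv(bind)
    _, dn, rest = read_tlv(rest)
    auth_tag, auth, _ = read_tlv(rest)       # 0x80 = simple, 0xA3 = SASL
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "dn": dn.decode(), "simple": auth_tag == 0x80,
            "password": auth.decode() if auth_tag == 0x80 else None}

PDU = simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")  # constructed
```

Dump `PDU.hex()` and the literal bytes of "secret" are visible right after the `80 06` tag/length, which is exactly what the application has in memory before (and regardless of) any TLS wrapping on the wire.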

