Why use kerberos when you can do authentication and authorization through ldap? [closed]

We are debating the use of Kerberos in the big data cluster that we have. Our admin wants to use LDAP for authentication and authorization. I looked it up on the internet and got mixed responses, but there was no clear understanding of the reason to use Kerberos.

I understand that you can use Kerberos along with LDAP, but I didn't get a clear picture of the benefits of using Kerberos + LDAP vs just LDAP. Can anyone explain, please?

tesnik03 asked Sep 12 '17 18:09


1 Answer

Kerberos is the inside-the-corporate-network industry standard single sign-on protocol. LDAP was always more of a directory look-up protocol. However, LDAP can also do authentication, as the authentication aspect of it was bolted on some years after the protocol itself was conceived. With LDAP authentication, every authentication attempt is going to cause a load on the Directory authentication server, so in that sense, it could hammer your Directory authentication server often. With Kerberos, after the first authentication, the client holds a ticket that will be good for a default of 10 hours, so that additional authentication attempts do not have to overload your Directory authentication server again. And the client will take care of getting authentication "tickets" to target resources, rather than the application server doing this on behalf of clients, which is what those application servers have to do if the LDAP authentication mechanism is in play. Additionally, LDAP, if not configured correctly, will send authentication attempts in clear text. Even if you configure it to do encrypted authentication over LDAPS, for which you'll then need to get an SSL certificate, you also have to get around the problem of storing the username/password on any application server in plain text, unless someone takes the extra steps to encrypt that. In short, as an authentication protocol Kerberos is far more secure out of the box, is de-centralized, and will put less load on your Directory authentication servers than LDAP will. Kerberos in pure Microsoft Active Directory environments will do both authentication and authorization for you, while directory look-ups are always LDAP. Also, LDAP is not single sign-on. Users must always manually enter username/password, while with Kerberos they do not have to do this.

Now if you use Kerberos for authentication and LDAP for directory look-ups and/or group-based authorization, then that is the Best Practice, as LDAP was originally designed per the RFCs as a directory lookup protocol only. In fact, when you use a tool such as the "Active Directory Users and Computers" utility, what happens when you use it is exactly this: you pass a Kerberos authentication in order to allow yourself to query the AD LDAP service, and then your LDAP query from that point forward is just pure LDAP. In mixed environments consisting of both Windows and, say for instance, Linux, you can always use Kerberos for authentication, but that takes some more doing on the application side; for instance, you'll need a keytab generated for you by the AD admin. Group-based authorization will have to be LDAP, and of course directory look-ups are always LDAP.

Your admin probably wants you to use straight LDAP all the way around because that is the easier route to stand up: he just needs to give you AD user account credentials, which you then have to take and configure on your application side to allow users to log in, then allow group-based authorization, and then query the directory over LDAP.

This question really involves a deep understanding of Kerberos versus LDAP, and there's so much more to say and read about, but I'll need to leave it at this for now and provide you with a link: Kerberos vs. LDAP for authentication

John R Smith answered Oct 12 '22 23:10
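As an added example (not part of the question or the answer above), here are the two bind styles the answer contrasts, written for OpenLDAP's ldapsearch against an AD domain controller: a simple bind with a stored service-account password, and a Kerberos (SASL/GSSAPI) bind using a keytab issued by the AD admin. The host name, base DN, realm, service principal and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: two ways for a Linux application to look up a user's AD
# groups over LDAP. All names below are constructed placeholders.
DC_HOST="dc.example.com"
BASE_DN="DC=example,DC=com"
REALM="EXAMPLE.COM"
KEYTAB="/etc/app.keytab"                      # issued by the AD admin
APP_PRINCIPAL="app/app01.example.com@$REALM"  # principal stored in the keytab
DRY_RUN="${DRY_RUN:-0}"  # set to 1 to print the command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Style 1: simple bind. The application keeps an AD service-account password
# on disk and presents it on every lookup. Without ldaps:// that password
# crosses the wire in clear text; with ldaps:// it still sits on the server.
group_lookup_simple() {
    user="$1"
    run ldapsearch -x -LLL -H "ldaps://$DC_HOST" \
        -D "CN=svc-app,OU=Service Accounts,$BASE_DN" -y /etc/app.ldap-pass \
        -b "$BASE_DN" "(sAMAccountName=$user)" memberOf
}

# Style 2: Kerberos. Get (or reuse) a ticket from the keytab, then bind with
# SASL/GSSAPI. No password is stored on the application server, the cached
# ticket is reused until it expires, and minssf=128 demands a signed and
# sealed connection so the query itself is protected.
group_lookup_kerberos() {
    user="$1"
    klist -s 2>/dev/null || run kinit -kt "$KEYTAB" "$APP_PRINCIPAL"
    run ldapsearch -Y GSSAPI -LLL -O minssf=128 -H "ldap://$DC_HOST" \
        -b "$BASE_DN" "(sAMAccountName=$user)" memberOf
}
```

Run with `DRY_RUN=1 sh script.sh` after appending a call such as `group_lookup_kerberos alice` to see the exact commands without contacting a domain controller.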