
I'm working on a project now where I have a CMS with a plugin that allows me to authenticate users via LDAP. So far, so good. I built out an LDAP server. The plugin works. I am authenticating. The client has been talking about using LDAP for authorization and Kerberos for authentication (even though the LDAP authentication is already working). From what I can tell, Kerberos is really for authenticating a user who is trying to access some particular host machine. Is that correct? Or am I missing something? LDAP seems adequate so far. I don't know why I need another layer. I know I can use Kerberos and use LDAP as the principals database, but I don't know what that would actually get me that LDAP isn't already giving me.


1 Answer


Kerberos allows you to do single sign-on natively in some cases. For example, you logged into your Windows PC using a corporate username/password. If you run the klist command on Windows, it'll show that just by logging into your PC you already have a Kerberos ticket for your domain (Active Directory) "principal". When a user then goes to an internal web server that is part of the same corporate Kerberos/AD domain, it's possible to bypass re-authentication (that's why it's single sign-on). Then you can do authorization based on LDAP groups or some other methods. Kerberos makes a lot of sense to use in larger corporations, as they most likely already have AD with all the corporate security rules around it. SSO is also more convenient.
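To make the difference concrete, here is an added example (not from the question or the answer above) that models the Kerberos ticket flow the answer describes: the client authenticates to the KDC once with its password, receives a ticket-granting ticket, and then obtains per-service tickets for a CMS and a wiki without re-entering the password. The web application verifies the ticket with only its own service key, so it never sees the user's password at all, which is the contrast with an LDAP simple bind, where the application must receive the password and forward it to the directory. Authorization still happens against an LDAP-style group lookup, here replaced by a constructed dictionary. The principals, passwords, service names and the stdlib-only encrypt-then-MAC helper are all assumptions for the demonstration and stand in for Kerberos' real encryption types.

```python
"""Toy model of the Kerberos AS -> TGS -> AP exchanges (added example)."""
import hashlib, hmac, json, os, time

LIFETIME = 36000   # ticket lifetime in seconds (constructed)
SKEW = 300         # allowed clock skew for authenticators


def _derive_key(secret: str) -> bytes:
    """Stand-in for Kerberos string-to-key; real KDCs use a PBKDF2-style derivation."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def _seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC (SHA-256 keystream XOR + HMAC tag). Toy construction for the demo only."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Holds the long-term keys of every principal: users and services alike."""
    def __init__(self, principals: dict):
        self.keys = {p: _derive_key(s) for p, s in principals.items()}
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service itself

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: issue a TGT; only the holder of the user's key can open the reply."""
        session = os.urandom(32).hex()
        tgt = _seal(self.tgs_key, {"user": user, "key": session, "exp": time.time() + LIFETIME})
        return tgt, _seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: trade a valid TGT for a ticket to one service."""
        t = _open(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        if _open(session, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = _seal(self.keys[service], {"user": t["user"], "key": svc_session,
                                            "exp": time.time() + LIFETIME})
        return ticket, _seal(session, {"key": svc_session})


class Client:
    """The workstation: uses the password exactly once, then works from the TGT."""
    def __init__(self, user: str, password: str, kdc: KDC):
        self.user, self.kdc = user, kdc
        self.tgt, reply = kdc.as_exchange(user)
        self.tgt_key = bytes.fromhex(_open(_derive_key(password), reply)["key"])

    def access(self, service: str):
        """Return (ticket, authenticator) for `service` without touching the password again."""
        auth = _seal(self.tgt_key, {"user": self.user, "ts": time.time()})
        ticket, reply = self.kdc.tgs_exchange(self.tgt, auth, service)
        svc_key = bytes.fromhex(_open(self.tgt_key, reply)["key"])
        return ticket, _seal(svc_key, {"user": self.user, "ts": time.time()})


class WebApp:
    """A service that knows only its own key plus an LDAP-style group map for authorization."""
    def __init__(self, secret: str, groups: dict, required_group: str):
        self.key, self.groups, self.required = _derive_key(secret), groups, required_group

    def handle(self, ticket: bytes, authenticator: bytes):
        t = _open(self.key, ticket)                       # AP-REQ: verify with service key only
        a = _open(bytes.fromhex(t["key"]), authenticator)
        if t["exp"] < time.time() or a["user"] != t["user"] or abs(time.time() - a["ts"]) > SKEW:
            raise ValueError("rejected ticket or authenticator")
        # authentication done; authorization comes from the (constructed) LDAP group lookup
        return t["user"], self.required in self.groups.get(t["user"], [])


def demo():
    """One login, two services: returns ((user, allowed) for the CMS, (user, allowed) for the wiki)."""
    groups = {"alice": ["staff", "editors"]}                               # constructed LDAP data
    kdc = KDC({"alice": "alice-pw", "HTTP/cms": "cms-key", "HTTP/wiki": "wiki-key"})
    cms = WebApp("cms-key", groups, "editors")
    wiki = WebApp("wiki-key", groups, "wiki-admins")
    alice = Client("alice", "alice-pw", kdc)              # password used here and never again
    return cms.handle(*alice.access("HTTP/cms")), wiki.handle(*alice.access("HTTP/wiki"))


def wrong_password_rejected() -> bool:
    """A bad password cannot decrypt the AS-REP, so no usable TGT is ever obtained."""
    kdc = KDC({"alice": "alice-pw"})
    try:
        Client("alice", "not-her-password", kdc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), wrong_password_rejected())
```

The point the answer makes shows up in `demo()`: the password is consumed once in `Client.__init__`, and both `WebApp` instances decide who the user is from a ticket sealed under their own key, then consult the group map for authorization. Swapping the group dictionary for a real LDAP search is the "LDAP for authorization" half of the client's proposal.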