Kerberos vs. LDAP for authentication -- which one is more secure

  • Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?


    Can we switch between them transparently?

    In what context are you looking to use Kerberos/LDAP auth? Is it for a web app, client app, etc.?

    Authenticating client computers over a domain, for different services and resource access

    Kerberos is more secure because it prevents lateral escalation

  user2320464

    Correct answer

    5 years ago

    Where possible use Kerberos authentication above all else. It was built for providing authentication/authorization and is the most secure option. The whole premise is to exchange credentials in an environment that isn't trusted.

    LDAP can be easily misconfigured to send credentials in clear text over the network. An easy way to prevent this is to always use LDAPS (TCP 636), as it encapsulates all traffic in SSL. LDAP is often used for ad hoc authentication/authorization, especially for web applications using forms authentication.

    Kerberos was not designed to provide authorization. It is an authentication system. Hence, it should be used as an authentication system alone.
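The answer's point about LDAP and clear-text credentials is easy to verify on the wire. The following is an added example, not part of the original question or answer: it builds an LDAP simple BindRequest exactly as RFC 4511 encodes it (BER), shows that the DN and password can be read straight back out of the bytes without any key, and then gives a small audit helper that a client-configuration review can use to flag `ldap://` URLs that are not upgraded with StartTLS. The host names, DN and password are constructed sample values.

```python
"""Added example: why a plain LDAP simple bind leaks the password, and how to
enforce LDAPS/StartTLS when auditing client configuration. Standard library only."""
from urllib.parse import urlparse

# --- minimal BER (ASN.1) helpers, enough for an LDAP BindRequest ---------------

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber(tag: int, content: bytes) -> bytes:
    """One TLV element: tag, length, content."""
    return bytes([tag]) + _ber_len(len(content)) + content

def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- LDAP simple bind, as sent over the network ------------------------------

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    message_id is kept below 128 so the INTEGER fits in one byte (sample only)."""
    bind = (
        _ber(0x02, bytes([3]))             # version INTEGER 3
        + _ber(0x04, dn.encode())          # name LDAPDN (OCTET STRING)
        + _ber(0x80, password.encode())    # authentication: simple [0] OCTET STRING
    )
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, bind))  # 0x60 = [APPLICATION 0]

def decode_simple_bind(frame: bytes):
    """Read DN and password back out of a captured frame. No key is needed,
    which is the whole problem with ldap:// without TLS. Returns None for
    non-simple (e.g. SASL) binds."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)          # skip messageID
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(bind, 0)         # skip version
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None
    return dn.decode(), auth.decode()

# --- configuration audit -----------------------------------------------------

def audit_ldap_url(url: str, starttls: bool = False) -> str:
    """Accept only configurations where the bind happens inside TLS."""
    u = urlparse(url)
    if u.scheme == "ldaps":
        return "ok: TLS from the first byte (LDAPS, default TCP 636)"
    if u.scheme == "ldap" and starttls:
        return "ok: StartTLS upgrades the session before the bind is sent"
    if u.scheme == "ldap":
        return "reject: simple bind would put the password on the wire in clear text"
    return "reject: unrecognised scheme %r" % u.scheme

if __name__ == "__main__":
    frame = simple_bind_request(1, "cn=svc,dc=example,dc=com", "hunter2")  # constructed sample
    print(frame.hex())
    print(decode_simple_bind(frame))       # ('cn=svc,dc=example,dc=com', 'hunter2')
    for url, tls in [("ldap://ldap.example.com", False),
                     ("ldap://ldap.example.com", True),
                     ("ldaps://ldap.example.com:636", False)]:
        print(url, "->", audit_ldap_url(url, starttls=tls))
```

The encoder and decoder are the real RFC 4511 layout, so the decoded tuple matches what a packet capture of an unencrypted bind would show; `audit_ldap_url` is the piece to drop into a configuration linter, with the `starttls` flag supplied from whatever setting the client library uses for it.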

