Kerberos vs LDAP - Which is more secure for authentication?

161    Asked by AlisonKelly in Cyber Security , Asked on Apr 6, 2022

Can you describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?

And Can we switch between them transparently?

Answered by Amit Sinha

Kerberos vs LDAP

  • LDAP authentication is centralised authentication, meaning you have to login with every service, but if you change your password it changes everywhere.
  • Kerberos is single sign-on (SSO), meaning you login once and get a token and don't need to login to other services.
  • There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.
  • There's no right answer. If you need SSO use Kerberos. Else LDAP. You could also consider YP/NIS (over IPSEC) for centralised authn.
  • The fact that the OpenBSD security hawks dropped Kerberos but made their own LDAP server might tell you something... Can we switch between them transparently?
  • No, you cannot. Well, maybe you can with PAM. But your users will notice.

Your Answer


Parent Categories