Kerberos vs LDAP - Which is more secure for authentication?
Can you describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?
And can we switch between them transparently?
Kerberos vs LDAP
- LDAP authentication is centralised authentication, meaning you have to log in to every service, but if you change your password it changes everywhere.
- Kerberos is single sign-on (SSO), meaning you log in once and get a token and don't need to log in to other services.
- There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.
- There's no right answer. If you need SSO use Kerberos. Else LDAP. You could also consider YP/NIS (over IPSEC) for centralised authn.
- The fact that the OpenBSD security hawks dropped Kerberos but made their own LDAP server might tell you something...
Can we switch between them transparently?
- No, you cannot. Well, maybe you can with PAM. But your users will notice.
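As an added illustration of the PAM fallback mentioned in the answer (this is not part of the original post), a Linux-PAM `auth` stack that tries Kerberos first and falls back to an LDAP bind with the same password. The module names are the common `pam_krb5` and `pam_ldap`; the file path and the surrounding `account`/`session` lines are left as assumptions.

```conf
# /etc/pam.d/sshd (auth section only; the path is an assumed example)
# Kerberos first: success here also obtains a TGT, which is what gives SSO.
auth    sufficient   pam_krb5.so  try_first_pass
# Fallback: bind to LDAP with the same password. Authenticates, but no ticket
# is issued, so these users still log in again at every Kerberised service.
auth    sufficient   pam_ldap.so  use_first_pass
# Deny anything neither module accepted.
auth    required     pam_deny.so
```

Both paths accept the same password, which is the "transparent" part; the difference users notice is that only the Kerberos path leaves a ticket behind for later services.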