Cover V13, i07

syslog

We recently mailed our annual Readers' Survey to a subset of subscribers. If you received one, I encourage you to fill it out and return it to us. We value the feedback from readers. On that note, we received some comments in response to the coverage of LDAP in our May issue and, because of space constraints this month, I'm excerpting one of the letters here. Alf Wachsmann wrote:

While reading the two articles about LDAP in your May 2004 issue of Sys Admin magazine, I became rather angry: LDAP can NOT be used securely as an authentication system! If someone is looking for alternatives for their current system, look at Kerberos 5 (MIT or Heimdal).

Also, NIS is not insecure per se. It is insecure as an authentication system but has no problems with security as an authorization system (use "securenets" and block NIS ports on your firewall).

The real shortcoming of LDAP when used for authentication is the fact that encrypted passwords travel over the wire. Modern authentication systems, like Kerberos 5, do not do this. LDAP also cannot provide mutual authentication mechanisms for services. Kerberos has many more built-in security features like a replay cache or pre-authentication.

Hal Pomeranz, our technical editor, responded as follows:

    Given the way the articles turned out, your criticisms are generally well founded. We had hoped to include information on SASL binding between LDAP clients and servers, but that did not happen. Once the client-server communication is fully encrypted and there's strong authentication between the LDAP client and server, I actually consider LDAP to be a reasonably secure (though not perfect) authentication system, but unfortunately that was not the full scenario presented in the articles. We hope to acquire a follow-up piece to complete the picture.

    That being said, I'm also a big fan of Kerberos for authentication. What's always been interesting to me has been the perception of Kerberos as "hard" to do, and yet sites seem to be willing to invest as much or more effort in converting over to LDAP-based systems for authentication. I suspect this is because there are a lot of "canned" NIS to LDAP migration tools out there, so people perceive that the transition is smoother. Or it could be the lack of a clear general naming services choice for Kerberos (whither Hesiod?) -- people know that they need to store more than just basic authentication information, so LDAP seems attractive as a "single source" for all of their network data. Again, I think it's a perception more than reality perhaps.

    I'd frankly be interested in more Kerberos-related content in Sys Admin magazine. In fact I'd dearly love somebody to write an article describing how to authenticate Unix Kerberos clients to Active Directory servers and have a single login for users across the Unix and Windows domains.
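As an added illustration (not part of either letter), here is the client-side OpenLDAP ldap.conf distinction the exchange above turns on: a simple bind over plain ldap://, where the password crosses the wire and the client never checks which server it is talking to, beside a configuration that requires TLS with server certificate verification and binds with SASL/GSSAPI so a Kerberos ticket, not a password, proves the client's identity. Hostnames, base DN and the CA file path are assumed.

```ini
# --- Weak client configuration (assumed host and base DN) ---
# Plain LDAP with a simple bind: "ldapsearch -x -W" sends the bind password
# in clear text, and nothing verifies the server's identity.
URI         ldap://ldap.example.org
BASE        dc=example,dc=org

# --- Corrected client configuration ---
# Encrypted channel with the server certificate verified against a known CA,
# and a SASL/GSSAPI bind: the Kerberos ticket authenticates the client and the
# service ticket exchange gives mutual authentication; no password is sent
# to the LDAP server.
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_CACERT  /etc/ssl/certs/example-ca.pem   # assumed CA bundle path
TLS_REQCERT demand                          # refuse any server cert that does not verify
SASL_MECH   GSSAPI                          # Kerberos-backed bind instead of a simple bind
```

With TLS_REQCERT set to demand, a client whose CA file does not validate the server's certificate refuses the connection instead of silently sending credentials; the default of "never" or "allow" would not.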

If you're interested in writing an article for Sys Admin magazine on Kerberos, LDAP, or some other topic, or simply have feedback to share, please send your proposals to Rikki Endsley (rendsley@cmp.com) and your comments to me (aankerholz@cmp.com). We look forward to hearing from you.

Sincerely yours,

Amber Ankerholz
Editor in Chief