On Mon, Sep 15, 2008 at 9:43 PM, Howard Chu hyc@symas.com wrote:
That's a pretty empty statement. "More secure than LDAP" creates the false implication that there is something inherently insecure about LDAP storage. In fact anything stored in LDAP is as secure as you choose to make it. And of course, there are plenty of sites out there running Kerberos using LDAP as the data store of their KDC.
Using LDAP as the data store for your KDC reduces its security.
I respect that the OpenLDAP community works hard to make OpenLDAP a secure solution for centralized authentication on its own, but respectfully, it would scare me if the OpenLDAP community was not aware that LDAP was not intended to be an authentication store. LDAP's job is Authorization.
To call such a statement empty and FUDly is pretty rude - it's fact.
LDAP is a directory, it's designed for tracking information about things. It can store secrets, but it isn't designed, like Kerberos, to carefully control access to secrets. If your Kerberos secrets are stored in LDAP, you are losing some of what Kerberos gives you.
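For a reader weighing the two positions above, the practical point is that an LDAP-backed KDC is only as protected as the directory's access controls on the key attributes. The fragment below is an added illustration, not part of either message in this thread and not taken from OpenLDAP or MIT Kerberos documentation; it assumes an OpenLDAP slapd.conf-style ACL, the MIT Kerberos LDAP schema's krbPrincipalKey attribute, and hypothetical service DNs under dc=example,dc=com.

```conf
# WEAK (assumed default posture for illustration): a catch-all rule that
# lets any authenticated bind read every attribute, including principal keys.
# With this alone, anyone who can bind to the directory can pull KDC secrets.
#access to *
#    by users read
#    by * none

# HARDENED: match the key attribute first (OpenLDAP evaluates "access to"
# clauses in order, first match wins), and grant it only to the KDC and
# kadmin service identities. "by * none" denies everyone else, including
# the principal's own entry (self) and directory administrators binding
# as ordinary users.
access to attrs=krbPrincipalKey
    by dn.exact="cn=kdc-service,dc=example,dc=com" write
    by dn.exact="cn=adm-service,dc=example,dc=com" write
    by * none

# Remaining principal data (names, policies, timestamps) can stay readable
# to authenticated users without exposing key material.
access to *
    by users read
    by * none
```

The order matters: if the `access to *` rule came first it would match krbPrincipalKey as well and the narrower rule would never be consulted. After loading the ACL, the check a practitioner would run is a bind as an ordinary user followed by a search requesting `krbPrincipalKey` on a principal entry, confirming the attribute is absent from the result. Heimdal's hdb schema uses a different key attribute name, so the `attrs=` clause would need adjusting for that KDC.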