Mantas Mikulėnas grawity at gmail.com
Mon Nov 5 17:33:34 AEST 2018

On Mon, Nov 5, 2018 at 9:24 AM Mantas Mikulėnas <grawity at gmail.com> wrote:
> > > In my experience LDAP is preferred in a pure *nix environment these
> > > days. I've never played much with Kerberos.
> >
> > Does that mean that the authentication is also done across LDAP?  I hope
> > that it's encrypted LDAP.

I replied to the second sentence, but missed the first one. Yes, many
places use LDAP for authentication.

Strictly speaking LDAP is not an *authentication* protocol, but it *is*
a read/write protocol: the way you make updates to the directory isn't
by rebuilding it from a text file, but by authenticating and sending
updates via LDAP itself. Naturally this supports TLS for encrypting the
channel.

Normally it isn't just the sysadmin who can do so, but every user can
also authenticate as themselves (i.e. "bind" to their own entry in
LDAP terms). Maybe they can't edit anything at all, maybe they can
edit only their own finger information, but they're usually able to
authenticate nevertheless.

And so many installations just turn this backwards and declare "If you
can successfully bind to the LDAP database, you must be a valid user".

Mantas Mikulėnas
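The "if you can bind, you are a valid user" pattern described in the mail, as an added example that is not part of the original thread. Because it has to run offline, it simulates a directory server's simple-bind behaviour in memory rather than using a real LDAP library; the DN, password and the `SimulatedDirectory`, `naive_login` and `hardened_login` names are constructed for the example. The simulation reproduces one assumption worth checking on any real deployment: many LDAP servers treat a bind with a DN but an empty password as an anonymous ("unauthenticated", in RFC 4513 terms) bind and report success, so an application that equates "bind succeeded" with "valid user" accepts any username with a blank password unless it checks for that. TLS on the connection, which the mail mentions, is out of scope of the simulation.

```python
"""Bind-as-the-user authentication, simulated offline (added example).

Assumptions (mine, not the mailing-list author's):
  * the server performs RFC 4513 simple bind and, like many real servers
    in their default configuration, answers a DN + empty password bind
    with success as an anonymous/unauthenticated bind;
  * user entries and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool        # what the server reports for the bind operation
    authenticated: bool  # False for anonymous/unauthenticated binds


class SimulatedDirectory:
    """Minimal stand-in for an LDAP server's simple-bind semantics."""

    def __init__(self, allow_unauthenticated_bind: bool = True):
        self.allow_unauthenticated_bind = allow_unauthenticated_bind
        self._entries: dict[str, tuple[bytes, bytes]] = {}  # dn -> (salt, hash)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries[dn] = (salt, self._hash(salt, password))

    def simple_bind(self, dn: str, password: str) -> BindResult:
        # DN supplied but password empty: unauthenticated bind. Servers that
        # allow it report success without verifying anything about the DN.
        if password == "":
            return BindResult(success=self.allow_unauthenticated_bind,
                              authenticated=False)
        entry = self._entries.get(dn)
        if entry is None:
            return BindResult(success=False, authenticated=False)
        salt, stored = entry
        ok = hmac.compare_digest(stored, self._hash(salt, password))
        return BindResult(success=ok, authenticated=ok)


def naive_login(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """The pattern quoted in the mail: bind succeeded => valid user."""
    return directory.simple_bind(dn, password).success


def hardened_login(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """Reject empty credentials before binding and require an authenticated bind."""
    if not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.authenticated


if __name__ == "__main__":
    d = SimulatedDirectory()                     # default: unauthenticated bind allowed
    alice = "uid=alice,ou=people,dc=example,dc=org"   # constructed sample entry
    d.add_user(alice, "correct horse battery staple")
    print("naive, right password:", naive_login(d, alice, "correct horse battery staple"))
    print("naive, empty password:", naive_login(d, alice, ""))        # accepted: the pitfall
    print("hardened, empty password:", hardened_login(d, alice, ""))  # rejected
```

The two fixes in `hardened_login` are independent and both worth having: refusing an empty password client-side covers servers that permit unauthenticated binds, and requiring `authenticated` (in a real client, checking that the bound identity is the requested DN, for instance via the "Who am I?" extended operation) covers any other path by which the server grants an anonymous session. Disabling unauthenticated binds on the server side is the matching control.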
