Friday, November 12, 2004
Kerberos vs. LDAP for authentication
The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner; this is one of the many requirements for application security for which Kerberos is ideally suited.

I think we need to compare the LDAP directory and the Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.

I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?

LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.

Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built-in prevention from network replay attacks and protection against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- a protocol that allows support for userid/password, token card, smart card authentication and other forms of user authentication - LDAP is only suited to userid/password
- works well in a client/server and multi-tier environment, especially when using credential delegation or impersonation
- can be used to set up a security context between application components on the network - LDAP cannot be used for this.
- provides mutual authentication, integrity, confidentiality services - LDAP does not do any of these
- makes single sign-on easy, especially since Microsoft Active Directory does the Kerberos authentication when a user logs onto a MS network
- works well in a heterogeneous environment
- supported and utilised by a growing number of application vendors and standards
- a strategic protocol in many ways because of having many uses - it can even be used very effectively to allow an unattended application to authenticate itself to another application (e.g. ftp -> ftpd).
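Two of the differences listed above, credentials with a lifetime and built-in replay prevention, come from checks an application server performs when it processes a Kerberos AP_REQ: the ticket's validity window, the freshness of the authenticator timestamp, and a replay cache of authenticators already seen. The following is an added illustration of those checks as a toy model, not code from the original post or from any Kerberos implementation. It simplifies deliberately: a real ticket is encrypted under the service key so the client cannot read the session key, whereas here the ticket is only integrity-protected with an HMAC; the keys, principal names and timestamps are constructed for the example.

```python
"""Toy model of the ticket and authenticator checks an application server makes
in the Kerberos AP exchange. Constructed example; not a real Kerberos library."""
import hashlib
import hmac
import json
import os


def _mac(key: bytes, fields: dict) -> str:
    """Integrity tag over the canonical JSON of the fields.
    Toy stand-in for the encryption real Kerberos applies to tickets/authenticators."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_ticket(service_key, client, service, session_key, now, lifetime=300):
    """KDC side: a ticket binds the client, the service, a fresh session key
    and a validity window (starttime/endtime). Lifetime is in seconds."""
    body = {"client": client, "service": service, "session_key": session_key.hex(),
            "starttime": now, "endtime": now + lifetime}
    return {"body": body, "mac": _mac(service_key, body)}


def make_authenticator(session_key, client, ctime):
    """Client side: a freshly timestamped proof that the client holds the
    session key. No password is involved at this point."""
    body = {"client": client, "ctime": ctime}
    return {"body": body, "mac": _mac(session_key, body)}


class ServiceVerifier:
    """Application server side: the checks performed on an incoming AP_REQ."""

    def __init__(self, service_key, clock_skew=300):
        self.service_key = service_key
        self.clock_skew = clock_skew          # max tolerated clock difference, seconds
        self.replay_cache = set()             # (client, ctime) pairs already accepted

    def verify(self, ticket, authenticator, now):
        body = ticket["body"]
        # 1. Ticket must be genuinely issued for this service (service-key check).
        if not hmac.compare_digest(ticket["mac"], _mac(self.service_key, body)):
            return False, "bad ticket mac"
        # 2. Credential lifetime: the ticket is only valid inside its window.
        if not (body["starttime"] <= now <= body["endtime"]):
            return False, "ticket expired"
        # 3. Authenticator must be made with the session key carried in the ticket.
        session_key = bytes.fromhex(body["session_key"])
        abody = authenticator["body"]
        if not hmac.compare_digest(authenticator["mac"], _mac(session_key, abody)):
            return False, "bad authenticator mac"
        if abody["client"] != body["client"]:
            return False, "client mismatch"
        # 4. Freshness: an authenticator far outside the clock skew is rejected.
        if abs(now - abody["ctime"]) > self.clock_skew:
            return False, "authenticator too old"
        # 5. Replay prevention: the same authenticator is never accepted twice.
        key = (abody["client"], abody["ctime"])
        if key in self.replay_cache:
            return False, "replay"
        self.replay_cache.add(key)
        return True, "ok"


def demo():
    """Run the verifier over constructed cases and return the outcomes."""
    service_key = os.urandom(32)   # constructed; real keys derive from principal passwords
    session_key = os.urandom(32)   # constructed; real KDCs generate this per ticket
    client = "alice@EXAMPLE.COM"   # constructed principal names
    service = "host/app.example.com@EXAMPLE.COM"
    now = 1_700_000_000            # constructed epoch timestamp
    ticket = issue_ticket(service_key, client, service, session_key, now)
    verifier = ServiceVerifier(service_key)

    auth = make_authenticator(session_key, client, now + 1)
    results = {
        "fresh": verifier.verify(ticket, auth, now + 1),
        # Same authenticator presented a second time: caught by the replay cache.
        "replayed": verifier.verify(ticket, auth, now + 2),
        # New authenticator, but the ticket's 300 s lifetime has run out.
        "expired": verifier.verify(
            ticket, make_authenticator(session_key, client, now + 400), now + 400),
    }
    # Ticket body altered after issue: the service-key MAC no longer matches.
    tampered = {"body": dict(ticket["body"], client="mallory@EXAMPLE.COM"),
                "mac": ticket["mac"]}
    results["tampered"] = verifier.verify(
        tampered, make_authenticator(session_key, "mallory@EXAMPLE.COM", now + 3), now + 3)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The replay cache here lives in memory for the life of the process; a real server must retain entries for at least the clock-skew window, which is why Kerberos implementations persist their replay cache and why keeping clocks synchronised matters for the freshness check.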