ldap vs kerberos authentication for idpv3

Cantor, Scott cantor.2 at osu.edu
Mon Feb 8 19:00:45 EST 2016


On 2/8/16, 3:01 PM, "users on behalf of Paul B. Henson" <users-bounces at shibboleth.net on behalf of henson at cpp.edu> wrote:



>We are finally getting around to working on upgrading to idp v3 (too much to do, too few resources, I'm sure many educational institutions can sympathize <sigh>), and I was curious how many sites authenticate via ldap compared to how many authenticate via kerberos?

LDAP >>> Kerberos, it's safe to say.

>It has a number of characteristics that make it annoying as an authorization source, such as its lack of case sensitivity: it will happily authenticate a mixed case UsERNAme, as well as one with leading or trailing white space, which really confuses an underlying application. We worked around that in idpv2 with client-side JavaScript on the login page; I'm not sure if there was a better way in v2 or is a better way in v3.

Sanitizing the output of the login is formally supported in V3, and there are a lot of less formal hooks for applying transforms to what the user enters before it gets validated: trimming, case folding, regex, etc.

> In any case, we also have a heavily used kerberos deployment on campus that is the authentication back end for our unix systems and our secure nfs deployment. Particularly given I see that SPNEGO is supported in idpv3 I'm seriously considering switching to kerberos for idpv3 and just using ldap for attributes, not authentication.

I certainly advocate it; it's much simpler, faster, more reliable, etc. What people don't like about it is that they think it's a "feature" to let people enter ten different kinds of data and log in with any of them.

The latest version has a very poorly tested rewrite that should support service accounts for KDC verification, which looks a lot like SPNEGO and probably should be sharing code with it, but I did all that before I had SPNEGO in front of me.

>But before I did, I thought I'd just see how many people were, and how well it was working for them, and if there were any caveats or concerns I should take into consideration before moving forward with it.

I've used it with V2 with just the old JAAS module for ten years. Primarily with MIT, now switching to an AD. Not thrilled with the move to TCP, but it's been fine so far, just been a few days though.

Anyway, I maintain it should be the go-to choice for the majority of sites, given that the majority now have AD anyway.

-- Scott
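The problem discussed in this thread, as an added illustration that is not code from the Shibboleth IdP or from either poster: a case-insensitive, whitespace-tolerant LDAP bind accepts "  PHenson " as a valid login, and if the raw string is released as the principal the downstream application sees garbage; transforming the input before validation and releasing the directory's canonical uid fixes that, while an exact-match KDC never accepts the mangled form in the first place. The account table and passwords are constructed sample data.

```python
import re

# Constructed sample directory standing in for the LDAP / KDC back end;
# keys are the canonical account names as the directory stores them.
SAMPLE_ACCOUNTS = {
    "phenson": {"uid": "phenson", "password": "correct-horse"},
    "scantor": {"uid": "scantor", "password": "battery-staple"},
}

# Canonical form an application may receive: trimmed, lower-case,
# no embedded whitespace (assumed local policy, not an IdP default).
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def ldap_bind(entered: str, password: str):
    """Emulates a simple LDAP bind: uid matching is case-insensitive and
    ignores leading/trailing whitespace, so 'UsERNAme ' still binds."""
    entry = SAMPLE_ACCOUNTS.get(entered.strip().lower())
    if entry is None or entry["password"] != password:
        return None
    return entry


def kdc_login(entered: str, password: str):
    """Emulates an MIT-style KDC: principal names match exactly, so only
    the canonical spelling authenticates."""
    entry = SAMPLE_ACCOUNTS.get(entered)
    if entry is None or entry["password"] != password:
        return None
    return entry


def principal_passthrough(entered: str, password: str):
    """The v2-era problem: whatever the user typed is released as the principal."""
    return entered if ldap_bind(entered, password) else None


def principal_canonical(entered: str, password: str):
    """Fix: transform before validation (trim, case-fold, reject anything that
    is not a clean identifier) and release the directory's own uid."""
    candidate = entered.strip().lower()
    if not USERNAME_RE.fullmatch(candidate):
        return None
    entry = ldap_bind(candidate, password)
    return entry["uid"] if entry else None
```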
