Standard Windows Active Directory AuthN/AuthZ isn't LDAP. It is Kerberos
(and NTLM). It uses the LDAP Directory in the backend for its database to
store credentials and group mapping as well as any other relevant data for
the users and other objects as LDAP/DAP Directories were intended to be
used.

While the LDAP protocol can be used for authentication, Kerberos is
expected to be the safer authentication mechanism, as no passwords are
transferred in the requests as they are with LDAP authentication. When you
log on with Windows to Active Directory, a Kerberos authentication occurs
and the ticket is then passed with any/all LDAP requests after that to
access data in AD, or on other servers.

That being said, some applications (generally *NIX apps) will authenticate
to Active Directory with LDAP. If this is done, the Domain Controllers
should have PKI certs on them and LDAPS or TLS should be used to secure the
LDAP traffic; otherwise the passwords are going across the network in clear
text. Better is to use Kerberos, which is possible via the open source kerb
packages, and there are several third-party vendors now producing
products to do it properly (and easily) including Dell (via Vintela/Quest
product), Centrify, and BeyondTrust.


For the OpenLDAP/Kerberos bits... See

http://www.linux-mag.com/id/4738/
http://www.linux-mag.com/id/4765/
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_ldap.html

To get started.

   joe


--
O'Reilly Active Directory Fifth Edition - http://link.joeware.org/AD5E
Blog: http://blog.joeware.net
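
As an added example (not from joe's reply, nor code from OpenLDAP or nslcd), the script below audits an nslcd/pam_ldap-style client configuration for the clear-text simple-bind problem described above: it flags a config that binds over plain ldap:// without StartTLS, one that skips certificate verification, and one that ships a static bindpw where SASL/GSSAPI (Kerberos) would avoid sending a password at all. Both configs and the host names in them are constructed; the key names follow nslcd.conf conventions (uri, ssl, tls_reqcert, sasl_mech).

```python
"""Audit an nslcd/pam_ldap-style client config for clear-text LDAP binds.

Constructed example: parses 'key value' lines, then checks whether the
client would send a simple-bind password without transport protection
(no ldaps:// and no StartTLS) or without verifying the server's cert.
"""

WEAK_CONF = """\
# constructed sample: authenticates to AD over plain LDAP
uri ldap://dc1.example.internal
base dc=example,dc=internal
binddn cn=svc-ldap,cn=Users,dc=example,dc=internal
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
ssl off
"""

HARDENED_CONF = """\
# constructed sample: StartTLS with certificate verification, and
# Kerberos (SASL/GSSAPI) for the bind so no password crosses the wire
uri ldap://dc1.example.internal
base dc=example,dc=internal
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-internal-ca.pem
sasl_mech GSSAPI
"""


def parse_conf(text):
    """Return {key: [values]} for 'key value' lines, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    uris = conf.get("uri", [])
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()   # nslcd: off | on | start_tls
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    encrypted = all_ldaps or ssl_mode in ("on", "start_tls")
    if not encrypted:
        findings.append("clear-text LDAP: no ldaps:// URI and no StartTLS")
    # Assumption: an unset tls_reqcert falls back to libldap's default of 'demand'.
    if encrypted and conf.get("tls_reqcert", ["demand"])[-1].lower() in ("never", "allow"):
        findings.append("TLS without server cert verification (tls_reqcert)")
    if "bindpw" in conf and "sasl_mech" not in conf:
        findings.append("static bindpw used for simple bind; consider sasl_mech GSSAPI")
    return findings
```

Run `audit(WEAK_CONF)` to see both findings, and `audit(HARDENED_CONF)` to confirm the corrected config passes.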


On Mon, Aug 10, 2015 at 11:53 AM, Chris Jacobs <[email protected]>
wrote:

> It can be used for any of it.
>
> Here, we use OpenLDAP for authentication (login) and authorization (who
> can login via sshd allowed groups, who can sudo) on our group's systems –
> this requires the information being available as well as configuring the
> clients to USE that information. We also use it to store inventory data
> which is neither authn nor authz (hey, OpenLDAP is a decent hammer and the
> problem at the time looked like a nail).
>
> Corporate uses Microsoft Active Directory (based on LDAP) – which is used
> for authn, authz, and a plethora of other uses (mail settings, location
> info, managing host 'members', etc).
>
> Perhaps googling "what is LDAP for" would be a good place to start with
> your questions.
>
> - chris
>
> *From:* openldap-technical [mailto:[email protected]]
> *On Behalf Of *Kaushal Shriyan
> *Sent:* Monday, August 10, 2015 5:16 AM
> *To:* Nick Milas <[email protected]>; [email protected]
> *Subject:* Re: Is Openldap a Authorization or Authentication system?
>
> Hi Nick,
>
> Thanks for the explanation. Does AAI mean Authentication Authorization
> Identity and SSO mean Single Sign On?
>
> As per your example of OpenLDAP + Kerberos or Radius, is OpenLDAP used
> for Authentication and the Kerberos or Radius server for Authorization? Please
> clarify.
>
> Regards,
>
> Kaushal
>
> On Mon, 10 Aug 2015 at 17:37 Nick Milas <[email protected]> wrote:
>
> On 10/8/2015 2:16 PM, Kaushal Shriyan wrote:
>
> > I am not sure if I understand the difference between Authorization and
> > Authentication. Does OpenLDAP support both, or is it configured as an
> > Authorization or an Authentication server? I would appreciate it if
> > somebody can help me understand with some examples.
> >
>
> From Wikipedia: "Authentication is the act of confirming the truth of
> an attribute of a datum or entity. This might involve confirming the
> identity of a person or software program, tracing the origins of an
> artifact, or ensuring that a product is what its packaging and labeling
> claims to be." That's how we know who an application talks to.
>
> From Wikipedia: "Authorization is the function of specifying access
> rights to resources." After authentication we know the person, but we are
> still unsure whether it's supposed to access a given resource, and hence
> the need for authorization.
>
> To get to know Openldap, read: http://www.openldap.org/doc/admin24/
>
> Everything depends on what you are trying to do, your project needs.
>
> An example for AAI services would be something like OpenLDAP + Kerberos
> or Radius. Google for AAI / SSO systems.
>
> Best regards,
> Nick
>