What is Kerberos

Kerberos is an authentication protocol that is widely used as a component of large scale cross-platform security systems. It is a network authentication protocol that is designed to provide strong authentication, integrity and confidentiality for client/server and multi-tier applications. A Kerberos client obtains a "ticket" from a Key Distribution Center (KDC). This ticket is then used by the Kerberos client to authenticate the client to Kerberos enabled applications.

Kerberos support in the Isode Products

Isode support Kerberos authentication as one of the options in its SASL functionality, used by M-Vault (LDAP) and M-Switch (SMTP). SASL enables a client to send a Kerberos ticket to the server, and thus enables Kerberos authentication.

Isode implements Kerberos support using GSS API, which is a standardized API defined in RFC 2743 provided by Kerberos implementations. While Isode's products can be used with any Kerberos implementation supporting the GSS API, we recommend use of the Kerberos implementation from our partner CyberSafe. The CyberSafe product is a commercially supported and robust implementation, which is available on all of the Isode platforms.

M-Vault supports changing Kerberos password using the LDAP Password Modify extended operation, so that LDAP can be used to manage Kerberos credentials.

Kerberos and LDAP

Kerberos is an authentication system. LDAP can be used for both authentication and authorization. There are many ways that Kerberos and LDAP can be used together. Some of these are described below.

Scenario 1: LDAP use in a Kerberos enabled Organization

Where an organization makes use of Kerberos for authentication, it makes sense for all applications to make use of this authentication. Thus, if such an organization wishes to use LDAP, it will want to use Kerberos authentication of LDAP clients. This is supported directly by the Isode products using SASL.

Scenario 2: LDAP Authorization to support Kerberos Authentication

Where an application, such as a Web application, uses Kerberos authentication, there is often a requirement for specific authorization. LDAP is a straightforward way to achieve this, by use of LDAP attributes in the client entry to control application authorization. In order to achieve this, the application will need to connect to an LDAP directory using SASL authentication. This is a straightforward variant of scenario 1.

Scenario 3: LDAP enabled Application using Kerberos Authentication

Some applications have built in LDAP authentication and authorization. Where an organization is using Kerberos authentication, this is problematic, as the application cannot be used directly. This application can be integrated by using proxy authentication support in the LDAP server, where the LDAP server handles the authentication request by passing it on to Kerberos.

Isode is considering adding support for this scenario. Let us know if you require this support.

Scenario 4: Organization with mixed Authentication methods

Many organizations end up using multiple authentication methods. Consider an organization that uses Kerberos for some users and username/password for others. In this situation, the application can prompt the user for a username, and then use LDAP to access the directory to identify the user and the authentication mechanism that is used by that user. If the user has simple password authentication, the application can prompt the user for a password and perform simple password based authentication using LDAP. If the user has Kerberos authentication, a ticket can be obtained (if one is not already available) and Kerberos authentication used.

In this scenario, LDAP Password modify can be used to change passwords for users, with a single mechanism common to all users.