Throughout human history, there have been many revolutions that transformed our society completely. The internet was behind one of the more recent revolutions as it essentially changed how we think about and connect with the whole world. It brought forth new frontiers in not just communication but scientific, educational, and interpersonal progress, to name just a few.
However, a revolutionary technology like the internet has smaller working parts at its very foundation. For example, data transfer and requests over the internet happen consistently and securely thanks to robust computer networking protocols. While most such protocols are global standards, a user can choose certain protocols according to their preference. For user authentication over a network, for example, some use LDAP, while others prefer Kerberos.
This article will dive into LDAP and Kerberos to understand how both protocols work and their different use cases. It will also look at what advantages one offers over the other and paint a picture of the fundamental differences between the two protocols.
Understanding LDAP And How It Works
User authentication is an integral part of the internet’s workings and fundamental to a network’s security. It is especially essential for private networks, like VPNs hosted by enterprises, whose resources and data are intended to be accessed only by their employees. For such a scenario, most protocols rely on maintaining a database of user credentials and authenticating against it when the need arises. One such protocol is LDAP.
Short for Lightweight Directory Access Protocol, the protocol has many uses besides user authentication, such as adding or deleting entries or searching for information. LDAP works mainly with directory servers, databases that store information as a tree of entries rather than regular rows and columns. Directory servers such as ApacheDS and Microsoft Active Directory support LDAP.
The tree structure of directory servers helps implement the hierarchical structure that all enterprises have: user information is stored along with the user’s place in that hierarchy. Searching a directory server with LDAP is supported by several intelligent filters, such as approximate matching against the given information, and by a time limit for the search. LDAP is also capable of processing multiple requests from the same client in parallel.
LDAP requests and responses can carry additional information (controls) that says more about them or directs how they are to be interpreted. Such information includes instructions for the server on what to do if it does not recognize the additional information or cannot honour it. With LDAP, the number of individual databases an enterprise manages can decrease significantly, and it also allows for multiple independent directories.
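As an added example that is not part of the article, the following Python evaluates LDAP search filters in the standard parenthesised syntax against a constructed in-memory directory, including the approximate-match operator and the search time limit mentioned above. The directory contents are made up, and the containment rule used for approximate matching is an assumption, since each server defines its own notion of "approximate".

```python
import fnmatch
import time

# Constructed sample directory, DN -> attributes (every LDAP attribute is multi-valued)
DIRECTORY = {
    "ou=eng,dc=example,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["eng"]},
    "uid=jdoe,ou=eng,dc=example,dc=com": {"objectclass": ["person"], "cn": ["John Doe"], "title": ["Engineer"]},
    "uid=asmith,ou=sales,dc=example,dc=com": {"objectclass": ["person"], "cn": ["Anna Smith"], "title": ["Manager"]},
}

def parse_filter(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, index just past it)."""
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|":                           # AND / OR over a list of sub-filters
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i + 1] == "!":                            # NOT over exactly one sub-filter
        kid, i = parse_filter(s, i + 2)
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    for sym in ("~=", ">=", "<=", "="):            # two-character operators before plain "="
        if sym in s[i + 1:end]:
            attr, val = s[i + 1:end].split(sym, 1)
            return (sym, attr.lower(), val), end + 1
    raise ValueError(f"bad filter item {s[i:end + 1]!r}")

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    op = node[0]
    if op in "&|!":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    values = [v.lower() for v in entry.get(node[1], [])]
    val = node[2].lower()
    if op == "=":  return any(fnmatch.fnmatchcase(v, val) for v in values)  # '*' gives substring / presence
    if op == "~=": return any(val in v for v in values)  # approximate match is server-defined; containment here
    return any(v >= val if op == ">=" else v <= val for v in values)

def search(base, filter_text, time_limit=1.0):
    """Return matching DNs under base; past the deadline give up like LDAP resultCode 3 (timeLimitExceeded)."""
    node, _ = parse_filter(filter_text)
    deadline, hits = time.monotonic() + time_limit, []
    for dn, entry in DIRECTORY.items():
        if time.monotonic() > deadline: raise TimeoutError("timeLimitExceeded")
        if dn.lower().endswith(base.lower()) and matches(node, entry):
            hits.append(dn)
    return hits
```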
Unraveling The Workings Of Kerberos
Named after the three-headed guard dog of the Underworld in Greek mythology, Kerberos was initially developed by MIT in the early ’90s. Over time, it has found much wider acceptance and has emerged as the most widely used authentication and authorization protocol today. MIT maintains and implements Kerberos, and it ships with all the major operating systems, including Windows, Mac, and Unix systems.
The main objective of Kerberos was to provide user authentication without relying on a secure network as a prerequisite. However, it does require that the hosts be trusted if the network is not. Kerberos is rendered useless if, for example, someone obtains privileged access to the server. Such a scenario is bad news for any user authentication protocol, even Active Directory in the cloud.
MIT designed Kerberos and its strategies after analyzing the different authentication scenarios that can arise. Some of the key aims of those strategies are:
- The user’s password must not travel over the network, must not be stored on the client’s machine, and should never exist in unencrypted form.
- Kerberos asks for the password once per work session, and that is then used for all authentication purposes during the session (called Single Sign-On).
- Once authentication and authorization are complete, Kerberos establishes an encrypted connection between client and server by generating and exchanging an encrypted key.
These strategies have led Kerberos to implement a robust authentication and authorization mechanism that is preferred over its peers. However, users can always choose other options. One popular choice apart from Kerberos is setting up an Active Directory domain.
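To make the three aims concrete, here is a toy Python sketch of the Kerberos AS exchange (an added example, not MIT's code): the client derives a key from the password locally, the KDC returns a ticket and a session key encrypted under that key, and the password itself never crosses the wire. The realm, the principal and the HMAC-based stand-in cipher are assumptions made for the example; real Kerberos uses ASN.1 messages and AES encryption types.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"        # constructed realm for the example
TICKET_LIFETIME = 10 * 3600  # the 10-hour ticket lifetime the article cites

def string_to_key(password, principal):
    """Long-term key derived from the password on the client and pre-registered at the KDC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag) standing in for Kerberos enctypes."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    """Verify the tag first; a wrong key (i.e. a wrong password) fails here without revealing anything."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server side: stores derived keys only, never the passwords themselves."""
    def __init__(self, principals):
        self.keys = {p: string_to_key(pw, p) for p, pw in principals.items()}
        self.tgs_key = os.urandom(32)        # shared only with the ticket-granting service

    def as_exchange(self, principal):
        """AS-REQ names the principal; AS-REP is a TGT plus a part only the right long-term key opens.
        (Pre-authentication, which real KDCs use to stop offline guessing, is omitted for brevity.)"""
        if principal not in self.keys: raise KeyError("unknown principal")
        session_key, expiry = os.urandom(32).hex(), int(time.time()) + TICKET_LIFETIME
        tgt = encrypt(self.tgs_key, {"client": principal, "key": session_key, "expiry": expiry})
        return tgt, encrypt(self.keys[principal], {"key": session_key, "expiry": expiry})

def client_login(kdc, principal, password):
    """Client side: the password is used locally to derive the key and then dropped; it never hits the wire."""
    tgt, enc_part = kdc.as_exchange(principal)
    part = decrypt(string_to_key(password, principal), enc_part)   # wrong password -> ValueError
    return {"tgt": tgt, "session_key": part["key"], "expiry": part["expiry"]}

def tgt_client(kdc, tgt, now=None):
    """TGS side: open the ticket with the TGS key and return the client name if it has not expired."""
    t = decrypt(kdc.tgs_key, tgt)
    return t["client"] if t["expiry"] > (now if now is not None else time.time()) else None
```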
LDAP vs. Kerberos - Difference Explained
Both LDAP and Kerberos are popular choices for user authentication across all kinds of private networks. However, choosing between the two requires going through their main differences. Only then can an enterprise decide whether the former or the latter is better suited to its authentication and authorization needs.
Given below are the main differences between the two popular protocols:
- Different Aims and Objectives: Kerberos and LDAP were invented for, and continue to serve, very different use cases. While Kerberos is mainly used for its SSO capabilities and for exchanging credentials over an unsafe network, LDAP is known for its extensive lookup abilities. While both can perform user authentication, Kerberos is generally preferred due to its powerful strategies and implementation.
With such different aims, many enterprises choose to use LDAP and Kerberos in conjunction with each other. Once Kerberos has authenticated and authorized the user, LDAP can look up their data and see what level of authorization they are permitted.
- Different Levels of Complexity: The two protocols differ in the complexity of their internal workings. While considered safer and more robust, Kerberos is significantly more complex than LDAP, both to configure and in the protocol itself. However, Kerberos is still considered more convenient despite its complexity, while LDAP is regarded as more tedious due to some of its disadvantages.
With Kerberos and LDAP having different complexity levels, the final decision for an enterprise will also depend on its resources. An example of Kerberos’ complex but convenient operation: once authenticated, a user is given a ticket valid for 10 hours so that the authentication server is not overwhelmed with additional requests.
- Different Levels of Susceptibility To Misconfiguration: Owing to its more complex nature and rigid strategies, Kerberos is less open to misconfiguration than LDAP. For example, Kerberos never sends passwords over the network. LDAP, however, can be configured to send credentials as plain text over the network, ready to be intercepted by anyone snooping around.
An administrator can prevent this, however, by using LDAPS, which encrypts all LDAP traffic with SSL before it is sent.
- Different Kinds of Disadvantages: The difference between Kerberos and LDAP extends to their respective disadvantages as well. On one hand, Kerberos provides SSO but requires the constant availability of a Key Distribution Center (KDC) to function; the KDC can be Kerberos’ single point of failure. On the other hand, LDAP doesn’t support SSO and requires credentials every time, leading to more hassle.
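The cleartext simple bind described under misconfiguration above can be recognised on the wire, which is how a defender audits for it. The following Python (an added example, not from the article) decodes an LDAP BindRequest from its BER encoding, reports the authentication method with the secret redacted to its length, and flags simple binds on sessions without TLS; the sample messages are constructed for the example, not real captures.

```python
def tlv(tag, value):
    """BER-encode one TLV (short or long length form); used only to build the constructed samples."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def read_tlv(buf, i=0):
    """Decode the BER TLV at buf[i]; return (tag, value, index just past it)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                          # long form: low 7 bits give the number of length octets
        size = length & 0x7F
        length, i = int.from_bytes(buf[i:i + size], "big"), i + size
    return tag, buf[i:i + length], i + length

def parse_bind_request(packet):
    """Parse one LDAPMessage; return bind details (secret redacted) or None if it is not a BindRequest."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:                            # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msg_id, i = read_tlv(msg)               # messageID INTEGER
    tag, op, _ = read_tlv(msg, i)
    if tag != 0x60:                            # BindRequest is [APPLICATION 0], constructed
        return None
    _, version, i = read_tlv(op)
    _, bind_dn, i = read_tlv(op, i)
    auth_tag, cred, _ = read_tlv(op, i)        # AuthenticationChoice: [0] simple -> 0x80, [3] sasl -> 0xA3
    return {"message_id": int.from_bytes(msg_id, "big"), "version": int.from_bytes(version, "big"),
            "bind_dn": bind_dn.decode(), "auth": {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "other"),
            "secret_len": len(cred)}           # keep only the length; never log the credential itself

def cleartext_bind_alert(packet, dst_port, tls_established):
    """Defender check: a simple bind carrying a non-empty password over a session without TLS."""
    info = parse_bind_request(packet)
    if not info or info["auth"] != "simple" or info["secret_len"] == 0:
        return None                            # not a bind, a SASL bind, or an anonymous/unauthenticated bind
    if tls_established or dst_port == 636:     # LDAPS, or StartTLS already negotiated on the session
        return None
    return f"cleartext simple bind for {info['bind_dn']!r} on port {dst_port}"

# Constructed sample messages (not real captures): an LDAPv3 simple bind and a SASL GSSAPI bind
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
                  + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"example-secret")))
SASL_BIND = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60, tlv(0x02, b"\x03")
                + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, b"GSSAPI"))))
```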
Securing Your Networks With LDAP And Kerberos
Both Kerberos and LDAP can serve your authentication and lookup needs, respectively. However, it is essential to realize that they are fundamentally different protocols with different aims. The final decision to go with one or the other depends on whether you are looking for the most robust user authentication and authorization available or for powerful directory lookup capabilities.