Authentication process in Active directory ... ldap or kerberos


    I am not new to Active Directory, but I am not an expert either, and I was studying the authentication process in AD in detail. All the links talk about "Kerberos", and I have read a lot about it today, but: does LDAP not participate in the authentication process?

    LDAP within Active Directory is an idea that is a bit harder for me to grasp.

    Thanks in advance!
    Madrid (Spain).

  • #2
    Re: Authentication process in Active directory ... ldap or kerberos

    LDAP is the Lightweight Directory Access Protocol. It's a method of accessing the data in the directory.

    Kerberos is a security mechanism that allows you to access the data. Kerberos is used to authenticate both the client and the server, so they may communicate over an otherwise insecure network.

    The post by Bryan with score 16 might be helpful.

    Every time you need to access a resource, your credentials need to be validated against the directory. Kerberos does that by using tickets, which are granted at logon, rather than continually sending password details.



    • #3
      Re: Authentication process in Active directory ... ldap or kerberos

      Thanks, TehCamel.

      Yes, I had read those links before posting. I usually do so before asking a question. There is so much information out there.

      What I didn't find is how LDAP takes part in the authentication process. I guess it does not take part, but when I monitor my workstation logging into the domain, I see LDAP traffic on 389/TCP.

      Maybe LDAP just performs searches for any object in Active Directory?

      Sorry if it is too basic a question, but: what is the function of an LDAP server such as a domain controller in Active Directory? Does it "only" store all the objects in Active Directory while the clients perform searches?
      Madrid (Spain).


      • #4
        Re: Authentication process in Active directory ... ldap or kerberos

        Hmmm... I'll take a stab at it.

        I'm just going to throw out some points that may help to clarify LDAP's role in AD.

        LDAP is based on the X.500 DAP model. If you know how an LDAP system works, then you know that LDAP was designed for both reading and writing, but has really been optimized for reading...

        This is because an LDAP system doesn't operate like an AD environment. In an LDAP network, there is usually one 'master' server that hosts the writable directory, and any additional servers operate on a copy pulled (or pushed) from the master. Keep in mind that LDAP is a protocol and not a database; therefore there is no 'rolling back' of changes made to the directory, because there is no 'transaction log'...

        Since there is no real standard or method for replicating these changes across a system, LDAP has limitations. Replication was something that admins had to treat separately and couldn't really be managed natively from within LDAP.

        In order for LDAP to remain backwards compatible, LDAP utilizes 'controls', which allow extensions to be added without making changes to the protocol itself. Now, one thing that is kind of weird (for protocols, anyway) is that LDAP has an API defined in RFC 1823. This is what really helped LDAP catch on and gave it such a wide range of uses...

        (Now we can start tying in AD.)

        These controls are usually defined through a rigorous RFC process so that they work across the industry in a standardized fashion... Well, some people couldn't wait for the RFC, nor did they want to share their 'custom' controls: think Micro$oft. They created their own controls for LDAP that managed things like replication and multiple operations masters in the same network...

        ADSI uses LDAP to access and make changes to the directory. In addition, any time someone searches for any type of AD object, that query is passed using LDAP, and the results are sent back and interpreted by the client with LDAP.

        This was a huge advantage over having an NT domain. An NT domain had to use the Win32 API, therefore it was only useful on computers that were running Windows. On the other hand, AD domains utilize the LDAP protocol, meaning that they can 'communicate' with anything that talks LDAP... Unix, Linux, OS X, etc. Actually, I need to be clear: AD is LDAP/X.500 DAP compliant, but is not entirely LDAP.

        I think I have rambled enough about LDAP now. I hope it helped you understand how AD and LDAP are linked and how they differ. It's probably more than you were asking, but it's important to understand it, IMO.
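The thread's practical point is that the LDAP traffic seen on 389/TCP during logon is directory traffic (binds and searches), while the proof of identity is supposed to come from Kerberos. The check a practitioner wants when looking at that capture is whether the LDAP bind is a *simple* bind (the password travels in cleartext) or a *SASL/GSSAPI* bind (a Kerberos token travels instead). The following is an added example, not code from any poster in this thread: it builds the three relevant RFC 4511 messages with a minimal BER encoder and classifies them the way you would when reading a capture. The DNs, the password and the GSS-API token bytes are constructed samples (the token is placeholder bytes, not a real ticket), and only the Python standard library is used.

```python
"""
Build and classify the LDAP (RFC 4511) messages a workstation sends to TCP/389.
Added example for this thread, not code from the posters. A simple bind exposes
the password; a SASL/GSSAPI bind carries a Kerberos token; a SearchRequest is
the directory-query traffic. Sample DNs, password and token are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# ---- minimal BER encoder (definite length, enough for LDAP) --------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")     # long form
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int, tag: int = 0x02) -> bytes:
    # minimal two's-complement encoding; LDAP only needs small non-negative ints here
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, ber_int(msg_id) + protocol_op)          # LDAPMessage SEQUENCE

# ---- the three message types worth recognising in logon traffic ----------
def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    body = ber_int(3) + ber_str(dn) + ber_str(password, tag=0x80)   # [0] simple
    return ldap_message(msg_id, tlv(0x60, body))          # [APPLICATION 0] BindRequest

def sasl_gssapi_bind(msg_id: int, gss_token: bytes) -> bytes:
    sasl = ber_str("GSSAPI") + tlv(0x04, gss_token)       # SaslCredentials
    body = ber_int(3) + ber_str("") + tlv(0xA3, sasl)     # [3] sasl, empty name
    return ldap_message(msg_id, tlv(0x60, body))

def search_request(msg_id: int, base_dn: str, present_attr: str) -> bytes:
    body = (ber_str(base_dn)
            + ber_int(2, tag=0x0A)               # scope: wholeSubtree
            + ber_int(0, tag=0x0A)               # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)            # sizeLimit, timeLimit: unlimited
            + tlv(0x01, b"\x00")                 # typesOnly: FALSE
            + ber_str(present_attr, tag=0x87)    # Filter present [7], e.g. (objectClass=*)
            + tlv(0x30, b""))                    # attributes: empty = all user attributes
    return ldap_message(msg_id, tlv(0x63, body))          # [APPLICATION 3] SearchRequest

# ---- decoder / classifier ------------------------------------------------
def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

@dataclass
class LdapOp:
    msg_id: int
    kind: str                        # "simple-bind" | "sasl-bind" | "search" | "other"
    detail: str                      # bind DN, SASL mechanism, or search base
    exposed_secret: Optional[bytes]  # cleartext password if the wire carried one

def classify(payload: bytes) -> LdapOp:
    tag, msg, _ = ber_read(payload)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, raw_id, pos = ber_read(msg)
    msg_id = int.from_bytes(raw_id, "big", signed=True)
    op_tag, op, _ = ber_read(msg, pos)
    if op_tag == 0x60:                                    # BindRequest
        _, _, pos = ber_read(op)                          # version
        _, dn, pos = ber_read(op, pos)                    # name
        auth_tag, auth, _ = ber_read(op, pos)
        if auth_tag == 0x80:                              # simple: password on the wire
            return LdapOp(msg_id, "simple-bind", dn.decode(), auth)
        if auth_tag == 0xA3:                              # sasl: mechanism name comes first
            _, mech, _ = ber_read(auth)
            return LdapOp(msg_id, "sasl-bind", mech.decode(), None)
    elif op_tag == 0x63:                                  # SearchRequest
        _, base, _ = ber_read(op)
        return LdapOp(msg_id, "search", base.decode(), None)
    return LdapOp(msg_id, "other", "", None)

def audit(payloads) -> list:
    """One line per message; flags any bind that put a password on the wire."""
    out = []
    for p in payloads:
        op = classify(p)
        flag = "  <-- cleartext password; use LDAPS or SASL/GSSAPI" if op.exposed_secret else ""
        out.append(f"id={op.msg_id} {op.kind} {op.detail!r}{flag}")
    return out

if __name__ == "__main__":
    # constructed sample traffic; the GSS-API token is placeholder bytes, not a real ticket
    sample = [
        simple_bind(1, "cn=alice,cn=Users,dc=corp,dc=example", "Winter2024!"),
        sasl_gssapi_bind(2, b"\x60\x82\x01\x00" + b"\x00" * 256),
        search_request(3, "dc=corp,dc=example", "objectClass"),
    ]
    print("\n".join(audit(sample)))
```

On a real capture, feed `classify()` the TCP payload of each client-to-389 segment (LDAP messages start with a 0x30 SEQUENCE tag). A domain-joined Windows client normally shows a SASL bind with mechanism GSSAPI or GSS-SPNEGO followed by SearchRequests; a simple bind against port 389 without TLS is the finding to chase, because the password it carries is exactly what Kerberos tickets exist to keep off the wire.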