Kerberos vs. LDAP for authentication -- which one is more secure

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?

LDAP authentication is centralized authentication, meaning you have to login with every service, but if you change your password it changes everywhere.

Kerberos is single sign-on (SSO), meaning you login once and get a token and don't need to login to other services.

There's a trade-off: LDAP is less convenient but simpler. Kerberos is more convenient but more complex. Secure things are simple and convenient.

There's no right answer. If you need SSO use Kerberos. Else LDAP. You could also consider YP/NIS (over IPSEC) for centralized authn.

The fact that the OpenBSD security hawks dropped Kerberos but make their own LDAP server might tell you something...

Can we switch between them transparently?

No, you cannot. Well, maybe you can with PAM. But your users will notice.


Where possible use Kerberos authentication above all else. It was built for providing authentication/authorization and is the most secure option. The whole premise is to exchange credentials in an environment that isn't trusted.

LDAP can be easily misconfigured to send credentials in clear text over the network. An easy way to prevent this is to always use LDAPS (TCP 636), as it encapsulates all traffic in SSL. LDAP is often used for ad hoc authentication/authorization, especially in web applications using forms authentication.
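To make the clear-text point concrete, here is an added example (not from the thread or any product) that decodes an LDAP simple BindRequest, as defined in RFC 4511 and BER-encoded, from raw bytes and flags it when it travels over a connection that is neither LDAPS on 636 nor upgraded with STARTTLS. The packet bytes, DN and password are constructed for the demonstration; the `tls_established` flag is assumed to come from whatever capture or connection-tracking tool feeds the function.

```python
# Added example (not from the thread): decode an LDAP simple BindRequest
# (RFC 4511, BER-encoded) to show that on plain tcp/389 the DN and password
# are readable octet strings, and flag such binds in captured traffic.

def ber_tlv(buf, pos=0):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    else:                                 # long form: low bits = octet count
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Split a constructed BER value into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_simple_bind(payload):
    """Return message id, version, DN and password of a simple BindRequest,
    or None if the payload is not one (e.g. SASL bind, search, other op)."""
    tag, msg, _ = ber_tlv(payload)
    if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
        return None
    (_, msg_id), (op_tag, op_val) = ber_children(msg)[:2]
    if op_tag != 0x60:                    # BindRequest ::= [APPLICATION 0]
        return None
    version, name, auth = ber_children(op_val)[:3]
    if auth[0] != 0x80:                   # simple ::= [CONTEXT 0] OCTET STRING
        return None
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version[1], "big"),
            "dn": name[1].decode(), "password": auth[1].decode()}

def flag_plaintext_bind(dst_port, tls_established, payload):
    """Alert on a password-carrying simple bind that is neither LDAPS nor STARTTLS."""
    bind = parse_simple_bind(payload)
    if bind is None or not bind["password"] or dst_port == 636 or tls_established:
        return None
    return f"plaintext LDAP simple bind for {bind['dn']} on tcp/{dst_port}"

# Constructed sample packet: bind as cn=svc,dc=corp,dc=example with "s3cret".
DN, PW = b"cn=svc,dc=corp,dc=example", b"s3cret"
SAMPLE_BIND = (b"\x30\x2b" + b"\x02\x01\x01" + b"\x60\x26" + b"\x02\x01\x03"
               + b"\x04\x19" + DN + b"\x80\x06" + PW)
```

Running `flag_plaintext_bind(389, False, SAMPLE_BIND)` returns an alert naming the bind DN, while the same bytes on port 636 or after STARTTLS return `None`; an unauthenticated bind with an empty password is deliberately not flagged.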