The Java Authentication and Authorization Service
(JAAS) is used within the Kerberos subsystem to support Kerberos
authentication of user names and passwords. You may choose to use Kerberos
against an Active Directory server in preference to LDAP or NTLM as it
provides strong encryption without using SSL. It would still be possible to
export user registry information using a chained LDAP subsystem.
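
The following sketch is an added example, not code from the original page or from the product it documents. It shows how a user name and password can be checked through JAAS using the JDK's `Krb5LoginModule`. The class name, the JAAS entry name, the realm `EXAMPLE.COM` and the KDC host `dc1.example.com` are placeholders, and a reachable KDC is assumed.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KerberosPasswordCheck {
    // In-memory JAAS configuration holding a single, required Krb5LoginModule entry.
    static Configuration krb5Config() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false"); // never reuse a cached ticket; use the supplied password
        opts.put("storeKey", "false");       // do not keep the long-term key in the Subject
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Returns true only if the KDC accepts the user name and password.
    static boolean authenticate(String user, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext("KerberosPasswordCheck", null, handler, krb5Config());
            lc.login();   // Kerberos exchange with the KDC; the password is not sent in clear text
            lc.logout();  // discard the credentials obtained during the check
            return true;
        } catch (LoginException e) {
            return false; // bad credentials, unknown principal, clock skew or unreachable KDC
        } finally {
            Arrays.fill(password, '\0'); // wipe the caller's copy of the password
        }
    }

    public static void main(String[] args) {
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");   // placeholder realm
        System.setProperty("java.security.krb5.kdc", "dc1.example.com"); // placeholder KDC host
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(authenticate(args[0], pw) ? "authenticated" : "rejected");
    }
}
```
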
The disadvantages of using LDAP authentication against Active Directory compared with JAAS/Kerberos are:
- The simplest approach is to use the SIMPLE LDAP authentication protocol, which should be used with SSL.
- AD requires special setup to use DIGEST-MD5 authentication (reversible encryption for passwords), which may be difficult to apply retrospectively.
- LDAP can use GSSAPI and Kerberos, which would be equivalent, but this is more difficult to configure and has not been tested.
For some pointers and background information on JAAS, the Java Authentication and Authorization Service, refer to the following web sites: