Using KERBEROS to Harden the Active Directory System (LDAP) in a Domain Used to Support Grid/Clustering Activity

摘要

The advent of distributed processing and global information systems has driven the need for fast, efficient and secure global authentication systems. Typically distributed processing implies that any given application will require computing resources from multiple computing nodes, and hence for the sake of convenience will require single sign-on capability for the end-user. The user database to support this global authentication process, because it encompasses all hosts in a domain is a prime attack target and requires substantial resources if it is to be adequately protected. To illustrate these concepts a case study was used in which the characteristics of a computing domain were described in detail and the conversion process of this domain from a simple NIS global authentication system to an extremely robust LDAP/Kerberos system was discussed. It was determined that the added complexity and extra work required to implement the LDAP/Kerberos system was well worthwhile due to the vast increase in robustness and scalability observed. Further, this task was carried out at the same time the production hosts were converted from individual physical hosts to virtual machines to provide a "greener" computing environment. Even though this conversion added to the workload the fact that both processes were starting from scratch made it easy to coordinate the needed linkages between the two.