Few computing concepts are as ubiquitous as identity and access management. There isn’t a single day that goes by without us being asked for credentials, passwords or pin codes. Yet very few know the origins and the evolution of the technologies behind them.
This is the first of two blog posts (part 2 available here) where we will look at the history of open-source identity management. We will cover the main open-source protocols and standards that shaped it, from its origins to the modern days. This post will focus on the origins and the two major “legacy” protocols: Kerberos and LDAP.
The origins of open source identity management
Authentication has been a key part of computer security for a very long time. It originated in 1961 with the MIT compatible time-sharing system (CTSS) as a way of solving the problem of governing who has access to what resources.
The MIT computer at the time, the IBM 709, had a finite amount of resources and as a result, operators were asked to log in with credentials that would grant them a set of limits or resources on how much CPU time and memory that operator could use. Since then, this idea of governing access to resources is still the main reason why we have authentication.
In the following years, identity became the fundamental concept underpinning all of system security. While there were many attempts to standardise the way we authenticate to computer systems, LDAP and Kerberos were the ones that gained the most traction.
Kerberos was a Massachusetts Institute of Technology (MIT) internal project, initially aimed at protecting network services provided by Project Athena. Kerberos was officially released to the public in the late 1980s and revised multiple times, with the current iteration (version 5) dating back to 1993.
Kerberos preceded SSL/TLS and it was introduced as a way to authenticate users over an insecure network where traffic was actively being intercepted. In doing so, it solved a common problem: cryptographic operations were expensive on CPUs back in the ’90s and early 2000s, making TLS for all connections unfeasible.
Kerberos is a system that allows authentication without ever transmitting the password over the network thanks to the use of a series of ticket exchanges. Later on, Kerberos could install encryption layers similar to what TLS does today, transforming Kerberos into a protocol able to provide a root of trust.
LDAP was launched in 1997 as a successor to the directory access protocol, which is part of the X500 standards. These were created by the International Telecom Union and included concepts we still use today, like x.509 certificates (which were initially intended to be the default directory authentication artefact).
LDAP is a binary protocol similar to SQL and HTTP that allows access to a directory database, which is comparable to a phone book. This phone book or directory contains a set of users nested in groups, and it allows a connected computer to query and organise that information. As a side effect of the way LDAP works, it is also possible to check user passwords that are associated with their accounts.
The data in these directories is not structured the same way as a table in SQL. Rather, it is much closer to JSON, with objects (or entries) containing a series of key-value pairs. The list of which key-value pairs can exist is defined by a construct called a “schema.”
In addition, these entries can be nested and structured into a tree, allowing hierarchical organisation searching capabilities, which enables many vital querying and structural elements.
The most famous open-source LDAP implementation is OpenLDAP, which was released in 1998 by Kurt Zeilenga. It used most of the source code from the original LDAP project developed by the University of Michigan in 1996.
You can learn how to integrate Ubuntu with LDAP and Kerberos by downloading the following whitepaper:
Rise and decline in popularity
When introduced, these protocols brought a series of advantages that fueled their adoption:
- Performance and availability
A lot of work was done to active active consistent replication – this means you can have a very wide geographic distribution.
The LDAP schema was designed to be extended to meet disparate business needs by adding extra attributes.
It’s very rare to find a system that doesn’t have an LDAP authentication plugin.
For a relatively long time, authentication was considered a “solved” problem. However, as the landscape of computing evolved with the rise in popularity of mobile phones and APIs, so did the requirements around authentication and authorization.
LDAP and Kerberos were unable to meet the new identity and access management needs because they are:
- Primarily written in C
The open-source implementations of these protocols are primarily written in C, and this opens them up to many CVEs and memory safety issues (70% of Microsoft security issues comes from memory safety issues).
The security concerns created extra barriers and complexity to the introduction of new features and web-friendly enhancements.
- Complicated to administer
LDAP and Kerberos offered relatively poor developer experiences, resulting in increasingly lower adoption from developers and IT professionals.
- Password only
With phishing attacks rising year by year, relying on passwords alone is a very insecure way of performing authentication. The TOTP standard was only integrated at the end of 2011.
Many modern applications and operating systems still use both LDAP and Kerberos (including Ubuntu). However, their popularity is slowly decreasing in favour of modern, web/mobile-friendly protocols.
In the next article, we will look at more modern standards like OAuth, OpenID and FIDO.