The disadvantages of using LDAP authentication against Active Directory compared with JAAS/Kerberos are:
- The simplest approach is the SIMPLE bind mechanism, which sends the user's password to the domain controller in cleartext. It must therefore only be used over SSL/TLS (an ldaps:// provider URL), never over plain ldap://.
- DIGEST-MD5 authentication against AD needs special set-up: the accounts involved must have "Store password using reversible encryption" enabled. Because this flag only takes effect the next time each user changes their password, it is difficult to apply retrospectively to an existing user base.
- LDAP can also use GSSAPI, and hence Kerberos, which would be equivalent in strength to the Kerberos subsystem, but this is more difficult to configure and has not been tested.
Where a proxy or load balancer sits in front of Alfresco, Kerberos can be handled in either of two ways:
- Use the external authentication subsystem on Alfresco and set up the proxy to implement Kerberos itself. The proxy validates the ticket and passes the authenticated user name to the repository in a header.
- Set up the Kerberos authentication subsystem on Alfresco and create the Service Principal Name (SPN) in Active Directory for the proxy's DNS name. A browser requests a ticket for HTTP/<host name in the URL>, so the ticket is issued for the proxy name, not for the repository node; the load balancer simply relays the Negotiate headers to the Alfresco repository, which must hold the key for that SPN. You must set Active Directory up to allow this by registering the SPN for the proxy name on the account Alfresco uses (an SPN must be unique in the forest, so it cannot also be left registered on the individual nodes).
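The fragment below is an added example of an alfresco-global.properties configuration that puts both points together: an ldap-ad subsystem using SIMPLE bind only over ldaps://, and a kerberos subsystem whose HTTP service account carries the SPN of the proxy name the browser sees. It is not configuration taken from the page or from the Alfresco project; the host names (dc1.example.com, alfresco.example.com), the realm EXAMPLE.COM, the account names, search bases and the placeholder passwords are all assumptions.

```properties
# alfresco-global.properties (added example; host names, realm, accounts and
# passwords are assumptions). Kerberos SSO is tried first, then LDAP-AD is used
# for password fallback and for user/group synchronization.
authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad

### ldap-ad1 subsystem ###
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
# Users log in with their sAMAccountName; the UPN suffix is appended for the bind.
ldap.authentication.userNameFormat=%s@example.com
# SIMPLE bind sends the password as-is, so the provider URL must be ldaps://.
# Weak setting, do not use:
#   ldap.authentication.java.naming.provider.url=ldap://dc1.example.com:389
ldap.authentication.java.naming.provider.url=ldaps://dc1.example.com:636
ldap.authentication.java.naming.security.authentication=simple
# Dedicated read-only account for directory synchronization (assumed name).
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=alfresco-sync@example.com
ldap.synchronization.java.naming.security.credentials=ChangeMe
ldap.synchronization.userSearchBase=OU=Users,DC=example,DC=com
ldap.synchronization.groupSearchBase=OU=Groups,DC=example,DC=com

### kerberos1 subsystem ###
kerberos.authentication.realm=EXAMPLE.COM
kerberos.authentication.sso.enabled=true
# Names of the JAAS entries in java.login.config; the AlfrescoHTTP entry must
# name the principal HTTP/alfresco.example.com, i.e. the proxy's DNS name,
# and point at the keytab issued for it.
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.http.configEntryName=AlfrescoHTTP
# Password of the AD service account (assumed: alfrescohttp) that owns the SPN.
kerberos.authentication.http.password=ChangeMe
# Strip @EXAMPLE.COM from the authenticated principal to get the Alfresco user name.
kerberos.authentication.stripUsernameSuffix=true
```

The SPN is registered on the AD side with `setspn -S HTTP/alfresco.example.com EXAMPLE\alfrescohttp` (the -S option refuses to add a duplicate SPN) and the matching keytab is produced with ktpass for the principal `HTTP/alfresco.example.com@EXAMPLE.COM`. The AlfrescoHTTP entry in java.login.config then reads `com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/alfresco/alfrescohttp.keytab" principal="HTTP/alfresco.example.com";`. Every repository node behind the load balancer must use this same account and keytab, since the ticket the browser presents is always for the proxy name.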
For some scenarios on using Kerberos with a proxy, see Load Balancers and Kerberos.
For some pointers and background information on JAAS, the Java Authentication and Authorization Service, refer to the following web sites: