
We have a requirement to produce a centralised user management and authentication system where users can be assigned roles, have passwords set/revoked, etc.

The system will have to be on Windows talking to other Windows machines. However, it would be useful if it could be extended to embedded industrial controllers running VxWorks.

While I am vaguely aware of RADIUS, Kerberos, LDAP and Active Directory, I am struggling to understand how these different technologies fit together.

Knowing that VxWorks supports RADIUS and there is some support for Kerberos, what would be the best solution to support this type of functionality?

Also, can anyone recommend an explanation of how the various technologies fit together to support user management?

user2881914

2 Answers


Kerberos is an authentication and key-distribution protocol. It allows peers such as clients and servers (called “security principals”) to prove their identities to one another, as well as to secure subsequent communication between them. It requires authentication servers called “Key Distribution Centers,” or KDCs, to be available over the network in order for authentication to take place, though not every member always needs access to a KDC for every operation (e.g. a server does not need to contact a KDC, but the client does), and credentials are normally cached so that fewer network round trips are required. The caching mechanism provides single-signon in a way which is more secure than caching your password, since the cached credentials expire after some time and cannot be used to change your password. It also has a built-in notion of federation between Kerberos security domains, called “realms.” One of the big practical benefits of Kerberos is that it is the most pervasively implemented and available system of its kind: it is usable in a variety of protocols via abstraction schemes like SASL and GSSAPI, and these are widely implemented on many platforms, including Unix and Windows. Popular clients and servers for diverse protocols and applications including IMAP, POP, SMTP, SSH, LDAP, Subversion, NFS, HTTP, etc. support Kerberos and can be secured (to varying degrees) with a single infrastructure.

RADIUS provides for authentication, authorization, and accounting (“AAA”) in a single protocol. It is mostly used by network devices such as routers, switches, VPN gateways, WiFi access points, etc. to provide authentication for administrative access as well as for users, and then also to provide authorization (what users are allowed to do) and accounting (logging of actions). Authentication happens via a variety of independent mechanisms tunneled over RADIUS, such as EAP, PEAP, and MS-CHAP.

LDAP is a directory-access protocol: an LDAP server stores information about nodes named via X.500 “distinguished names,” the same as you see in X.509 public-key certificates, e.g. “CN=Richard E. Silverman, ST=NY, O=My Company”. Nodes have attributes, and LDAP clients query the server for the attributes of given nodes in a variety of ways, including searches of whole subtrees of the node namespace, pattern matching, and filters indicating which attributes should be returned.

There is often some confusion about LDAP being an “authentication protocol,” which is not its primary purpose. This is because many systems which need to verify a username/password pair offer “LDAP authentication” as a way of doing it. What this means is that the system will contact an LDAP server, authenticate to it with the supplied username and password, and then just disconnect without issuing an LDAP directory query. Thus, it uses the security of LDAP as a password-verification service. It is the same as if it used SSH to log into a given host, and then just immediately logged out, using the success or failure of the login to validate the user’s password.

“Active Directory” is a Microsoft marketing, product, and technical term. It does not refer to a single protocol like the terms above; rather, it names an overarching system comprising several protocols (including Kerberos, LDAP, and DNS), implemented by the “domain controllers,” which provides comprehensive security, naming, and management services to a collection of Windows hosts.
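The two LDAP details the answer above leans on, the X.500 distinguished-name format and the "search for the user, then bind with their password" pattern, are easy to get wrong when a login name supplied by a user is spliced into a DN or a search filter. The following is an added example, not code from the original answer: it parses DNs such as "CN=Richard E. Silverman, ST=NY, O=My Company" with RFC 4514 escaping, escapes values going the other way, and escapes untrusted input before it is placed in an RFC 4515 search filter. The `person`/`uid` attribute names in `user_search_filter` are the example's own assumption; no directory server is contacted.

```python
"""Added example (not code from the original answer): DN parsing/escaping
(RFC 4514) and search-filter escaping (RFC 4515), the two format-handling
steps behind the "LDAP authentication" pattern described in the answer."""

import re

# A DN hex escape is a backslash followed by exactly two hex digits (RFC 4514).
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def _join(tokens):
    """Join (char, was_escaped) tokens, dropping only *unescaped* leading and
    trailing spaces; an escaped trailing space ("\\ ") is significant."""
    while tokens and tokens[0] == (" ", False):
        tokens.pop(0)
    while tokens and tokens[-1] == (" ", False):
        tokens.pop()
    return "".join(ch for ch, _ in tokens)


def parse_dn(dn):
    """Return a list of (attribute_type, value) pairs, leftmost RDN first.

    Handles "\\," style escapes and "\\2C" style hex escapes, so a comma
    inside a value does not start a new RDN. Multi-valued RDNs joined with
    an unescaped "+" are rejected rather than silently mis-parsed.
    """
    pairs = []
    attr = None        # None while reading the attribute type, str afterwards
    tokens = []        # (char, was_escaped) for the current type or value
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if _HEX_PAIR.match(nxt):
                tokens.append((chr(int(nxt, 16)), True))
                i += 3
                continue
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN: %r" % dn)
            tokens.append((dn[i + 1], True))
            i += 2
            continue
        if attr is None and ch == "=":
            attr, tokens = _join(tokens), []
        elif attr is not None and ch == ",":
            pairs.append((attr, _join(tokens)))
            attr, tokens = None, []
        elif ch == "+":
            raise ValueError("multi-valued RDN ('+') not supported: %r" % dn)
        else:
            tokens.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("DN ends without an '=': %r" % dn)
    pairs.append((attr, _join(tokens)))
    return pairs


def escape_dn_value(value):
    """Escape one attribute value for embedding in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    The special characters become \\XX hex escapes, so input such as
    "*)(uid=*" is matched literally instead of rewriting the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_search_filter(login_name):
    """Filter for the 'look up the user's entry' step that precedes a bind.
    The objectClass/uid attribute names are this example's assumption; the
    login name is always escaped before it is interpolated."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(login_name)
```

In the flow the answer describes, a system would send `user_search_filter(login)` to the directory to locate the user's entry, then open a fresh connection and perform a simple bind with that entry's DN and the supplied password; the bind succeeding is the password check, and no further query is issued. The escaping is what keeps a login name such as `*` or `*)(uid=*` from widening the search to every entry, and `parse_dn`/`escape_dn_value` keep a comma or `+` inside a name from being read as an RDN boundary.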


RADIUS, Kerberos and LDAP can all theoretically provide centralized user authentication and (limited) authorization (Active Directory is an implementation of LDAP).

To put it simply:

  • RADIUS was designed for centralized dial-in systems and does not contain many hooks for authorization management (e.g. roles). Today it is used a lot for strong authentication solutions like hardware tokens.
  • Kerberos was designed with secure Single-Sign-On in mind. It provides a centralized server that can grant authentication tickets to users and services. It is an open standard, implemented (among others) in Windows, integrated in Active Directory.
  • LDAP is an object-oriented, hierarchical user database (protocol actually) with a built-in authentication mechanism. Its default schema contains users and groups, allowing authorization to be set up.

In short: use LDAP for centralized user and group management and authentication (you can use Active Directory for this). Next, use Kerberos for SSO. There is a lot of documentation on both subjects available.

mvreijn