topic Re: Need help with this question in CISSP Study Group

Need help with this question

VibeCoder — Sun, 07 Sep 2025 15:07:09 GMT

I was unsure where to seek clarification regarding the explanation, so I decided to post my question here.

I selected LDAP and X.500 as my answers; however, it appears that all three options are considered correct. Could someone please clarify whether Kerberos is an example of an identity store?

Re: Need help with this question

ziembor — Sun, 07 Sep 2025 20:24:47 GMT

literary none of them are identity store (it could be "LDAP store" but only X.500, Kerberos or LDAP as is it's only protocol for query database (X.500 and LDAP) or authenticate, but it do not contain elements of identity.
It's hard to guess what autors of that question have in mind...

Re: Need help with this question

MurrayMartin — Mon, 08 Sep 2025 02:07:58 GMT

LDAP is x.500 based, and LDAP/AD uses Kerberos as its authentication engine. Conversely Kerberos uses a directory for its database.

I think the key here for this question is if we abstract the user identity to being just the Ticket Granting Ticket (Gold Ticket), Kerberos is a store for the relationship to the service tickets (Silver Ticket) effectively making it an Identity store in this context of the question.

Re: Need help with this question

JoePete — Mon, 08 Sep 2025 11:50:13 GMT

Not a great question.

I suppose the value in it is that it is asking you to identify common terms used in identity and access management, but these are three very different things.

X.500 is a superset of standards for directories and related certificates. Yes, you can have X.500-based things (services, certificates, applications, etc.) that store identity info, but to just call X.500 an "identity store" is a stretch.
LDAP could be thought of as a scaled-down version of X.500. It is, too, just a protocol (that's what the P stands for after all). While you have LDAP servers etc., it seems incorrect to just say LDAP means some actual identity store.
Kerberos is another protocol, used for network authentication. It basically serves as the linchpin among all these things on a network trying to interact. You have kerberos enabled devices all over and, and kerberos (specifically the key distribution center "KDC") acts like a third party they all trust. The KDC will talk to something like an LDAP server (or Active Directory) so it can authenticate a user/client and then tell some other device (via what's called a ticket) that the user/client was authenticated. A critical distinction about kerberos is that it doesn't provide authorization (that's up to the other devices or some other middleware).

I'm not sure the exam you are studying for, but two things:

Test prep questions aren't written by test writers typically. Especially with the ISC2 exams, there's a separation between test developers and even the official ISC2 instructional content. If you end up with a question that is confusing to you, more than likely it was written by someone who didn't fully understand the content. Just move on.
Don't rely on question taking/apps to learn content. This is a generational thing, but people think, "I can learn content based on the feedback of questions I answer right and wrong." That doesn't work well with security. Focus on trying to gain experience with the stuff that you don't understand. Hands-on work teaches better than anything, but short of that, read an in-depth explanation of these technologies, not just an AI summary. This way, when you encounter challenging questions, you'll be in a much better position to know them out.

Re: Need help with this question

helenpizzie — Mon, 08 Sep 2025 18:48:02 GMT

Hopefully this might help:

An identify store is a generic concept — it is essentialy a repository (database, directory, or service) where digital identities (users, groups, devices, service accounts, etc.) are stored and managed. For example- Active Directory (Microsoft), Azure AD / Entra ID, Okta, Ping, Auth or a simple SQL user table in an app.

X.500 is an international standard created in 1980s used for electronic digital services used like a corporate phone book and LDAP is a light weight version of X.500 created in 1990s so that it could use TCPIP.

Re: Need help with this question

viralJosee — Mon, 27 Oct 2025 17:06:25 GMT

Hey @VibeCoder

This question a bit confusing. actually Kerberos is protocol which use identity store to authenticate. But here they are referring that it contains authentication data.