[39247] in Kerberos

authenticate user via ldap bind

daemon@ATHENA.MIT.EDU (John Alex. via Kerberos)
Mon May 29 05:44:07 2023

Message-ID: <8734baf3-fb80-baad-01b6-b214907813b1@thenode.info>
Date: Mon, 29 May 2023 12:38:58 +0300
MIME-Version: 1.0
Content-Language: en-US
To: kerberos@mit.edu
From: "John Alex. via Kerberos" <kerberos@mit.edu>
Reply-To: alexjl2@thenode.info
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

Hi list,

Recently the need arose in our institution to set up a Kerberos infrastructure so that
users can log in on Windows machines using their institutional credentials. From what I
remember though from an MIT KDC deployment I did many years ago, I had to have the user
passwords in cleartext in order to create the Kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our 
services currently validate user credentials by attempting an LDAP bind either directly or 
via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

So my question is, is there a way to implement Kerberos without knowledge of the plaintext
passwords, or do we have to somehow capture the credentials during users' login to other
services and then sync them to the KDC DB?

Thanks,
John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
