[39248] in Kerberos
Re: authenticate user via ldap bind
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon May 29 11:17:34 2023
From: Russ Allbery <eagle@eyrie.org>
To: "John Alex. via Kerberos" <kerberos@mit.edu>
In-Reply-To: <8734baf3-fb80-baad-01b6-b214907813b1@thenode.info> (John Alex.
via Kerberos's message of "Mon, 29 May 2023 12:38:58 +0300")
Date: Mon, 29 May 2023 08:12:40 -0700
Message-ID: <87a5xngoif.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"John Alex. via Kerberos" <kerberos@mit.edu> writes:
> In this instance, user passwords are stored in our LDAP server
> (OpenLDAP), hashed. All our services currently validate user credentials
> by attempting an LDAP bind either directly or via another protocol
> implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).
> So my question is, is there a way to implement kerberos without
> knowledge of the plaintext passwords, or do we have to somehow capture
> the credentials during users' login to other services and then sync them
> to the kdc db?
Unfortunately, although Kerberos also stores all of the passwords hashed,
the hashing algorithm used by Kerberos is almost certainly different than
the hashing algorithm used by LDAP. You therefore need the cleartext
password in order to create the KDC entry, since the point of hashing is
that it's not reversible. The only exception would be if somehow Kerberos
could be convinced to use the same hashing algorithm as LDAP, but I don't
think that's the case. (The client and the KDC have to agree on a hashing
algorithm, so this isn't a simple thing to do.)
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
