[39252] in Kerberos


Re: authenticate user via ldap bind

daemon@ATHENA.MIT.EDU (Charles Hedrick via Kerberos)
Fri Aug 18 16:49:42 2023

To: "kerberos@mit.edu" <kerberos@mit.edu>,
        "alexjl2@thenode.info" <alexjl2@thenode.info>
Date: Fri, 18 Aug 2023 20:44:45 +0000
Message-ID: <PH0PR14MB5493F9A45A9EF45663D16799AA1BA@PH0PR14MB5493.namprd14.prod.outlook.com>
In-Reply-To: <8734baf3-fb80-baad-01b6-b214907813b1@thenode.info>
Content-Language: en-US
MIME-Version: 1.0
From: Charles Hedrick via Kerberos <kerberos@mit.edu>
Reply-To: Charles Hedrick <hedrick@rutgers.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

FreeIPA (and presumably MIT Kerberos) has the ability to delegate password checking to RADIUS. This is intended to support two-factor authentication, but it doesn't have to use two factors. So in principle you could use that and not have separate copies of the password in your Kerberos. I've tested this but not used it in production. I wanted to be able (if necessary) to use our campus passwords for our users, so they don't need separate passwords in our departmental Kerberos system.

At least in FreeIPA, the authentication technology used is a user attribute. So you could use native Kerberos, possibly with the native two-factor support, for some users and pass the others to a RADIUS server. You can also have more than one RADIUS server, for different users.

________________________________
From: Kerberos <kerberos-bounces@mit.edu> on behalf of John Alex. via Kerberos <kerberos@mit.edu>
Sent: Monday, May 29, 2023 5:38 AM
To: kerberos@mit.edu <kerberos@mit.edu>
Subject: authenticate user via ldap bind

Hi list,

recently the need arose in our institution to set up a Kerberos infrastructure so that
users can log in on Windows machines using their institutional credentials. From what I
remember though from an MIT KDC deployment I did many years ago, I had to have the user
passwords in cleartext in order to create the Kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our
services currently validate user credentials by attempting an LDAP bind, either directly or
via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak, etc.).

So my question is, is there a way to implement Kerberos without knowledge of the plaintext
passwords, or do we have to somehow capture the credentials during users' login to other
services and then sync them to the KDC DB?

Thanks,
John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
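The RADIUS delegation Charles describes is, on an MIT KDC, the OTP preauthentication mechanism configured in the `[otp]` section of kdc.conf. The fragment below is an added illustration, not configuration from either poster or from the MIT project; the token-type name `campus`, the host `radius.example.edu`, the secret file path and the realm `EXAMPLE.EDU` are assumed values. In the setup John describes, the server named here could be the existing FreeRADIUS instance that already validates users by binding to OpenLDAP, so the KDC never needs a copy of the plaintext password.

```ini
# kdc.conf [otp] section (added example, not from the thread): each named
# token type maps to one RADIUS server; the principal's "otp" string
# attribute selects which one is used for that user.
[otp]
    campus = {
        # RADIUS server the KDC forwards the Access-Request to (assumed host).
        server = radius.example.edu:1812
        # File containing the RADIUS shared secret; required for UDP servers.
        # Assumed path; keep it readable by the KDC only.
        secret = /var/kerberos/krb5kdc/campus-radius.secret
        # Seconds to wait for a reply, and how many times to retry.
        timeout = 3
        retries = 2
        # Send "john" instead of "john@EXAMPLE.EDU" as the RADIUS User-Name,
        # matching what an LDAP-backed RADIUS server expects.
        strip_realm = true
    }
```

The principal is then created with a random key and pointed at that token type, so no password is ever entered into the KDB: `addprinc -randkey +requires_preauth john@EXAMPLE.EDU` followed by `setstr john@EXAMPLE.EDU otp '[{"type": "campus"}]'` in kadmin. On FreeIPA the equivalent per-user attribute is set with `ipa radiusproxy-add campus --server=radius.example.edu:1812` and `ipa user-mod john --user-auth-type=radius --radius=campus`, which is the mechanism that lets some users stay on native Kerberos while others are forwarded. Two practical checks: MIT's OTP preauth requires FAST armoring on the client side, and the password reaches the RADIUS server protected only by RADIUS's own User-Password obfuscation, so the KDC-to-RADIUS path belongs on localhost or a trusted network segment.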
