[30518] in Kerberos
Re: Kerberos + LDAP + RADIUS?
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Thu Dec 11 13:03:57 2008
From: "Richard E. Silverman" <res@qoxp.net>
Date: Thu, 11 Dec 2008 00:46:28 -0500
Message-ID: <m2zlj3462z.fsf@darwin.oankali.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
>>>>> "MR" == Mathew Rowley <mathew_rowley@cable.comcast.com> writes:
MR> We are re-architecting our whole authentication backend, and I am
MR> having a hard time trying to understand how Kerberos, LDAP, and
MR> RADIUS can all fit together. We currently use RADIUS and LDAP to
MR> do AAA, and group based security, but we are going to want to have
MR> an SSO functionality (thus introducing kerberos).

MR> I think I can see how Kerberos and LDAP fit together, with group
MR> based security: A user will authenticate with Kerberos'
MR> authentication server, then attempt to be assigned a ticket with
MR> the ticket granting server; the ticket granting server will query
MR> LDAP to see if a user has access to the resource, based on the
MR> groups that user is a part of.
Not quite -- Kerberos is purely authentication, not authorization.* A
ticket doesn't grant access to a resource; it identifies a client to the
server of that resource, so that the server can *make* that authorization
decision. To do so, it might then in turn query LDAP to find out the
client's permissions/rights.
* At least traditionally -- though the ticket data structure does have an
authorization field, which Microsoft uses to encode a user's rights (group
memberships, etc.).
MR> My problem is trying to figure out where RADIUS comes into the
MR> mix. It seems like there can be two options, but both seem to
MR> have problems: 1. Have authentication point to Kerberos server
MR> which will authenticate against radius : but this doesn't make
MR> sense because when you authenticate against Kerberos, there is no
MR> password passed from client to server, so how will Kerberos be
MR> able to tell if that user/pass is accepted via Radius. 2. Have
MR> authentication point to radius, and have it authenticate against
MR> Kerberos : this defeats a whole security aspect of Kerberos not
MR> passing the users password to the server, and how is it possible
MR> for the client to have the Kerberos ticket?

MR> Maybe I am missing something, or maybe this is just not possible.
MR> Any insight/tutorials/etc. would be helpful; there is not much on
MR> this topic available. Thanks.
MR> -- MAT
-- Richard Silverman res@qoxp.net
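An added illustration of the authentication/authorization split Richard describes (example code, not from the thread or from any Kerberos or LDAP implementation): the service has already accepted a Kerberos ticket and knows only the client principal; it then maps that principal to a directory entry and checks group membership against a per-resource ACL. The directory, ACL, realm name and attribute names (krbPrincipalName, memberOf) are constructed stand-ins for what a real LDAP search would return.

```python
import re

# Constructed in-memory stand-in for an LDAP directory: DN -> attributes.
# A real service would run an LDAP search for the user's entry and its
# memberOf values instead of consulting this dict.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "krbPrincipalName": "alice@EXAMPLE.COM",
        "memberOf": ["cn=wiki-editors,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "krbPrincipalName": "bob@EXAMPLE.COM",
        "memberOf": [],
    },
}

# Constructed ACL: resource name -> set of group DNs allowed to use it.
ACL = {"wiki": {"cn=wiki-editors,ou=groups,dc=example,dc=com"}}

# Assumed: the realm whose KDC this service trusts to authenticate users.
TRUSTED_REALM = "EXAMPLE.COM"


def lookup_groups(principal):
    """Map an authenticated Kerberos principal to its directory entry and
    return that entry's group DNs, or None if the principal is unknown."""
    # Match the whole principal, including the realm. A principal from
    # another realm is still authenticated, but it must not be mapped to a
    # local account by its user part alone.
    m = re.fullmatch(r"([^@/]+)@([A-Z0-9.\-]+)", principal)
    if not m or m.group(2) != TRUSTED_REALM:
        return None
    for attrs in DIRECTORY.values():
        if attrs["krbPrincipalName"] == principal:
            return set(attrs["memberOf"])
    return None


def authorize(principal, resource):
    """Authorization decision made by the service, not by the KDC.
    The ticket only proved *who* the client is; this decides *what* it may do."""
    groups = lookup_groups(principal)
    if groups is None:
        return False
    # Allow only if the user belongs to at least one group the ACL names.
    return bool(groups & ACL.get(resource, set()))
```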
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos