Kerberos + LDAP + RADIUS?

Richard E. Silverman res at
Thu Dec 11 00:46:28 EST 2008

>>>>> "MR" == Mathew Rowley <mathew_rowley at> writes:

    MR> We are re-architecting our whole authentication backend, and I am
    MR> having a hard time trying to understand how Kerberos, LDAP, and
    MR> RADIUS can all fit together.  We currently use RADIUS and LDAP to
    MR> do AAA, and group based security, but we are going to want to have
    MR> an SSO functionality (thus introducing kerberos).

    MR> I think I can see how Kerberos and LDAP fit together, with group
    MR> based security: A user will authenticate with Kerberos¹
    MR> authentication server, then attempt to be assigned a ticket with
    MR> the ticket granting server ­ the ticket granting server will query
    MR> LDAP to see if a user has access to the resource, based on the
    MR> groups that user is a part of.

Not quite -- Kerberos is purely authentication, not authorization.*
A ticket doesn't grant access to a resource; it identifies a client to the
server of that resource, so that the server can *make* that authorization
decision.  To do so, it might then in turn query LDAP to find out the
client's permissions/rights.

* At least traditionally -- though the ticket data structure does have an
  authorization field, which Microsoft uses to encode a user's rights
  (group memberships, etc.).

    MR> My problem is trying to figure out where RADIUS comes into the
    MR> mix.  It seems like there can be two options, but both seem to
    MR> have problems: 1. Have authentication point to Kerberos server
    MR> which will authenticate against radius : but this doesn¹t make
    MR> sense because when you authenticate against Kerberos, there is no
    MR> password passed from client to server, so how will Kerberos be
    MR> able to tell if that user/pass is accepted via Radius.  2. Have
    MR> authentication point to radius, and have it authenticate against
    MR> Kerberos : this defeats a whole security aspect of Kerberos ­ not
    MR> passing the users password to the server, and how is it possible
    MR> for the client to have the Kerberos ticket?

    MR> Maybe I am missing something, or maybe this is just not possible.
    MR> Any insight/tutorials/etc. would be helpful ­ there is not much on
    MR> this topic available.  Thanks.

    MR> -- MAT

  Richard Silverman
  res at

More information about the Kerberos mailing list