Kerberos + LDAP + RADIUS?
Richard E. Silverman
res at qoxp.net
Thu Dec 11 00:46:28 EST 2008
>>>>> "MR" == Mathew Rowley <mathew_rowley at cable.comcast.com> writes:
MR> We are re-architecting our whole authentication backend, and I am
MR> having a hard time trying to understand how Kerberos, LDAP, and
MR> RADIUS can all fit together. We currently use RADIUS and LDAP to
MR> do AAA, and group based security, but we are going to want to have
MR> an SSO functionality (thus introducing kerberos).
MR> I think I can see how Kerberos and LDAP fit together, with group
MR> based security: A user will authenticate with Kerberos'
MR> authentication server, then attempt to be assigned a ticket with
MR> the ticket granting server. The ticket granting server will query
MR> LDAP to see if a user has access to the resource, based on the
MR> groups that user is a part of.
Not quite -- Kerberos is purely authentication, not authorization.*
A ticket doesn't grant access to a resource; it identifies a client to the
server of that resource, so that the server can *make* that authorization
decision. To do so, it might then in turn query LDAP to find out the
client's permissions/rights.
* At least traditionally -- though the ticket data structure does have an
authorization field, which Microsoft uses to encode a user's rights
(group memberships, etc.).
MR> My problem is trying to figure out where RADIUS comes into the
MR> mix. It seems like there can be two options, but both seem to
MR> have problems: 1. Have authentication point to Kerberos server
MR> which will authenticate against radius : but this doesn't make
MR> sense because when you authenticate against Kerberos, there is no
MR> password passed from client to server, so how will Kerberos be
MR> able to tell if that user/pass is accepted via Radius. 2. Have
MR> authentication point to radius, and have it authenticate against
MR> Kerberos : this defeats a whole security aspect of Kerberos not
MR> passing the users password to the server, and how is it possible
MR> for the client to have the Kerberos ticket?
MR> Maybe I am missing something, or maybe this is just not possible.
MR> Any insight/tutorials/etc. would be helpful there is not much on
MR> this topic available. Thanks.
MR> -- MAT
--
Richard Silverman
res at qoxp.net
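To illustrate the separation Richard describes (Kerberos identifies the client; the service itself decides on access, typically by asking LDAP for the user's groups), here is an added example, not code from the thread or from any of the posters. It shows the service-side step that runs after a ticket has been accepted: the principal name from the ticket is mapped to a directory user, the user's effective groups are resolved (following nested groups without looping on cycles), and the result is checked against a per-resource ACL. The directory is a constructed in-memory stand-in for LDAP entries with memberOf attributes; the realm name, DNs, group names and the ACL are all hypothetical.

```python
"""Authorization after Kerberos authentication (added example).

Kerberos has already established WHO the client is (the principal in the
ticket). Deciding WHAT the client may do is the service's job; here that
decision is based on group membership looked up in a directory. The
directory below is a constructed dict standing in for LDAP search results
(DN -> attributes); in a real deployment the same lookups would be LDAP
queries against ou=people / ou=groups.
"""

TRUSTED_REALM = "EXAMPLE.COM"                    # hypothetical realm the service trusts
PEOPLE_BASE = "ou=people,dc=example,dc=com"      # hypothetical DN suffixes
GROUPS_BASE = "ou=groups,dc=example,dc=com"

# Constructed sample directory. 'memberOf' on an entry lists the groups it
# belongs to; groups may themselves be members of other groups (nesting).
DIRECTORY = {
    f"uid=alice,{PEOPLE_BASE}": {"memberOf": [f"cn=wiki-editors,{GROUPS_BASE}"]},
    f"uid=bob,{PEOPLE_BASE}":   {"memberOf": [f"cn=wiki-readers,{GROUPS_BASE}"]},
    # editors are a member of readers, so editors inherit read access
    f"cn=wiki-editors,{GROUPS_BASE}": {"memberOf": [f"cn=wiki-readers,{GROUPS_BASE}"]},
    f"cn=wiki-readers,{GROUPS_BASE}": {"memberOf": []},
}

# Hypothetical ACL: resource -> set of group DNs permitted to use it.
ACL = {
    "wiki:read":  {f"cn=wiki-readers,{GROUPS_BASE}"},
    "wiki:write": {f"cn=wiki-editors,{GROUPS_BASE}"},
}


def principal_to_dn(principal, realm=TRUSTED_REALM, base=PEOPLE_BASE):
    """Map an authenticated 'user@REALM' principal to a directory DN.

    Returns None (deny) when the realm is not the one this service trusts,
    when the name is empty, or when it is a service/instance principal
    (contains '/'): an identity from another realm must never be mapped
    onto a local account just because the short name happens to match.
    """
    name, sep, prealm = principal.rpartition("@")
    if not sep or prealm != realm or not name or "/" in name:
        return None
    return f"uid={name},{base}"


def effective_groups(dn, directory):
    """Transitive closure of memberOf starting at dn.

    A visited set makes the walk terminate even if the group graph in the
    directory contains a cycle (which does happen in real deployments).
    """
    seen = set()
    stack = list(directory.get(dn, {}).get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, {}).get("memberOf", []))
    return seen


def authorize(principal, resource, directory=DIRECTORY, acl=ACL):
    """Return True iff the authenticated principal may use resource.

    Default is deny: unknown realm, unknown user, or a resource with no
    ACL entry all yield False.
    """
    dn = principal_to_dn(principal)
    if dn is None or dn not in directory:
        return False
    allowed = acl.get(resource, set())
    return not allowed.isdisjoint(effective_groups(dn, directory))


if __name__ == "__main__":
    for who, what in [("alice@EXAMPLE.COM", "wiki:write"),
                      ("bob@EXAMPLE.COM", "wiki:write"),
                      ("alice@OTHER.REALM", "wiki:read")]:
        print(f"{who:22} {what:11} -> {'allow' if authorize(who, what) else 'deny'}")
```

Note that nothing in this code touches the ticket itself: by the time `authorize` runs, the Kerberos library has already verified the authenticator and handed over the principal name. The realm check in `principal_to_dn` is the piece most often forgotten when a service accepts cross-realm tickets.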