authenticate user via ldap bind

Charles Hedrick hedrick at rutgers.edu
Fri Aug 18 16:44:45 EDT 2023 

Freeipa (and presumably MIT kerberos) has the ability to delegate password checking to radius. This is intended to support two factor authentication, but it doesn't have to use two factors. So in principle you could use that and not have separate copies of the password in your kerberos. I've tested this but not used it in production. I wanted to be able (if necessary) to use our campus passwords for our users, so they don't need separate passwords in our departmental kerberos system.

At least in freeipa, the authentication technology used is a user attribute. So you could use native Kerberos, possibly with the native two factor support, for some users and pass the others to a radius server. You can also have more than one radius server, for different users.

________________________________
From: Kerberos <kerberos-bounces at mit.edu> on behalf of John Alex. via Kerberos <kerberos at mit.edu>
Sent: Monday, May 29, 2023 5:38 AM
To: kerberos at mit.edu <kerberos at mit.edu>
Subject: authenticate user via ldap bind

Hi list,

recently the need arose in our institution to setup a kerberos infrastructure so that
users can login on windows machines using their institutional credentials. >From what I
remember though from a mit kdc deployment I did many years ago, I had to have the user
passwords in cleartext in order to create the kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our
services currently validate user credentials by attempting an LDAP bind either directly or
via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

So my question is, is there a way to implement kerberos without knowledge of the plaintext
passwords, or do we have to somehow capture the credentials during users' login to other
services and then sync them to the kdc db?

Thanks,
John
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list