authenticate user via ldap bind

alexjl2 at thenode.info alexjl2 at thenode.info
Mon May 29 05:38:58 EDT 2023


Hi list,

recently the need arose in our institution to setup a kerberos infrastructure so that 
users can login on windows machines using their institutional credentials. From what I 
remember though from a mit kdc deployment I did many years ago, I had to have the user 
passwords in cleartext in order to create the kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our 
services currently validate user credentials by attempting an LDAP bind either directly or 
via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

So my question is, is there a way to implement kerberos without knowledge of the plaintext 
passwords, or do we have to somehow capture the credentials during users' login to other 
services and then sync them to the kdc db?

Thanks,
John


More information about the Kerberos mailing list