• authenticate user via ldap bind

    From [email protected]@21:1/5 to All on Mon May 29 12:38:58 2023
    Hi list,

    recently the need arose in our institution to set up a Kerberos infrastructure so that
    users can log in on Windows machines using their institutional credentials. From what I
    remember though from an MIT KDC deployment I did many years ago, I had to have the user
    passwords in cleartext in order to create the Kerberos principals.

    In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our
    services currently validate user credentials by attempting an LDAP bind either directly or
    via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

    So my question is, is there a way to implement Kerberos without knowledge of the plaintext
    passwords, or do we have to somehow capture the credentials during users' login to other
    services and then sync them to the KDC DB?

    Thanks,
    John

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to John Alex. via Kerberos on Mon May 29 08:12:40 2023
    "John Alex. via Kerberos" <[email protected]> writes:

    > In this instance, user passwords are stored in our LDAP server
    > (OpenLDAP), hashed. All our services currently validate user credentials
    > by attempting an LDAP bind either directly or via another protocol
    > implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).
    >
    > So my question is, is there a way to implement kerberos without
    > knowledge of the plaintext passwords, or do we have to somehow capture
    > the credentials during users' login to other services and then sync them
    > to the kdc db?

    Unfortunately, although Kerberos also stores all of the passwords hashed,
    the hashing algorithm used by Kerberos is almost certainly different than
    the hashing algorithm used by LDAP. You therefore need the cleartext
    password in order to create the KDC entry, since the point of hashing is
    that it's not reversible. The only exception would be if somehow Kerberos
    could be convinced to use the same hashing algorithm as LDAP, but I don't
    think that's the case. (The client and the KDC have to agree on a hashing
    algorithm, so this isn't a simple thing to do.)

    --
    Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

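    The point Russ makes above, worked through in code. This is an added example, not code from the thread or from MIT Kerberos or OpenLDAP: it assumes the LDAP side stores passwords as OpenLDAP `{SSHA}` (salted SHA-1) values, and it implements only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function (the final `DK(tkey, "kerberos")` step needs AES and is left out). Both derivations consume the plaintext password and nothing else usable comes out of the LDAP hash, which is why a KDC entry cannot be built from the `userPassword` attribute alone; the last function models the "derive at bind time" approach John asks about, where the only moment the plaintext exists is during a successful bind. The principal, realm and account values are constructed samples.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# ---- LDAP side: what an OpenLDAP {SSHA} userPassword looks like (assumed scheme) ----

def ldap_ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_bind_check(stored: str, password: str) -> bool:
    """What a simple bind does server-side: recompute with the stored salt and compare.
    The plaintext is needed at bind time, but only the hash is ever at rest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# ---- Kerberos side: RFC 3962 AES string-to-key, PBKDF2 stage only ----

def kerberos_default_salt(principal: str, realm: str) -> str:
    """Default salt per RFC 3962: realm, then the principal's name components, no separators."""
    return realm + "".join(principal.split("/"))


def kerberos_aes_pbkdf2(password: str, principal: str, realm: str,
                        key_len: int = 32, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function (4096 is the default
    iteration count). The real enctype then runs this through DK(tkey, "kerberos"), which
    needs AES and is omitted here; the input is still the password, never an LDAP hash."""
    salt = kerberos_default_salt(principal, realm).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_len)


def derive_kdc_key_at_bind(stored: str, password: str, principal: str, realm: str) -> Optional[bytes]:
    """Hypothetical bind hook: derive Kerberos key material only when the LDAP check passes,
    since the bind is the one point where the plaintext is available to the service."""
    if not ldap_bind_check(stored, password):
        return None
    return kerberos_aes_pbkdf2(password, principal, realm)


if __name__ == "__main__":
    # Constructed sample account; fixed salt so the output is reproducible.
    stored = ldap_ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
    print("LDAP userPassword:", stored)
    key = derive_kdc_key_at_bind(stored, "correct horse", "jdoe", "EXAMPLE.ORG")
    print("Kerberos PBKDF2 output:", key.hex() if key else None)
    print("Wrong password yields:", derive_kdc_key_at_bind(stored, "wrong", "jdoe", "EXAMPLE.ORG"))
```

    `kerberos_aes_pbkdf2` reproduces the published RFC 3962 Appendix B vector for passphrase "password", salt "ATHENA.MIT.EDUraeburn" and one iteration, so the salt construction and PBKDF2 parameters can be checked against the RFC directly.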
  • From Charles Hedrick@21:1/5 to All on Fri Aug 18 20:44:45 2023
    To: [email protected] ([email protected])

    FreeIPA (and presumably MIT Kerberos) has the ability to delegate password
    checking to RADIUS. This is intended to support two-factor authentication,
    but it doesn't have to use two factors. So in principle you could use that
    and not have separate copies of the password in your Kerberos. I've tested
    this but not used it in production. I wanted to be able (if necessary) to
    use our campus passwords for our users, so they don't need separate
    passwords in our departmental Kerberos system.

    At least in FreeIPA, the authentication technology used is a user
    attribute. So you could use native Kerberos, possibly with the native
    two-factor support, for some users and pass the others to a RADIUS server.
    You can also have more than one RADIUS server, for different users.

    Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
