Freeradius kerberos

John Dennis jdennis at
Thu Jul 8 15:56:42 CEST 2010

On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
> Hi guys,
> I have the following situation on my network...
> I have an Openldap server working as well, and it stores all my users
> informations...
> I configure a Kerberos server to use this openldap as a backend...
> We would like to implement an Single Sign On to our "web intranet" using
> kerberos tickets...
> The user will authenticates onto a freeradius server, it will refer to
> external source kerberos, and kerberos will be configured with openldap
> backend (the openldap server that i have).
> Is it possible??? Instead of freeradius directly authenticates to ldap,
> it would pass by kerberos, and kerberos communicates with openldap... if
> userame/passwork ok, the user will be authenticated and receive a
> kerberos's ticket...

That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT 
(ticket granting ticket) on behalf of the user using the supplied 
password. If the TGT request succeeds FreeRADIUS considers that a 
successful authentication. The problem is the TGT, which is *necessary* 
for single signon (software on behalf of the user supplies the TGT when 
necessary) is not available because it's not returned in the radius 
protocol. The TGT obtained by FreeRADIUS on behalf of the user is 
effectively thrown away and is not available for further use.

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list