<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:10pt">So, <span id="result_box" class="short_text"><span style="" title="">anyone have any ideas</span></span> <span id="result_box" class="short_text"><span style="" title="">how to get the TGT to make de single sign-on that I want?</span></span><div> <br></div>thiago<br><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">De:</span></b> John Dennis <jdennis@redhat.com><br><b><span style="font-weight: bold;">Para:</span></b> FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br><b><span style="font-weight: bold;">Cc:</span></b> Thiago Gonzaga B. Galvão <thiagobandinha@yahoo.com.br><br><b><span
style="font-weight: bold;">Enviadas:</span></b> Quinta-feira, 8 de Julho de 2010 10:56:42<br><b><span style="font-weight: bold;">Assunto:</span></b> Re: Freeradius kerberos<br></font><br>On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:<br>> Hi guys,<br>> <br>> I have the following situation on my network...<br>> <br>> I have an Openldap server working as well, and it stores all my users<br>> informations...<br>> <br>> I configure a Kerberos server to use this openldap as a backend...<br>> <br>> We would like to implement an Single Sign On to our "web intranet" using<br>> kerberos tickets...<br>> <br>> The user will authenticates onto a freeradius server, it will refer to<br>> external source kerberos, and kerberos will be configured with openldap<br>> backend (the openldap server that i have).<br>> <br>> Is it possible??? Instead of freeradius directly authenticates to ldap,<br>> it would
pass by kerberos, and kerberos communicates with openldap... if<br>> userame/passwork ok, the user will be authenticated and receive a<br>> kerberos's ticket...<br><br>That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket granting ticket) on behalf of the user using the supplied password. If the TGT request succeeds FreeRADIUS considers that a successful authentication. The problem is the TGT, which is *necessary* for single signon (software on behalf of the user supplies the TGT when necessary) is not available because it's not returned in the radius protocol. The TGT obtained by FreeRADIUS on behalf of the user is effectively thrown away and is not available for further use.<br><br>-- John Dennis <<a ymailto="mailto:jdennis@redhat.com" href="mailto:jdennis@redhat.com">jdennis@redhat.com</a>><br><br>Looking to carve out IT costs?<br><span><a target="_blank"
href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a></span><br></div></div>
</div><br>
</body></html>