On Jun 14, 2015 12:31 PM, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
Maybe, if other people want that, could they speak up now? Or are other
people wanting the same type of authentication as the OP described?
Speaking up... While I would like the ability to have radius authenticate to ldap via kerberos ticketing / keytab / gssapi / sasl, my scenario would differ in that I am only using ldap for AuthZ. AuthN is handled by my kerberos instances. I see application of keytab usage also benefiting interactions with AD. Maybe its just me, but I see the use of a keytab as "more secure" or maybe "less insecure" than having a password in a config file. Granted file permissions and the use of a "throw away ID" are best practices for this kind of setup, I still would favor the keytab use in addition to those steps.