Hi, On Sun, Jun 14, 2015 at 8:13 PM, brendan kearney <bpk678@gmail.com> wrote:
On Jun 14, 2015 12:31 PM, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
Maybe, if other people want that, could they speak up now? Or are other
people wanting the same type of authentication as the OP described?
Speaking up...
While I would like the ability to have radius authenticate to ldap via kerberos ticketing / keytab / gssapi / sasl, my scenario would differ in that I am only using ldap for AuthZ. AuthN is handled by my kerberos instances.
If I got Arran's comment correctly then setting KRB5_CLIENT_KTNAME could work for that (KRB5_KTNAME is for acceptors, not initiators AFAI understand: http://web.mit.edu/kerberos/krb5-1.13/doc/basic/keytab_def.html). Or you are concern it might impact on the AuthN modules? I haven't tested or actually looked at the code just thinking outloud.
I see application of keytab usage also benefiting interactions with AD.
Maybe its just me, but I see the use of a keytab as "more secure" or maybe "less insecure" than having a password in a config file. Granted file permissions and the use of a "throw away ID" are best practices for this kind of setup, I still would favor the keytab use in addition to those steps.
Well, keytab contains the key[s] (which may have been derived from user's secret) so AFAI understand they are password equivalent. Regards, Isaac B.