Good Morning All; I am looking for direction into correcting an issue with FR 2.X authenticating against a Krb5 directory with Hardware Pre-Auth enabled. Currently I am not finding any luck in getting this off the ground. Thank you Larry Ross Network Operations University California Davis http://www-noc.ucdavis.edu lfross@ucdavis.edu<mailto:lfross@ucdavis.edu>
On 08/20/2009 01:05 PM, Larry Ross wrote:
Good Morning All;
I am looking for direction into correcting an issue with FR 2.X authenticating against a Krb5 directory with Hardware Pre-Auth enabled. Currently I am not finding any luck in getting this off the ground.
I don't know what Hardware Pre-Auth is, I presume you mean Kerberos Pre-Authentication. I also don't know what a Krb5 directory is, I presume you mean binding to a LDAP directory using Kerberos and not performing Kerberos authentication against a KDC. In the future please try to use the correct terminology so we don't have to guess how to help you. The rlm_ldap module can only do simple binds with a password. If you want to perform a LDAP bind with Kerberos the rlm_ldap would have to use SASL with the GSSAPI mechanism. I have a patch which does this (but it's against the old 1.x rlm_ldap). If you mean Kerberos authentication against a KDC you're also out of luck, rlm_krb5 does not provide Kerberos pre-authentication data nor does it respond to the KDC_ERR_PREAUTH_REQUIRED message. Patches welcome. You may have better luck disabling pre-authenication. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (2)
-
John Dennis -
Larry Ross