Hi guys, I have the following situation on my network... I have an Openldap server working as well, and it stores all my users informations... I configure a Kerberos server to use this openldap as a backend... We would like to implement an Single Sign On to our "web intranet" using kerberos tickets... The user will authenticates onto a freeradius server, it will refer to external source kerberos, and kerberos will be configured with openldap backend (the openldap server that i have). Is it possible??? Instead of freeradius directly authenticates to ldap, it would pass by kerberos, and kerberos communicates with openldap... if userame/passwork ok, the user will be authenticated and receive a kerberos's ticket... And my clients are mostly windows... Is it possible with this scenario that I want, windows clients get kerberos tickets to make a Single Sign On, on my web intranet? Regards, Thiago
Thiago Gonzaga B. Galvão wrote:
The user will authenticates onto a freeradius server, it will refer to external source kerberos, and kerberos will be configured with openldap backend (the openldap server that i have).
Is it possible??? Instead of freeradius directly authenticates to ldap, it would pass by kerberos, and kerberos communicates with openldap... if userame/passwork ok, the user will be authenticated and receive a kerberos's ticket...
The user *cannot* receive a kerberos ticket via RADIUS. That is simply not possible. They will need to use normal username/password authentication only. Alan DeKok.
On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
Hi guys,
I have the following situation on my network...
I have an Openldap server working as well, and it stores all my users informations...
I configure a Kerberos server to use this openldap as a backend...
We would like to implement an Single Sign On to our "web intranet" using kerberos tickets...
The user will authenticates onto a freeradius server, it will refer to external source kerberos, and kerberos will be configured with openldap backend (the openldap server that i have).
Is it possible??? Instead of freeradius directly authenticates to ldap, it would pass by kerberos, and kerberos communicates with openldap... if userame/passwork ok, the user will be authenticated and receive a kerberos's ticket...
That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket granting ticket) on behalf of the user using the supplied password. If the TGT request succeeds FreeRADIUS considers that a successful authentication. The problem is the TGT, which is *necessary* for single signon (software on behalf of the user supplies the TGT when necessary) is not available because it's not returned in the radius protocol. The TGT obtained by FreeRADIUS on behalf of the user is effectively thrown away and is not available for further use. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
So, anyone have any ideas how to get the TGT to make de single sign-on that I want? thiago ________________________________ De: John Dennis <jdennis@redhat.com> Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Thiago Gonzaga B. Galvão <thiagobandinha@yahoo.com.br> Enviadas: Quinta-feira, 8 de Julho de 2010 10:56:42 Assunto: Re: Freeradius kerberos On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
Hi guys,
I have the following situation on my network...
I have an Openldap server working as well, and it stores all my users informations...
I configure a Kerberos server to use this openldap as a backend...
We would like to implement an Single Sign On to our "web intranet" using kerberos tickets...
The user will authenticates onto a freeradius server, it will refer to external source kerberos, and kerberos will be configured with openldap backend (the openldap server that i have).
Is it possible??? Instead of freeradius directly authenticates to ldap, it would pass by kerberos, and kerberos communicates with openldap... if userame/passwork ok, the user will be authenticated and receive a kerberos's ticket...
That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket granting ticket) on behalf of the user using the supplied password. If the TGT request succeeds FreeRADIUS considers that a successful authentication. The problem is the TGT, which is *necessary* for single signon (software on behalf of the user supplies the TGT when necessary) is not available because it's not returned in the radius protocol. The TGT obtained by FreeRADIUS on behalf of the user is effectively thrown away and is not available for further use. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Fri, Jul 09, 2010 at 07:17:30AM -0700, Thiago Gonzaga B. Galv?o wrote:
So, anyone have any ideas how to get the TGT to make de single sign-on that I want?
Authenticate using something that actually returns a TGT, instead of going through RADIUS? For web pages there are already a handful of packages that do this, look for WebAuth, Pubcookie or Cosign. -- Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/
Hello Thomas, You said me to use something that actually returns a TGT, instead of going through RADIUS... And you quoted WebAuth, Pubcookie or Cosign... But when I use one of them, they will return me really a krbtgt(TGT Kerberos) or a cookie? regards thiago ________________________________ De: Thomas Kula <kula@tproa.net> Para: freeradius-users@lists.freeradius.org Enviadas: Sexta-feira, 9 de Julho de 2010 11:25:39 Assunto: Re: Res: Freeradius kerberos On Fri, Jul 09, 2010 at 07:17:30AM -0700, Thiago Gonzaga B. Galv?o wrote:
So, anyone have any ideas how to get the TGT to make de single sign-on that I want?
Authenticate using something that actually returns a TGT, instead of going through RADIUS? For web pages there are already a handful of packages that do this, look for WebAuth, Pubcookie or Cosign. -- Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07/14/2010 04:16 PM, Thiago Gonzaga B. Galvão wrote:
Hello Thomas, You said me to use something that actually returns a TGT, instead of going through RADIUS... And you quoted WebAuth, Pubcookie or Cosign... But when I use one of them, they will return me really a krbtgt(TGT Kerberos) or a cookie?
As has been suggested earlier you need to take this discussion elsewhere. Radius does not provide single signon thus discussions of how to deploy a single signon solution are off-topic. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I'm sorry john... Yes I know it... It was to respond only to Thomas, but when I saw I had sent the question to the entire list... so sorry, thiago ________________________________ De: John Dennis <jdennis@redhat.com> Para: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Thiago Gonzaga B. Galvão <thiagobandinha@yahoo.com.br> Enviadas: Quarta-feira, 14 de Julho de 2010 18:01:23 Assunto: Re: Res: Res: Freeradius kerberos On 07/14/2010 04:16 PM, Thiago Gonzaga B. Galvão wrote:
Hello Thomas, You said me to use something that actually returns a TGT, instead of going through RADIUS... And you quoted WebAuth, Pubcookie or Cosign... But when I use one of them, they will return me really a krbtgt(TGT Kerberos) or a cookie?
As has been suggested earlier you need to take this discussion elsewhere. Radius does not provide single signon thus discussions of how to deploy a single signon solution are off-topic. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 09/07/10 15:17, Thiago Gonzaga B. Galvão wrote:
So, anyone have any ideas how to get the TGT to make de single sign-on that I want?
This is not a Radius issue and not a FreeRadius question, and doesn't belong on this mailing list. Google "mod_auth_kerb"
participants (5)
-
Alan DeKok -
John Dennis -
Phil Mayers -
Thiago Gonzaga B. Galvão -
Thomas Kula