Kerberos Hardware Pre_auth
John Dennis
jdennis at redhat.com
Thu Aug 20 21:32:34 CEST 2009
On 08/20/2009 01:05 PM, Larry Ross wrote:
> Good Morning All;
>
> I am looking for direction into correcting an issue with FR 2.X
> authenticating against a Krb5 directory with Hardware Pre-Auth enabled.
> Currently I am not finding any luck in getting this off the ground.

I don't know what Hardware Pre-Auth is, I presume you mean Kerberos
Pre-Authentication. I also don't know what a Krb5 directory is, I
presume you mean binding to an LDAP directory using Kerberos and not
performing Kerberos authentication against a KDC. In the future please
try to use the correct terminology so we don't have to guess how to help
you.

The rlm_ldap module can only do simple binds with a password. If you
want to perform an LDAP bind with Kerberos the rlm_ldap would have to use
SASL with the GSSAPI mechanism. I have a patch which does this (but it's
against the old 1.x rlm_ldap).

If you mean Kerberos authentication against a KDC you're also out of
luck, rlm_krb5 does not provide Kerberos pre-authentication data nor
does it respond to the KDC_ERR_PREAUTH_REQUIRED message. Patches welcome.

You may have better luck disabling pre-authentication.

--
John Dennis <jdennis at redhat.com>