Re: Freeradius kerberos
Thiago Gonzaga B. Galvão
thiagobandinha at yahoo.com.br
Fri Jul 9 16:17:30 CEST 2010
So, does anyone have any ideas how to get the TGT to make the single sign-on that I
From: John Dennis <jdennis at redhat.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Thiago Gonzaga B. Galvão <thiagobandinha at yahoo.com.br>
Sent: Thursday, July 8, 2010 10:56:42
Subject: Re: Freeradius kerberos
On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
> Hi guys,
> I have the following situation on my network...
> I have an OpenLDAP server working as well, and it stores all my users.
> I configured a Kerberos server to use this OpenLDAP as a backend...
> We would like to implement a Single Sign On to our "web intranet" using
> Kerberos tickets...
> The user will authenticate onto a FreeRADIUS server, it will refer to an
> external source, Kerberos, and Kerberos will be configured with an OpenLDAP
> backend (the OpenLDAP server that I have).
> Is it possible??? Instead of FreeRADIUS directly authenticating to LDAP,
> it would pass by Kerberos, and Kerberos communicates with OpenLDAP... if
> username/password ok, the user will be authenticated and receive a
> Kerberos ticket...
That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket
granting ticket) on behalf of the user using the supplied password. If the TGT
request succeeds, FreeRADIUS considers that a successful authentication. The
problem is that the TGT, which is *necessary* for single signon (software on behalf
of the user supplies the TGT when necessary), is not available because it's not
returned in the RADIUS protocol. The TGT obtained by FreeRADIUS on behalf of the
user is effectively thrown away and is not available for further use.
-- John Dennis <jdennis at redhat.com>
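To make John's point concrete, here is an added example (not code from the thread or from FreeRADIUS) of what a RADIUS server can do with a user's password when it "authenticates against Kerberos": request a TGT into a throw-away credential cache, treat success as Access-Accept, and destroy the cache, because the RADIUS reply has no way to carry the ticket back to the client. It assumes MIT Kerberos `kinit` on PATH reading the password from stdin (Heimdal needs `--password-file=STDIN` instead) and a reachable KDC; the principal name is a constructed placeholder.

```python
import os
import subprocess
import tempfile


def verify_password_via_tgt(principal, password, kinit="kinit", timeout=10):
    """Return True if the KDC issues a TGT for principal/password, else False.

    Mirrors the rlm_krb5 behaviour described in the thread: the TGT lands in a
    private credential cache that is deleted before returning, so the ticket
    never leaves this process and cannot be reused for single sign-on.
    """
    # Private cache for this one request; KRB5CCNAME keeps it away from any
    # cache belonging to the radiusd user itself.
    fd, ccache = tempfile.mkstemp(prefix="radius-krb5-")
    os.close(fd)
    env = dict(os.environ, KRB5CCNAME="FILE:" + ccache)
    try:
        proc = subprocess.run(
            [kinit, principal],
            input=(password + "\n").encode(),  # MIT kinit prompts on stdin
            env=env,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
        # Exit status 0 means the AS exchange succeeded, i.e. the password
        # was right; anything else (bad password, no KDC) is a reject.
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False
    finally:
        # Nothing in the RADIUS reply can carry the TGT, so there is nothing
        # to keep it for: destroy the cache unconditionally.
        try:
            os.unlink(ccache)
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    import getpass
    import sys

    # Constructed placeholder principal; pass a real one as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else "alice@EXAMPLE.COM"
    ok = verify_password_via_tgt(user, getpass.getpass("Password: "))
    print("Access-Accept" if ok else "Access-Reject")
```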