Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Sun Jun 14 19:53:48 CEST 2015


Hi,

On Sun, Jun 14, 2015 at 8:13 PM, brendan kearney <bpk678 at gmail.com> wrote:
> On Jun 14, 2015 12:31 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
> wrote:
>>
>> Maybe, if other people want that, could they speak up now? Or are other
>> people wanting the same type of authentication as the OP described?
>>
> Speaking up...
>
> While I would like the ability to have radius authenticate to ldap via
> kerberos ticketing / keytab / gssapi / sasl, my scenario would differ in
> that I am only using ldap for AuthZ. AuthN is handled by my kerberos
> instances.

If I got Arran's comment correctly, then setting KRB5_CLIENT_KTNAME
could work for that (KRB5_KTNAME is for acceptors, not initiators, as far as I
understand: http://web.mit.edu/kerberos/krb5-1.13/doc/basic/keytab_def.html).
Or are you concerned it might impact the AuthN modules?
I haven't tested or actually looked at the code, just thinking out loud.

> I see application of keytab usage also benefiting interactions with AD.
>
> Maybe it's just me, but I see the use of a keytab as "more secure" or maybe
> "less insecure" than having a password in a config file. Granted, file
> permissions and the use of a "throw away ID" are best practices for this
> kind of setup; I still would favor the keytab use in addition to those
> steps.

Well, a keytab contains the key[s] (which may have been derived from the
user's secret), so as far as I understand they are password equivalent.

Regards,
Isaac B.
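An added example, not from this thread or from FreeRADIUS, of the initiator-side keytab setup the reply suggests: the client library is pointed at the keytab via KRB5_CLIENT_KTNAME (the initiator variable, as opposed to KRB5_KTNAME for acceptors), and because the keytab is password-equivalent, the helper refuses to use one that group or other can read. The keytab path, LDAP URI and the `ldapwhoami` check are assumptions.

```sh
#!/bin/sh
# Added example: make a GSSAPI SASL bind to LDAP work from a keytab, without
# an interactive kinit, by exporting KRB5_CLIENT_KTNAME for the process tree.
# KRB5_CLIENT_KTNAME is read by MIT krb5 initiators (1.11+); KRB5_KTNAME is
# the acceptor-side variable and is deliberately not used here.

# Return 0 when the keytab is readable only by its owner (mode 0600 or
# tighter), 1 when group/other bits are set, 2 when the file is missing.
# Parses `ls -ld` so it works on both GNU and BSD userlands.
keytab_perms_ok() {
    ktfile="$1"
    [ -f "$ktfile" ] || return 2
    case "$(ls -ld "$ktfile" | cut -c5-10)" in
        ------) return 0 ;;   # group and other have no access
        *)      return 1 ;;   # group/other can read or write the keytab
    esac
}

# Export the client keytab for GSSAPI initiators in this shell.
# Refuses (returns 1) rather than exporting a keytab others can read.
use_client_keytab() {
    ktfile="$1"
    keytab_perms_ok "$ktfile" || return 1
    KRB5_CLIENT_KTNAME="$ktfile"
    export KRB5_CLIENT_KTNAME
    return 0
}

# Bind with GSSAPI and print the resulting authorization identity; with no
# credential cache present the TGT is obtained from KRB5_CLIENT_KTNAME.
gssapi_whoami() {
    ldap_uri="$1"   # assumed, e.g. ldap://ldap.example.com
    ldapwhoami -Y GSSAPI -H "$ldap_uri"
}

# Usage (not executed here; assumed keytab path and host):
#   use_client_keytab /etc/raddb/ldap-client.keytab &&
#       gssapi_whoami ldap://ldap.example.com
```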

