Authenticate to LDAP with GSSAPI
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Jun 15 19:24:19 CEST 2015
> On Jun 15, 2015, at 10:36 AM, Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Sun, Jun 14, 2015 at 10:19 PM, brendan kearney <bpk678 at gmail.com> wrote:
>>> Well, keytab contains the key[s] (which may have been derived from
>>> user's secret) so AFAI understand they are password equivalent.
>>>
>>> Regards,
>>> Isaac B.
>>
>> agreed, hence my "less insecure" notion, but those Risk Management types
>> can check their check box about passwords not being stored in the clear on
>> the file system.
>
> To be more accurate it might depend on the key type.
> Generally RC4 keys are unsalted hash of the password (specifically
> nt-hash, see RFC 4757).
> Perhaps salted keys could be considered somewhat better.
Ok, well for service authentication, as Isaac quite rightly said, KRB5_CLIENT_KTNAME is the environmental variable you need to specify the keytab.
Once you have that set, SASL/GSSAPI should just work in v3.0.x HEAD rlm_ldap.
I got about 70% through writing the user auth/autz modifications last night; I'll try to push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other Kerberos operations.
-Arran
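The practical takeaway from the thread is twofold: point the client library at the keytab with KRB5_CLIENT_KTNAME, and treat that keytab as password-equivalent on disk. The following script is an added example, not code from the thread or from the FreeRADIUS project: it refuses to export KRB5_CLIENT_KTNAME until the keytab exists and is not readable by group or other, then optionally lists its entries with MIT's `klist -k`. The keytab path is a hypothetical placeholder, and `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): gate KRB5_CLIENT_KTNAME on the
# keytab's on-disk permissions, since its keys are password-equivalent.

# check_keytab PATH
# Returns 0 when PATH is a regular file with no group/other permission bits;
# returns 1 (with a message on stderr) otherwise.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab missing: $kt" >&2; return 1; }
    # Octal mode, e.g. 600 (GNU stat; BSD stat would need -f '%Lp')
    mode=$(stat -c '%a' "$kt" 2>/dev/null) || return 1
    case "$mode" in
        # group digit non-zero, or other digit non-zero: reject
        *[1-7][0-7]|*[1-7])
            echo "keytab $kt mode $mode is group/world accessible" >&2
            return 1 ;;
    esac
    return 0
}

# export_keytab_env PATH
# Exports KRB5_CLIENT_KTNAME only after check_keytab accepts the file.
export_keytab_env() {
    check_keytab "$1" || return 1
    KRB5_CLIENT_KTNAME="$1"
    export KRB5_CLIENT_KTNAME
}

# Hypothetical keytab location; override with KEYTAB=/path in the environment.
KEYTAB="${KEYTAB:-/etc/freeradius/freeradius.keytab}"

if export_keytab_env "$KEYTAB"; then
    echo "KRB5_CLIENT_KTNAME=$KRB5_CLIENT_KTNAME"
    # Show principals and enctypes (RC4 entries are the unsalted NT-hash
    # case mentioned in the thread). Skipped if MIT klist is not installed.
    if command -v klist >/dev/null 2>&1; then
        klist -k -t -e "$KRB5_CLIENT_KTNAME" || true
    fi
fi
```

Run it as the user the LDAP client will execute as, before starting the service, so that a too-permissive keytab is caught at deploy time rather than silently used.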