We are re-architecting our whole authentication backend, and I am having a hard time trying to understand how Kerberos, LDAP, and RADIUS can all fit together. We currently use RADIUS and LDAP to do AAA and group-based security, but we are going to want to have SSO functionality (thus introducing Kerberos).

I think I can see how Kerberos and LDAP fit together with group-based security: a user will authenticate with Kerberos' authentication server, then attempt to be assigned a ticket by the ticket granting server; the ticket granting server will query LDAP to see if the user has access to the resource, based on the groups that user is a part of.

My problem is trying to figure out where RADIUS comes into the mix. It seems like there are two options, but both seem to have problems:

1. Have authentication point to the Kerberos server, which will authenticate against RADIUS: but this doesn't make sense, because when you authenticate against Kerberos there is no password passed from client to server, so how will Kerberos be able to tell if that user/pass is accepted via RADIUS?

2. Have authentication point to RADIUS, and have it authenticate against Kerberos: this defeats a whole security aspect of Kerberos not passing the user's password to the server, and how is it possible for the client to have the Kerberos ticket?

Maybe I am missing something, or maybe this is just not possible. Any insight/tutorials/etc. would be helpful; there is not much on this topic available.

Thanks.

-- MAT

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
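The two arrangements the post weighs can be made concrete with a small simulation of the exchanges involved. The following is an added example written for this page, not code from the poster or from any Kerberos or RADIUS implementation: it models a Kerberos AS exchange with encrypted-timestamp pre-authentication (the KDC holds only the long-term key derived from the password, never the password itself, which is why option 1 has nothing to forward to RADIUS), and then builds option 2 on top of it, a RADIUS server that receives a PAP password and validates it by running an AS exchange on the user's behalf before checking group membership. The realm, the principal database, the group map and the toy authenticated encryption (an HMAC keystream plus a MAC standing in for Kerberos' real enctypes) are all constructed for the example.

```python
"""Toy model of Kerberos pre-authentication and a RADIUS front end that
validates PAP passwords through it. Constructed example; the cipher,
principal database and group map are stand-ins, not real implementations."""
import hashlib
import hmac
import os

REALM = "EXAMPLE.COM"      # assumed realm name
TGS_KEY = os.urandom(32)   # the KDC's own key for sealing TGTs
SKEW = 300                 # Kerberos-style clock-skew window, in seconds


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the KDC stores this, not the password."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || tag."""
    nonce = os.urandom(16)
    stream = hmac.new(key, b"stream" + nonce, "sha256").digest()
    assert len(plaintext) <= len(stream)  # toy limit: at most 32 bytes of plaintext
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    stream = hmac.new(key, b"stream" + nonce, "sha256").digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class KDC:
    """Authentication Server half of the AS exchange with PA-ENC-TIMESTAMP."""

    def __init__(self, principals: dict):
        self.db = principals  # principal -> long-term key (never the password)

    def as_exchange(self, principal: str, pa_enc_timestamp: bytes, now: int):
        key = self.db.get(principal)
        if key is None:
            return None, "unknown principal"
        ts = unseal(key, pa_enc_timestamp)
        if ts is None:
            return None, "pre-auth failed"  # client derived a different key
        if abs(int.from_bytes(ts, "big") - now) > SKEW:
            return None, "clock skew"
        # Only the key can be checked here; there is no password to hand to
        # RADIUS, which is why option 1 in the post cannot work.
        return seal(TGS_KEY, principal.encode()), "ok"


def kerberos_login(kdc: KDC, principal: str, password: str, now: int):
    """Client side: prove knowledge of the key by encrypting the current time."""
    key = string_to_key(password, principal)
    return kdc.as_exchange(principal, seal(key, now.to_bytes(8, "big")), now)


class RadiusServer:
    """Option 2: RADIUS receives a PAP password, validates it with an AS
    exchange, then applies LDAP-style group authorization (inline stand-in)."""

    def __init__(self, kdc: KDC, groups: dict):
        self.kdc, self.groups = kdc, groups

    def access_request(self, user: str, password: str, now: int, need_group: str):
        # The cleartext password does reach this server (the cost the post
        # points out); the KDC itself still only ever sees the pre-auth blob.
        tgt, status = kerberos_login(self.kdc, user, password, now)
        if tgt is None:
            return "Access-Reject", status
        if need_group not in self.groups.get(user, ()):
            return "Access-Reject", "not in group"
        return "Access-Accept", "ok"


# Constructed deployment: one principal and one group mapping.
PRINCIPALS = {"mat": string_to_key("hunter2", "mat")}
GROUPS = {"mat": {"vpn-users"}}
KDC_INSTANCE = KDC(PRINCIPALS)
RADIUS = RadiusServer(KDC_INSTANCE, GROUPS)
NOW = 1_700_000_000  # fixed clock so the run is repeatable


def demo() -> dict:
    """Run the success path and each failure mode through the RADIUS front end."""
    stale = seal(PRINCIPALS["mat"], (NOW - 3600).to_bytes(8, "big"))
    return {
        "good": RADIUS.access_request("mat", "hunter2", NOW, "vpn-users"),
        "bad_password": RADIUS.access_request("mat", "wrong", NOW, "vpn-users"),
        "bad_group": RADIUS.access_request("mat", "hunter2", NOW, "admins"),
        "unknown": RADIUS.access_request("nobody", "x", NOW, "vpn-users"),
        "skew": KDC_INSTANCE.as_exchange("mat", stale, NOW)[1],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} -> {result}")
```

The model makes the asymmetry visible: the KDC's database holds keys, so a Kerberos server has nothing it could pass to a RADIUS backend (option 1), while a RADIUS server holding the PAP password can always act as a Kerberos client (option 2). That second arrangement is the one real bridges such as FreeRADIUS' rlm_krb5 use, and the ticket it obtains is used only to validate the password; the user's own workstation still has to run its own AS exchange to hold a TGT for SSO.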