Freeipa (and presumably MIT kerberos) has the ability to delegate password checking to radius. This is intended to support two factor authentication, but it doesn't have to use two factors. So in principle you could use that and not have separate copies of the password in your kerberos. I've tested this but not used it in production. I wanted to be able (if necessary) to use our campus passwords for our users, so they don't need separate passwords in our departmental kerberos system.
At least in freeipa, the authentication technology used is a user attribute. So you could use native Kerberos, possibly with the native two factor support, for some users and pass the others to a radius server. You can also have more than one radius server, for different users. ________________________________ From: Kerberos <kerberos-boun...@mit.edu> on behalf of John Alex. via Kerberos <kerberos@mit.edu> Sent: Monday, May 29, 2023 5:38 AM To: kerberos@mit.edu <kerberos@mit.edu> Subject: authenticate user via ldap bind Hi list, recently the need arose in our institution to setup a kerberos infrastructure so that users can login on windows machines using their institutional credentials. From what I remember though from a mit kdc deployment I did many years ago, I had to have the user passwords in cleartext in order to create the kerberos principals. In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our services currently validate user credentials by attempting an LDAP bind either directly or via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc). So my question is, is there a way to implement kerberos without knowledge of the plaintext passwords, or do we have to somehow capture the credentials during users' login to other services and then sync them to the kdc db? Thanks, John ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos