Re: authenticate user via ldap bind

2023-08-18 Thread Charles Hedrick via Kerberos
FreeIPA (and presumably MIT Kerberos) has the ability to delegate password 
checking to RADIUS. This is intended to support two-factor authentication, but 
it doesn't have to use two factors. So in principle you could use that and not 
have separate copies of the password in your Kerberos. I've tested this but not 
used it in production. I wanted to be able (if necessary) to use our campus 
passwords for our users, so they don't need separate passwords in our 
departmental Kerberos system.

At least in FreeIPA, the authentication technology used is a user attribute. So 
you could use native Kerberos, possibly with the native two-factor support, for 
some users and pass the others to a RADIUS server. You can also have more than 
one RADIUS server, for different users.


From: Kerberos  on behalf of John Alex. via Kerberos 

Sent: Monday, May 29, 2023 5:38 AM
To: kerberos@mit.edu 
Subject: authenticate user via ldap bind

Hi list,

recently the need arose in our institution to set up a Kerberos infrastructure 
so that users can log in on Windows machines using their institutional 
credentials. From what I remember though from an MIT KDC deployment I did many 
years ago, I had to have the user passwords in cleartext in order to create the 
Kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), 
hashed. All our services currently validate user credentials by attempting an 
LDAP bind either directly or via another protocol implementation (Shibboleth 
IdP, FreeRADIUS, Keycloak etc).

So my question is, is there a way to implement Kerberos without knowledge of 
the plaintext passwords, or do we have to somehow capture the credentials 
during users' login to other services and then sync them to the KDC db?

Thanks,
John

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: authenticate user via ldap bind

2023-05-29 Thread Russ Allbery
"John Alex. via Kerberos"  writes:

> In this instance, user passwords are stored in our LDAP server
> (OpenLDAP), hashed. All our services currently validate user credentials
> by attempting an LDAP bind either directly or via another protocol
> implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

> So my question is, is there a way to implement kerberos without
> knowledge of the plaintext passwords, or do we have to somehow capture
> the credentials during users' login to other services and then sync them
> to the kdc db?

Unfortunately, although Kerberos also stores all of the passwords hashed,
the hashing algorithm used by Kerberos is almost certainly different than
the hashing algorithm used by LDAP.  You therefore need the cleartext
password in order to create the KDC entry, since the point of hashing is
that it's not reversible.  The only exception would be if somehow Kerberos
could be convinced to use the same hashing algorithm as LDAP, but I don't
think that's the case.  (The client and the KDC have to agree on a hashing
algorithm, so this isn't a simple thing to do.)

-- 
Russ Allbery (ea...@eyrie.org) 

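As an added illustration of Russ's point (not code from the thread or from any of the projects named), the following stdlib-only Python derives an OpenLDAP {SSHA} hash and an RFC 8009 aes128-cts-hmac-sha256-128 Kerberos long-term key from the same plaintext. Both are one-way functions with different salts and algorithms, so neither value can be computed from the other; the only moment both can be populated is when the plaintext is in hand, which is what the "capture and sync" option amounts to. The password, realm and principal are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed sample values, not taken from the thread.
PASSWORD = "correct horse battery staple"
REALM, PRINCIPAL = "EXAMPLE.EDU", "john"


def ldap_ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ldap_ssha_verify(stored, candidate):
    """An LDAP bind re-hashes the candidate; the stored digest is never reversed."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    recomputed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def krb_string_to_key(password, realm, principal, iter_count=32768):
    """RFC 8009 string-to-key for aes128-cts-hmac-sha256-128 (16-byte key)."""
    salt = (realm + principal).encode()           # default Kerberos salt: realm || name
    saltp = b"aes128-cts-hmac-sha256-128" + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac("sha256", password.encode(), saltp, iter_count, 16)
    # base-key = KDF-HMAC-SHA2(tkey, "kerberos", 128): SP 800-108 counter mode,
    # a single HMAC block: HMAC(tkey, 0x00000001 || label || 0x00 || k-bits).
    msg = struct.pack(">I", 1) + b"kerberos" + b"\x00" + struct.pack(">I", 128)
    return hmac.new(tkey, msg, "sha256").digest()[:16]


def provision(password, realm, principal):
    """Populate both stores from the one plaintext; there is no path between them."""
    return {
        "ldap": ldap_ssha_hash(password),
        "kdc": krb_string_to_key(password, realm, principal),
    }


if __name__ == "__main__":
    entry = provision(PASSWORD, REALM, PRINCIPAL)
    print("LDAP :", entry["ldap"])
    print("KDC  :", entry["kdc"].hex())
    print("bind ok:", ldap_ssha_verify(entry["ldap"], PASSWORD))
```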