On to, 31 elo 2017, Charles Hedrick via FreeIPA-users wrote:
We have a department that would like to use IPA, but would like users to use
their University passwords.
I conjecture that we can do that by generating users with random
passwords, but setting the default authentication as RADIUS, and using
a RADIUS server that authenticates with the University using LDAP.
Does this sound workable?
This would only work for Kerberos and would require use of 2FA feature
because we only support RADIUS-based authentication for Kerberos. In
this case Kerberos KDC needs to get access to a plain-text of a password
that will be forwarded to a RADIUS server and it means it has to use a
FAST channel (in Kerberos terms). So this all would work for SSSD on
enrolled IPA clients starting with RHEL 7.0 or similar version of CentOS
(or Fedora 22+ if I recall correctly).
For LDAP binds this is not a supported configuration.
/ Alexander Bokovoy
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org