On 07/07/2010 06:21 PM, Thiago Gonzaga B. Galvão wrote:
Hi guys,

I have the following situation on my network...

I have an OpenLDAP server working well, and it stores all my users'
information...

I configured a Kerberos server to use this OpenLDAP as a backend...

We would like to implement a Single Sign-On for our "web intranet" using
Kerberos tickets...

The user will authenticate to a FreeRADIUS server, which will refer to an
external Kerberos source, and Kerberos will be configured with the OpenLDAP
backend (the OpenLDAP server that I have).

Is it possible??? Instead of FreeRADIUS authenticating directly to LDAP,
it would go through Kerberos, and Kerberos would communicate with OpenLDAP... if
the username/password is OK, the user will be authenticated and receive a
Kerberos ticket...

That's not how Kerberos works. What FreeRADIUS can do is obtain a TGT (ticket-granting ticket) on behalf of the user using the supplied password. If the TGT request succeeds, FreeRADIUS considers that a successful authentication. The problem is that the TGT, which is *necessary* for single sign-on (software on behalf of the user supplies the TGT when necessary), is not available because it is not returned in the RADIUS protocol. The TGT obtained by FreeRADIUS on behalf of the user is effectively thrown away and is not available for further use.

--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html