> On Nov 13, 2015, at 10:50 , Mohamed Hamid
> <[email protected]> wrote:
>
> Hi Louis
>
> Many thanks for your kind reply.
>
> To clarify
>
> I do not store any password hashes in OpenLDAP, all hashes are kept in
> Kerberos. I use SASL to bridge incoming user auth requests between OpenLDAP
> and Kerberos.
>
> So OpenLDAP does not see any hashes.
>
> Can user-based authentication still be achieved here?
Without the hashes you cannot authenticate using PEAP.
That is not a limitation of PacketFence but of the PEAP protocol itself.
What you could try is setting up a captive-portal that authenticates users
against your LDAP directory and then use provisioning to configure EAP-TLS
authentication with your own Certification Authority.
It’s hard to recommend something for sure not knowing the details of your
existing configuration.
You may have to play around with PacketFence a bit to find what works best for
you.
Your real difficulty will be that devices (especially Windows) often don’t
support anything apart from PEAP and EAP-TLS with PKI.
Those are the two protocols that work the best, but without hashes you cannot
use PEAP and EAP-TLS will require that you distribute the CA and client
certificates as well as configure the supplicants to use them.
Keep us informed. Those look like interesting problems to have (which is, I
believe, an old Chinese curse).
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users