1. Forum
  2. USENET
  3. comp.protocols.kerberos

  • authenticate user via ldap bind

    From alexjl2@alexjl2@thenode.info to kerberos on Mon May 29 12:38:58 2023
    From Newsgroup: comp.protocols.kerberos

    Hi list,

    recently the need arose in our institution to setup a kerberos infrastructure so that
    users can login on windows machines using their institutional credentials. From what I
    remember though from a mit kdc deployment I did many years ago, I had to have the user
    passwords in cleartext in order to create the kerberos principals.

    In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our
    services currently validate user credentials by attempting an LDAP bind either directly or
    via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

    So my question is, is there a way to implement kerberos without knowledge of the plaintext
    passwords, or do we have to somehow capture the credentials during users' login to other
    services and then sync them to the kdc db?

    Thanks,
    John
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Russ Allbery@eagle@eyrie.org to John Alex. via Kerberos on Mon May 29 08:12:40 2023
    From Newsgroup: comp.protocols.kerberos

    "John Alex. via Kerberos" <kerberos@mit.edu> writes:

    In this instance, user passwords are stored in our LDAP server
    (OpenLDAP), hashed. All our services currently validate user credentials
    by attempting an LDAP bind either directly or via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

    So my question is, is there a way to implement kerberos without
    knowledge of the plaintext passwords, or do we have to somehow capture
    the credentials during users' login to other services and then sync them
    to the kdc db?

    Unfortunately, although Kerberos also stores all of the passwords hashed,
    the hashing algorithm used by Kerberos is almost certainly different than
    the hashing algorithm used by LDAP. You therefore need the cleartext
    password in order to create the KDC entry, since the point of hashing is
    that it's not reversible. The only exception would be if somehow Kerberos could be convinced to use the same hashing algorithm as LDAP, but I don't
    think that's the case. (The client and the KDC have to agree on a hashing algorithm, so this isn't a simple thing to do.)
    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
    --- Synchronet 3.21d-Linux NewsLink 1.2