
I am currently building a system where I would like to deploy Kerberos. However, my external constraints on the user management do not allow me to authenticate the users against Kerberos itself. I do have to authenticate the users against a third-party LDAP server and I cannot read the passwords from that.

I do, however, get the answer whether the authentication was successful or not. I would now like to automatically grant those users a Kerberos ticket for their principal if this authentication is successful. Is there any way that Kerberos can be set up to authenticate the password passed to it via SASL against a third party?

One solution I possibly see is to create keytab files in the users' home directories which are automatically used by an init script to acquire Kerberos tickets. However, I see a potential for misuse of these keytab files and would prefer a password-based alternative.

Blackclaws

1 Answer

What you want to do is to separate the Ticket Granting Server and the Authentication Server. It is theoretically possible, but there seems to be no implementation. This question was already answered here:

Kerberos: Separating AS and TGS

What should be possible is to do Kerberos Cross Realm Authentication. Perhaps this could help you!?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html