authenticate user via ldap bind
https://www.rocksolidbbs.com/devel/article-flat.php?id=366&group=comp.protocols.kerberos#366

From: alexjl2@thenode.info
Newsgroups: comp.protocols.kerberos
Subject: authenticate user via ldap bind
Date: Mon, 29 May 2023 12:38:58 +0300
Organization: TNet Consulting
Lines: 17
Message-ID: <mailman.83.1685353148.1964.kerberos@mit.edu>
References: <8734baf3-fb80-baad-01b6-b214907813b1@thenode.info>
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

Hi list,

Recently the need arose in our institution to set up a Kerberos infrastructure so that
users can log in on Windows machines using their institutional credentials. From what I
remember though from an MIT KDC deployment I did many years ago, I had to have the user
passwords in cleartext in order to create the Kerberos principals.

In this instance, user passwords are stored in our LDAP server (OpenLDAP), hashed. All our
services currently validate user credentials by attempting an LDAP bind, either directly or
via another protocol implementation (Shibboleth IdP, FreeRADIUS, Keycloak, etc.).

So my question is: is there a way to implement Kerberos without knowledge of the plaintext
passwords, or do we have to somehow capture the credentials during users' login to other
services and then sync them to the KDC DB?

Thanks,
John
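The mismatch John describes, as an added illustration that is not part of the original post: an OpenLDAP {SSHA} userPassword can only be verified by a bind (SHA-1 over password plus stored salt), while a Kerberos AES long-term key is derived by the RFC 3962 string-to-key from the plaintext password and a salt built from the realm and principal name. The block below (my own code, standard library only) reproduces the PBKDF2 stage of that derivation against the RFC 3962 Appendix B test vector; the final DK(tkey, "kerberos") AES step and the {SSHA} salt value are the only things assumed or omitted.

```python
import base64
import hashlib


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} storage form: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """What a simple LDAP bind does server-side: match or no match, nothing else."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def krb5_aes_sha1_tkey(password: str, realm: str, principal: str,
                       iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96.

    The default salt is the realm followed by the principal's name components
    with no separator, e.g. "ATHENA.MIT.EDUraeburn" for raeburn@ATHENA.MIT.EDU.
    The KDC then applies DK(tkey, "kerberos"), an AES step omitted here. The
    input is the plaintext password plus a Kerberos-specific salt, which is
    exactly what an LDAP hash cannot provide.
    """
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)


def demo() -> dict:
    # Constructed sample entry; the 4-byte salt is arbitrary, not a real value.
    stored = ssha_hash("password", salt=b"\x01\x02\x03\x04")
    vector = krb5_aes_sha1_tkey("password", "ATHENA.MIT.EDU", "raeburn",
                                iterations=1)
    other = krb5_aes_sha1_tkey("password", "EXAMPLE.ORG", "raeburn",
                               iterations=1)
    return {
        "ldap_bind_ok": ssha_verify(stored, "password"),
        "ldap_bind_wrong": ssha_verify(stored, "Password"),
        # RFC 3962 Appendix B, iteration count 1, 256-bit PBKDF2 output
        "rfc3962_tkey": vector.hex(),
        # Same password, different realm: different key. The LDAP hash has no
        # notion of realm or principal, so it cannot be converted after the fact.
        "other_realm_differs": vector != other,
    }
```

Running `demo()` shows a successful and a failed bind check side by side with the RFC vector; the Kerberos key depends on the realm and principal, so nothing derivable from the {SSHA} value can stand in for the password at principal-creation time.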
