LDAP with Kerberos

If Kerberos is configured in eDirectory as an authentication method, I am assuming that when a user puts in their password to iManager, UserApp or any other LDAP-based service, the LDAP server will see the login method, talk to the Kerberos server, retrieve the password locally, verify the password is correct and validate their LDAP authentication.

Is this correct? 

Or are we not able to log in to iManager via Kerberos or other services?


Micro Focus Expert

No, kerberized services are not provided with users' passwords. Instead, a user agent (e.g. browser or ldapsearch) will present the user's ticket granting ticket (TGT) to the Authentication Server (a part of the Kerberos KDC) to get a service ticket. Then that service ticket is sent to the application server during SASL authentication and verified by the application server.

The Identity Applications can be configured with Kerberos: https://www.netiq.com/documentation/identity-manager-48/identity_apps_admin/data/b1dizhf5.html

As far as I know there is no SSO support in iManager.

--
Norbert
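As an added illustration of the ticket flow described in this answer (example code added here, not from the thread or from NetIQ), the Python helper below reads a user's Kerberos ticket cache as printed by MIT `klist` and reports whether the cache holds a valid TGT and an `ldap/` service ticket, which is what a SASL/GSSAPI bind to the LDAP server relies on instead of a password. The `klist` text is a constructed sample, and its MM/DD/YYYY date format is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of MIT Kerberos `klist` output (not from a real system).
# The MM/DD/YYYY date format is an assumption; adjust FMT and TICKET_RE if
# your klist prints a locale-specific format.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2024 09:00:00  04/12/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/19/2024 09:00:00
04/12/2024 09:01:12  04/12/2024 19:00:00  ldap/ldap1.example.com@EXAMPLE.COM
"""

FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")


def parse_klist(text):
    """Return (default_principal, [(service, valid_from, expires), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)  # indented "renew until" lines do not match
        if m:
            tickets.append((m.group(3), datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT)))
    return principal, tickets


def ticket_for(tickets, service_prefix, now):
    """Return the service principal of an unexpired ticket whose name starts
    with service_prefix ('krbtgt/' for the TGT, 'ldap/' for an LDAP service
    ticket), or None if the client would first have to request one."""
    for service, valid_from, expires in tickets:
        if service.startswith(service_prefix) and valid_from <= now < expires:
            return service
    return None


def cache_state(text, now_str):
    """Summarise what a SASL/GSSAPI LDAP bind could rely on from this cache."""
    now = datetime.strptime(now_str, FMT)
    principal, tickets = parse_klist(text)
    return {"principal": principal,
            "tgt": ticket_for(tickets, "krbtgt/", now),
            "ldap_ticket": ticket_for(tickets, "ldap/", now)}
```

With a valid TGT but no `ldap/` entry, the client's GSSAPI layer would have to fetch the service ticket from the KDC before the bind; with no valid TGT, the user must obtain one (e.g. with `kinit`) and the password never reaches the LDAP server.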
Super Contributor.

Gotcha, I was watching a YouTube video that seemed to allude to additional functionality with the password.

So I am assuming that the Kerberos client or LDAP API would store the user's granting ticket. So if anybody were to go to another workstation, their client would have to be updated with their Kerberos granting ticket after authenticating, such as to AD.

Something like iManager would have to allow for reading the granting ticket, which I don't think it has for good reason.

I am assuming that UserApp does have the integration since you can change the method to Kerberos. The browser would need to be able to communicate with the Kerberos client for the granting key to be sent... is this right?

So in moving forward we need to consider which of the applications that authenticate into eDirectory allow GSSAPI with the client, so that the client can store the granting key. Does that sound right?
