LDAP with Kerberos
If Kerberos is configured in eDirectory as an authentication method, I am assuming that when a user puts in their password to iManager or UserApp or any other LDAP-based service, the LDAP server will see the login method, talk to the Kerberos server, retrieve the password locally, verify the password is correct and validate their LDAP authentication.
Is this correct?
Or are we not able to log in to iManager via Kerberos or other services?
No, kerberized services are not provided with users' passwords. Instead, a user agent (e.g. browser or ldapsearch) will present the user's ticket granting ticket (TGT) to the Authentication Server (a part of the Kerberos KDC) to get a service ticket. Then that service ticket is sent to the application server during SASL authentication and verified by the application server.
The Identity Applications can be configured with Kerberos: https://www.netiq.com/documentation/identity-manager-48/identity_apps_admin/data/b1dizhf5.html
As far as I know there is no SSO support in iManager.
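To make the flow in the answer concrete, here is an added example (not code from this thread, eDirectory or the Identity Applications) that models the three exchanges end to end: the client obtains a TGT from the AS, trades it for a service ticket at the TGS, and presents that ticket to an LDAP server during SASL/GSSAPI. The point it demonstrates is the one made above: the user's password is only ever used on the client to derive a key, and the LDAP server authenticates the user with nothing but its own keytab key. The realm, principal names and the HMAC-SHA256 "seal" construction standing in for Kerberos encryption types are all assumptions of the example, not real Kerberos or eDirectory behaviour.

```python
"""Toy model of the Kerberos ticket flow: AS exchange, TGS exchange, then
SASL/GSSAPI to an LDAP server. Added example, not code from the thread or from
eDirectory. The crypto is a deliberately simple HMAC-SHA256 construction standing
in for Kerberos encryption types (assumption, not the real protocol encoding)."""
import hashlib, hmac, json, os, time

def string2key(password: str, salt: str) -> bytes:
    # Long-term key derived from the password; only the client and the KDC can compute it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (encrypt-then-MAC) of a JSON object."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server + Ticket Granting Server; holds every principal's long-term key."""
    def __init__(self, realm: str):
        self.realm, self.keys, self.krbtgt = realm, {}, os.urandom(32)
    def enroll(self, principal: str, password: str):
        self.keys[principal] = string2key(password, self.realm + principal)
    def as_exchange(self, principal: str):
        # AS-REQ carries only the name; the reply is a TGT sealed to krbtgt plus the
        # TGT session key sealed to the user's long-term key. No password crosses the wire.
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"cname": principal, "sk": sk, "exp": time.time() + 600})
        return tgt, seal(self.keys[principal], {"sk": sk})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.krbtgt, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"] or t["exp"] < time.time():
            raise ValueError("bad TGT or authenticator")
        ssk = os.urandom(32).hex()
        st = seal(self.keys[service], {"cname": t["cname"], "sk": ssk, "exp": time.time() + 600})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

class Client:
    """User agent (browser, ldapsearch): the only party that ever touches the password."""
    def __init__(self, principal: str, password: str, realm: str):
        self.principal = principal
        self.ltk = string2key(password, realm + principal)
        self.tgt = self.tgt_sk = None
    def kinit(self, kdc: KDC):
        self.tgt, enc = kdc.as_exchange(self.principal)
        self.tgt_sk = bytes.fromhex(unseal(self.ltk, enc)["sk"])  # wrong password fails here
    def get_service_ticket(self, kdc: KDC, service: str):
        auth = seal(self.tgt_sk, {"cname": self.principal, "ts": time.time()})
        st, enc = kdc.tgs_exchange(self.tgt, auth, service)
        return st, bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])
    def ap_req(self, st: bytes, ssk: bytes):
        return st, seal(ssk, {"cname": self.principal, "ts": time.time()})

class LdapServer:
    """Kerberized service: holds only its own key (keytab), never user passwords."""
    def __init__(self, name: str, password: str, realm: str):
        self.name, self.key = name, string2key(password, realm + name)
    def sasl_gssapi_accept(self, st: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, st)  # decrypting with our own key proves the KDC issued it
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"] or t["exp"] < time.time() or abs(a["ts"] - time.time()) > 300:
            raise ValueError("GSSAPI authentication failed")
        return t["cname"]  # authenticated principal, to be mapped to an eDirectory user

def run_exchange(password: str = "correct horse", kinit_password=None) -> str:
    """Full flow for user 'alice' against 'ldap/ldap.example.com' (constructed names)."""
    realm, svc = "EXAMPLE.COM", "ldap/ldap.example.com"
    kdc = KDC(realm)
    kdc.enroll("alice", password)
    kdc.enroll(svc, "service-keytab-secret")
    ldap = LdapServer(svc, "service-keytab-secret", realm)
    client = Client("alice", kinit_password or password, realm)
    client.kinit(kdc)
    st, ssk = client.get_service_ticket(kdc, svc)
    return ldap.sasl_gssapi_accept(*client.ap_req(st, ssk))

def wrong_password_rejected() -> bool:
    """A wrong password fails at kinit (client cannot unseal the AS reply), never at the service."""
    try:
        run_exchange(kinit_password="wrong")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_exchange(), wrong_password_rejected())
```

Note where the two checks happen: a wrong password is detected on the client when it cannot decrypt the AS reply, and the LDAP server's only inputs are the ticket (decryptable solely with its keytab key) and the authenticator. Against a real KDC the same sequence is `kinit alice` followed by `ldapsearch -Y GSSAPI ...`, with the TGT living in the client's credential cache, which is why the ticket has to be present on whatever workstation the browser or LDAP client runs on.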
Gotcha, I was watching a YouTube video that seemed to allude to additional functionality with the password.
So I am assuming that the Kerberos client or LDAP API would store the user's granting ticket. So if anybody were to go to another workstation, their client would have to be updated with their Kerberos granting ticket after authenticating, such as to AD.
Something like iManager would have to allow for reading the granting ticket, which I don't think it has, for good reason.
I am assuming that UserApp does have the integration, since you can change the method to Kerberos. The browser would need to be able to communicate with the Kerberos client for the granting key to be sent... is this right?
So in moving forward we need to consider all of the applications that authenticate into eDirectory and whether they allow GSSAPI with the client, for the client to store the granting key. Does that sound right?