February 26, 2015 at 12:15 pm #3221
I did an SSO with ForgeRock OpenAM and OpenID and now I want to integrate some Kerberos services.
I have a linux environment, with ubuntu server 14.04 and OpenLDAP.
I’d like to have authentication on OpenAM and then generate a Kerberos TGT.
I think that I can use a Post-Authentication module that exchanges information with the KDC, obtains the token and so on…
The problem is that I know the username but I can’t retrieve the user's password to execute the kinit command.
Veronica
February 26, 2015 at 12:22 pm #3222
Why reinvent the wheel? The “Windows Desktop SSO” module will work with Kerberos on Linux as well. The name might be deceiving, but the module uses the GSS-API, so it should work fine with any MIT Kerberos.
Cheers,
February 26, 2015 at 12:25 pm #3223
But with that module can I log in in the browser without changing all the other applications that I currently have in SSO?
Furthermore, where are tokens (tickets) stored?
Thanks for your reply
February 26, 2015 at 12:39 pm #3225
You can use a chain of modules if you like, i.e. have more than one module that must be passed successfully to be able to authenticate, or optionally succeed with only one module.
Did I get it right, you want to use an external Kerberos KDC to authenticate in OpenAM, not the other way around?
February 26, 2015 at 12:42 pm #3226
No, I want to log in to OpenAM and then obtain a Kerberos ticket.
The authentication should happen in OpenAM and Kerberos should trust ForgeRock and generate a ticket for the user without needing the password again (if OpenAM says that the user is authenticated, Kerberos accepts it).
February 26, 2015 at 12:48 pm #3227
Or better, is a token conversion from an OpenAM token to a Kerberos ticket possible?
Thanks again.
February 26, 2015 at 1:07 pm #3228
But you need to be authenticated in the KDC to obtain a ticket.
The way the WinSSO OpenAM Authentication Module works is by trusting that the KDC has already authenticated the user.
If the user is already authenticated in the KDC, then you don’t need to authenticate them; the WinSSO module will pass, and it will obtain the Kerberos ticket you need.
The SSO Token does not contain credentials, so you cannot obtain the password needed by the KDC to obtain a Kerberos ticket.
What are you trying to do?
February 26, 2015 at 1:43 pm #3229
Here is more info about how the WinSSO Module works in OpenAM:
February 26, 2015 at 2:24 pm #3231
Ok, I understand, but I need to know where the Kerberos tickets are stored (on the client machine or the KDC/OpenAM server) and if this ticket can be used by the client machine (for example for performing SSH).
Do you have more docs about this subject?
Thanks for your help
February 27, 2015 at 10:15 am #3246
I followed the guide that you sent me. The 401 error disappeared after the browser settings and I can log in to OpenAM. But I can’t access it with a user that is only present in the Kerberos DB (and not in OpenID).
Furthermore, I’d like to know where the Kerberos tickets are stored (on the client machine or the KDC/OpenAM server) and if this ticket can be used by the client machine (for example for performing SSH).
Veronica
February 27, 2015 at 3:13 pm #3260
Have you tried disabling the parameter “User Profile” Required in the “All Core Settings” of the Authentication tab for the realm? That will allow you to authenticate in OpenAM without needing to have a profile in OpenAM.
If you see the diagram I referred to, you will see:
6. The TGT obtained by the user’s browser is returned to the OpenAM.
7. OpenAM decrypts the TGT with the previously configured key
8. OpenAM Authenticates the user with the KDC/AD by using the Kerberos
So the module gets a TGT, because the browser negotiates the TGT with the KDC, and it gets inserted in the Authorization header. You can check the source code of the module, and read a little bit on how Kerberos works to see if you can implement what you want.
Or perhaps what you want is to create a PAM module on your Unix servers that is able to consume an OpenAM SSO Token instead, if what you want is SSH?
Cheers,
February 27, 2015 at 3:48 pm #3263
Yes, I disabled it but nothing changed.
I have already written a custom PAM module to use for Samba login (web Samba client), but I can’t do the same with SSH (not web).
Thanks for all your advice, I’ll try again and again :P
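The exchange Victor describes above (the browser negotiating with the KDC and placing the resulting ticket in the Authorization header) is what the WinSSO module consumes. As an added example that is not part of this thread or of OpenAM's own code, the Python below decodes a Negotiate header just far enough to list the GSS mechanisms the browser offered, which is a quick way to tell a real Kerberos token from an NTLM fallback when a WinSSO login fails; build_negotiate_header only constructs sample tokens for the demonstration and is an assumption, not a browser's real output.

```python
import base64

# DER-encoded OID bodies of the mechanisms a browser may offer in a SPNEGO token
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", NTLMSSP_OID: "ntlmssp"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def negotiate_mechs(header_value):
    """Mechanisms offered in 'Authorization: Negotiate <b64>', in the browser's preference order."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x60:                         # GSS-API InitialContextToken ([APPLICATION 0])
        raise ValueError("not a GSS-API token")
    tag, oid, pos = _read_tlv(body, 0)
    if oid == KRB5_OID:                     # bare Kerberos token, no SPNEGO wrapper
        return ["krb5"]
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("unknown GSS mechanism " + oid.hex())
    _, neg_init, _ = _read_tlv(body, pos)   # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init, 0)      # SEQUENCE
    _, ctx0, _ = _read_tlv(seq, 0)          # [0] mechTypes
    _, mech_list, _ = _read_tlv(ctx0, 0)    # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, mech, pos = _read_tlv(mech_list, pos)
        mechs.append(OID_NAMES.get(mech, mech.hex()))
    return mechs


def _der(tag, content):                     # short-form length is enough for the samples
    return bytes([tag, len(content)]) + content


def build_negotiate_header(mech_oids):
    """Constructed sample header (assumption): a NegTokenInit offering mech_oids, no mechToken."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    token = _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()
```

If the first mechanism listed is ntlmssp rather than krb5, the browser had no usable Kerberos ticket for the OpenAM service principal, so the WinSSO module cannot succeed regardless of its configuration.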