Tagged: kerberos, kinit, openam, post-authentication
This topic has 11 replies, 2 voices, and was last updated 7 years, 2 months ago by Skeggy88.
February 26, 2015 at 12:15 pm #3221
Skeggy88
Hi everyone,
I set up SSO with ForgeRock OpenAM and OpenID, and now I want to integrate some Kerberos services.
I have a Linux environment with Ubuntu Server 14.04 and OpenLDAP. I'd like to authenticate on OpenAM and then generate a Kerberos TGT.
I think I can use a post-authentication module that exchanges information with the KDC, obtains the token, and so on…
The problem is that I know the username, but I can't retrieve the user's password to run the kinit command.
Any suggestions?
Thanks,
Veronica

February 26, 2015 at 12:22 pm #3222
Victor Ake
Veronica,
Why reinvent the wheel? The “Windows Desktop SSO” module will work with Kerberos on Linux as well. The name might be misleading, but the module uses the GSS-API, so it should work fine with any MIT Kerberos.
Cheers,

February 26, 2015 at 12:25 pm #3223
Skeggy88
But with that module, can I log in from the browser without changing all the other applications I currently have in SSO?
Furthermore, where are the tokens (tickets) stored?
Thanks for your reply.

February 26, 2015 at 12:39 pm #3225
Victor Ake
You can use a chain of modules if you like, i.e. require more than one module to pass successfully in order to authenticate, or optionally succeed with only one module.
Did I get it right: you want to use an external Kerberos KDC to authenticate to OpenAM, not the other way around?

February 26, 2015 at 12:42 pm #3226
Skeggy88
No, I want to log in to OpenAM and then obtain a Kerberos ticket.
The authentication should happen in OpenAM, and Kerberos should trust ForgeRock and generate a ticket for the user without needing the password again (if OpenAM says that the user is authenticated, Kerberos accepts it).

February 26, 2015 at 12:48 pm #3227
Skeggy88
Or better, is a token conversion from an OpenAM token to a Kerberos ticket possible?
Thanks again.

February 26, 2015 at 1:07 pm #3228
Victor Ake
But you need to be authenticated to the KDC to obtain a ticket.
The way the WinSSO OpenAM authentication module works is by trusting that the KDC has already authenticated the user.
If the user is already authenticated to the KDC, then you don't need to authenticate them; the WinSSO module will pass, and it will obtain the Kerberos ticket you need.
The SSO token does not contain credentials, so you cannot obtain the password needed by the KDC to obtain a Kerberos ticket.
What are you trying to do?

February 26, 2015 at 1:43 pm #3229
Victor Ake
Here is more info about how the WinSSO module works in OpenAM:
https://wikis.forgerock.org/confluence/display/openam/How+does+OpenAM+work+with+Windows+Desktop+SSO

February 26, 2015 at 2:24 pm #3231
Skeggy88
OK, I understand, but I need to know where the Kerberos tickets are stored (on the client machine or on the KDC/OpenAM server) and whether this ticket can be used by the client machine (for example to perform SSH).
Do you have more docs about this subject?
Thanks for your help

February 27, 2015 at 10:15 am #3246
Skeggy88
I followed the guide you sent me. The 401 error disappeared after the browser settings, and I can log in to OpenAM. But I can't get access with a user that is only present in the Kerberos DB (and not in OpenID).
Furthermore, I'd like to know where the Kerberos tickets are stored (on the client machine or on the KDC/OpenAM server) and whether this ticket can be used by the client machine (for example to perform SSH).
Thanks,
Veronica

February 27, 2015 at 3:13 pm #3260
Victor Ake
Have you tried disabling the “User Profile” Required setting in the “All Core Settings” of the Authentication tab for the realm? That will allow you to authenticate to OpenAM without needing a profile in OpenAM.
If you look at the diagram I referred to, you will see:
6. The TGT obtained by the user's browser is returned to OpenAM.
7. OpenAM decrypts the TGT with the previously configured key.
8. OpenAM authenticates the user with the KDC/AD by using the decrypted Kerberos ticket.
So the module gets a TGT, because the browser negotiates the TGT with the KDC, and it gets inserted in the Authorization header. You can check the source code of the module, and read a bit about how Kerberos works, to see if you can implement what you want.
Or perhaps what you want is to create a PAM module on your Unix servers that is able to consume an OpenAM SSO token instead, if what you want is SSH?
Cheers,
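Step 6 above is the part worth checking when the WinSSO module rejects a login or keeps answering 401: the browser sends a GSS-API token in the `Authorization: Negotiate` header, and the module (via GSS-API) can only consume it if it actually carries a Kerberos service ticket for OpenAM's HTTP/ principal. When a Windows browser cannot get such a ticket it silently offers NTLM inside the same SPNEGO wrapper instead, which a Kerberos-only acceptor cannot use. The following is an added Python example, not OpenAM's or ForgeRock's code: it decodes the outer GSS-API/SPNEGO structure (RFC 2743 initial context token, RFC 4178 NegTokenInit) and reports which mechanisms the client offered and whether Kerberos is the preferred one. The sample headers are constructed in the block; the Kerberos mechToken inside them is a placeholder, not a real AP-REQ, and nothing here decrypts a ticket (that needs the service keytab and the KDC, exactly as described in steps 7 and 8).

```python
"""Classify an HTTP `Authorization: Negotiate <base64>` header.

Added example for the thread above; not OpenAM code. Pure standard library.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"        # MIT Kerberos V5 mechanism
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"   # NTLM mechanism as used in SPNEGO
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"       # raw NTLM messages start with this


# --- minimal DER encode (only used to build the constructed sample tokens) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


# --- minimal DER decode ---
def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate(header_value):
    """Report what the client put in the Negotiate header, without touching the KDC."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):          # bare NTLM, no GSS-API wrapper
        return {"kind": "ntlm-raw", "mechs": [OID_NTLMSSP], "kerberos_preferred": False}
    if token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    _, inner, _ = read_tlv(token, 0)
    tag, oid_bytes, pos = read_tlv(inner, 0)          # thisMech OID comes first
    if tag != 0x06:
        raise ValueError("missing thisMech OID")
    thismech = decode_oid(oid_bytes)
    if thismech in (OID_KRB5, OID_MS_KRB5):           # raw Kerberos, no SPNEGO
        return {"kind": "kerberos", "mechs": [thismech], "kerberos_preferred": True}
    if thismech != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [thismech], "kerberos_preferred": False}
    # SPNEGO: NegotiationToken CHOICE, negTokenInit is [0] -> SEQUENCE of fields
    tag, neg_init, _ = read_tlv(inner, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, fields, _ = read_tlv(neg_init, 0)
    mechs, p = [], 0
    while p < len(fields):                            # mechTypes [0], reqFlags [1], mechToken [2], mechListMIC [3]
        ftag, fval, p = read_tlv(fields, p)
        if ftag == 0xA0:                              # mechTypes: SEQUENCE OF OID, preferred first
            _, mech_seq, _ = read_tlv(fval, 0)
            q = 0
            while q < len(mech_seq):
                _, oval, q = read_tlv(mech_seq, q)
                mechs.append(decode_oid(oval))
    preferred = bool(mechs) and mechs[0] in (OID_KRB5, OID_MS_KRB5)
    return {"kind": "spnego", "mechs": mechs, "kerberos_preferred": preferred}


def build_spnego_token(mechs, mech_token=b""):
    """Constructed NegTokenInit; mech_token is a placeholder, not a real AP-REQ."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, fields)))


def sample_headers():
    """Constructed headers (not captured from a real browser) for the three cases."""
    def hdr(tok):
        return "Negotiate " + base64.b64encode(tok).decode()
    return {
        "kerberos": hdr(build_spnego_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x01\x02")),
        "ntlm_in_spnego": hdr(build_spnego_token([OID_NTLMSSP], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")),
        "ntlm_raw": hdr(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),
    }


if __name__ == "__main__":
    for name, header in sample_headers().items():
        print(name, classify_negotiate(header))
```

Point `classify_negotiate` at the header value the browser sends to OpenAM (copied from the browser's developer tools or a proxy). A result where `mechs` is just the NTLM OID means the client never obtained a service ticket for the HTTP/ principal OpenAM is running under, so the problem is on the client/KDC side (SPN or trusted-site configuration), not in the module; `kerberos_preferred` True means the module is at least being handed a Kerberos token and the keytab and principal on the OpenAM side are the next thing to check.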

February 27, 2015 at 3:48 pm #3263
Skeggy88
Yes, I disabled it, but nothing changed.
I have already written a custom PAM module to use for Samba login (web Samba client), but I can't do the same with SSH (not web).
Thanks for all your advice, I'll try again and again :P
Bye,
Veronica