grouper-users - RE: [grouper-users] Grouper and AD

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: THIA Jean-Marie <>, "" <>
  • Subject: RE: [grouper-users] Grouper and AD
  • Date: Fri, 13 Apr 2012 16:22:27 +0000
  • Accept-language: en-US

So is there a password in AD for each user and a password that Kerberos/RADIUS uses for each user? Or can a user/pass bind to AD happen where AD takes that user/pass and checks against Kerberos/RADIUS, so there is one password in the overall system? We do this for OpenLDAP, but I'm just curious if it is possible and whether someone has done this in AD… or do you stand up an SSO password changer to use the SSO (Kerberos) password to be able to change one's own AD password?

Thanks,

Chris

 

From: [mailto:] On Behalf Of THIA Jean-Marie
Sent: Friday, April 13, 2012 3:20 AM
To:
Subject: RE: [grouper-users] Grouper and AD

 

Hi Chris,
For #1, it depends on your authN strategy. It might be helpful to consider AD as an LDAP directory that relies on Kerberos for the authentication mechanism.
So you can rely on Kerberos for SSO from your computer to your app or web app (works very well with IIS, SharePoint). Besides, you may also use CAS for web SSO, as CAS can use SPNEGO / SSPI to get the Kerberos ticket (haven't tried that yet).
Hope that helped,
Jean Marie

Sent from my mobile


From: Rob Hebron
Sent: 12/04/2012 15:53
To:
Subject: Re: [grouper-users] Grouper and AD



On 12/04/12 14:40, Chris Hyzer wrote:
> Penn is planning to install and maintain a central Active Directory service.  A couple of questions:
>
> 1. Does anyone delegate the authentication to kerberos or radius?  How does that work?

For MIT kerberos these may be of interest:

http://projects.oucs.ox.ac.uk/maddox/MADDOX_Final_Report_v1.pdf
http://www.oucs.ox.ac.uk/services/iam/kerberos/ad-xrt-howto.xml

There are many pitfalls, not least that many applications that claim to
support AuthN to AD do not support Kerberos.


Rob



