Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Grouper and AD

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Grouper and AD


Chronological Thread 
  • From: THIA Jean-Marie <>
  • To: "" <>
  • Subject: RE: [grouper-users] Grouper and AD
  • Date: Fri, 13 Apr 2012 18:14:54 +0000
  • Accept-language: fr-FR, en-US
I don't have a deep knowledge of AD internal. For me, Kerberos is the unique password vault for AD, so there is only one password in the system. You can achieve this with openLdap and a Linux Kerberos package.
I don't know about radius but when dealing with AD you end up using kerb or NTLM.

Jean Marie
Envoyé depuis un mobile
De : Chris Hyzer
Envoyé : 13/04/2012 18:22
À : THIA Jean-Marie;
Objet : RE: [grouper-users] Grouper and AD

So is there a password in AD for each user and a password that Kerberos/radius uses for each user?  Or can a user/pass bind to AD happen where AD takes that user/pass and checks against Kerberos/radius so there is one password in the overall system?  We do this for openldap, but just curious if it is possible and someone has done this in AD… or do you standup an SSO password changer to use the SSO (Kerberos) password to be able to change one’s own AD password.

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of THIA Jean-Marie
Sent: Friday, April 13, 2012 3:20 AM
To:
Subject: RE: [grouper-users] Grouper and AD

 

Hi Chris,
For #1, it depends on your authN strategy. It might be helpful to consider AD as an LDAP directory that rely on Kerberos for the authentication mechanism.
So you can rely on Kerberos for SSO from your computer to your app our web app (works very well with IIS, SharePoint). Beside, you may also use CAS for web SSO as CAS can use SPNEGO / SSPI to get the Kerberos ticket (haven't  try that yet)
Hope that helped,
Jean Marie

Envoyé à partir de mon mobile

De : Rob Hebron
Envoyé : 12/04/2012 15:53
À :
Objet : Re: [grouper-users] Grouper and AD



On 12/04/12 14:40, Chris Hyzer wrote:
> Penn is planning to install and maintain a central Active Directory service.  A couple of questions:
>
> 1. Does anyone delegate the authentication to kerberos or radius?  How does that work?

For MIT kerberos these may be of interest:

http://projects.oucs.ox.ac.uk/maddox/MADDOX_Final_Report_v1.pdf
http://www.oucs.ox.ac.uk/services/iam/kerberos/ad-xrt-howto.xml

There are many pitfalls, not least that may applications that claim to
support AuthN to AD do not support Kerberos.


Rob


Archive powered by MHonArc 2.6.16.

Top of Page