We have a department that would like to use IPA, but would like users to use their University passwords.
I conjecture that we can do that by generating users with random passwords, but setting the default authentication as RADIUS, and using a RADIUS server that authenticates with the University using LDAP.
Does this sound workable?
On Thu, 31 Aug 2017, Charles Hedrick via FreeIPA-users wrote:
> We have a department that would like to use IPA, but would like users to use their University passwords.
> I conjecture that we can do that by generating users with random passwords, but setting the default authentication as RADIUS, and using a RADIUS server that authenticates with the University using LDAP.
> Does this sound workable?
This would only work for Kerberos and would require use of the 2FA feature, because we only support RADIUS-based authentication for Kerberos. In this case the Kerberos KDC needs to get access to the plain text of a password that will be forwarded to a RADIUS server, and that means it has to use a FAST channel (in Kerberos terms). So this would all work for SSSD on enrolled IPA clients starting with RHEL 7.0 or a similar version of CentOS (or Fedora 22+, if I recall correctly).
For LDAP binds this is not a supported configuration.
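The setup described in the reply above, sketched as an added example that is not part of the original thread or the FreeIPA project's own tooling. The proxy name, RADIUS host, user and ccache path are constructed placeholders; the script prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: per-user RADIUS proxy authentication in FreeIPA.
# All values below are constructed placeholders, not taken from the thread.
PROXY_NAME="${PROXY_NAME:-univ-radius}"            # hypothetical proxy object name
RADIUS_HOST="${RADIUS_HOST:-radius.example.edu}"   # placeholder RADIUS server
IPA_USER="${IPA_USER:-jdoe}"                       # placeholder IPA user
ARMOR_CCACHE="${ARMOR_CCACHE:-/tmp/armor.ccache}"  # placeholder armor ccache

# Accept only plain names, so a value can never be parsed as an option.
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dry run by default: print the command. Execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

configure_radius_auth() {
    for v in "$PROXY_NAME" "$RADIUS_HOST" "$IPA_USER"; do
        valid_name "$v" || { echo "invalid value: $v" >&2; return 1; }
    done
    # 1. Register the RADIUS server (needs an IPA admin ticket). The shared
    #    secret is left off the command line so the CLI prompts for it and
    #    it stays out of shell history and the process list.
    run ipa radiusproxy-add "$PROXY_NAME" --server="$RADIUS_HOST"
    # 2. Switch this one user to RADIUS instead of changing the global default.
    run ipa user-mod "$IPA_USER" --user-auth-type=radius \
        --radius="$PROXY_NAME" --radius-username="$IPA_USER"
    # 3. Check from an enrolled client, as root: the KDC only takes the
    #    password inside a FAST channel, so get an armor ccache from the
    #    host keytab first, then authenticate through it.
    run kinit -k -c "$ARMOR_CCACHE"
    run kinit -T "$ARMOR_CCACHE" "$IPA_USER"
    # LDAP simple binds are not covered: per the reply, only Kerberos
    # authentication is forwarded to RADIUS.
}

configure_radius_auth
```

On enrolled clients SSSD sets up the FAST armor itself; step 3 is only a manual check of the same path.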