Full-blown Authentication System

In the next few blog posts I would like to explain how you can set up a full-blown authentication system. Some information on this is available, but much of it is outdated and scattered all over the Internet.

For this setup I will use:

  • MITv5 Kerberos
  • OpenLDAPv3
  • FreeRADIUS
  • Ubuntu 11.10

Kerberos will be used to authenticate the users. OpenLDAP serves as the Kerberos principal database (the KDC's backend) and also stores extra information about each user. Since many web portals and other tools do not support Kerberos authentication, LDAP will be used for those as well. RADIUS will allow users to log in to switches and routers using their Kerberos principals. The LDAP and Kerberos databases will be replicated (or "propagated", as it is called for Kerberos) to a second server for failover purposes.
The following architectural drawing should make this clearer:

[authentication systems architecture][1]

I divided the ‘tutorial’ into seven main steps, which are:

  1. [Installation and basic configuration of OpenLDAP and MITv5 Kerberos][2]
  2. [Linking OpenLDAP with MITv5 Kerberos][3]
  3. [Linking FreeRADIUS][4]
  4. [Replication][5]
  5. [Hardening your setup][6]
  6. [Configure your clients][7]
  7. [Varia][8]