[Fedora-directory-users] Single Sign On

David Boreham david_list at boreham.org
Tue Nov 14 14:18:14 UTC 2006 

Gordon May wrote:

> I was wondering if anyone can help me with setting up a single sign on 
> system. I want my users to be able to sign on once and have access to 
> all areas of our site. Ie Forum, wiki, Trac, SVN, etc. From what I've 
> read it looks like Kerberos will be needed for this.

Hmm. What exactly do you mean by 'single sign on' ?
Do you mean this : user approaches workstation, enters username and
password. User then uses all the above apps for the remainder of
the day without entering their username or password again.

Or this: user uses various applications, supplying each with _the_same_ 
username
and password ? When they want to change their password, they only need
change it in one place.

If you are looking for the former then this is SSO, and it does
require Kerberos. (In theory you can use other technologies
such as smart cards, thumb readers, retinal scanners etc
but for most folk today SSO means kerberos).

The reason I'm not sure if you are looking for 'real' SSO
is that in your list of applications above you include quite a
few where the client is a web browser. This would mean
that you'd need kerberos support in the browser and also
in the web server. This is hard to find today. Microsoft
products are the only widely deployed solution that I
am aware of.

If all you're after is to have one password and a central
authentication service for multiple applications then that
doesn't need Kerberos, just LDAP. In that case you just
need to LDAP enable all your apps (web servers etc).

> Is there a way to do this without Kerberos?

If you want SSO then no.

> Is there a single tool that I can use to manage user passwords and 
> FDS? Ie User account creation, deletion, updating, password resets, etc.

Yes. There are many choices. Here are a few:
The FDS console (Java app), also
http://phpldapadmin.sourceforge.net/
and
http://www.jxplorer.org/
there is a simple web app designed to support
user self service administration shipped with FDS too.

> How do I force FDS to ask Kerberos if a user's passwords is correct?

Hmm...this does not sound like SSO because in that case
the LDAP server would never see a Kerberos password.
First, FDS supports kerberized LDAP. But that's probably
not what you want (it allows SSO to the _LDAP_ service,
but not to any other kerberized service---that would be
done directly using kerberos without any LDAP involvement).

With the FDS PAM plugin I believe it is possible to support what
I call 'proxied kerberos' where the user supplies their kerberos 
password to a
regular basic auth client (e.g. web browser). This may be what
you are looking for. The password
is passed through as plain text (with ssl protection) to the
LDAP server which then gives it to PAM and finally to
GSSAPI for validation. This can be done with FDS
although it might require some work to get all the necessary parts
put together.

Note that if you only ever deploy 'proxied kerberos' (and no
real kerberized services) then there's
really little point because basic auth to the ldap service would be
much easier to configure and use, and would be just as secure.

More information about the 389-users mailing list