[Fedora-directory-users] Single Sign On

Gordon May gordon.may at gmail.com
Tue Nov 14 15:25:27 UTC 2006 

David,

Thanks for all the info. When I say SSO I mean true SSO. User enters
name and password once and has access to everything for the rest of
the day. What I was thinking of was to use Kerberos as the password
database and FDS as the user info database (ie name, address, company,
etc) and thats why FDS will need to ask Kerberos if a user supplied
the proper credentials. I dont want any passwords stored in FDS that
way when a user changes there password it only needs to be done in one
place.

Last night I setup Kerberos and FDS SASL and everything seems to be
working fine. I also tried setting up the PAM Passthrough Plugin but
that failed. I might give it another try tonight. Its starting to look
like it might be more trouble then its worth though.

I've played with Phpldapadmin in the past but it not exactly the tool
I'm looking for. I'm looking for something which can manage Kerberos
and LDAP at the same time. I havent been able to find any such tool so
I guess i'll either have to customize phpldapadmin or start from
scratch.

Gordon



On 11/14/06, David Boreham <david_list at boreham.org> wrote:
> Gordon May wrote:
>
> > I was wondering if anyone can help me with setting up a single sign on
> > system. I want my users to be able to sign on once and have access to
> > all areas of our site. Ie Forum, wiki, Trac, SVN, etc. From what I've
> > read it looks like Kerberos will be needed for this.
>
> Hmm. What exactly do you mean by 'single sign on' ?
> Do you mean this : user approaches workstation, enters username and
> password. User then uses all the above apps for the remainder of
> the day without entering their username or password again.
>
> Or this: user uses various applications, supplying each with _the_same_
> username
> and password ? When they want to change their password, they only need
> change it in one place.
>
> If you are looking for the former then this is SSO, and it does
> require Kerberos. (In theory you can use other technologies
> such as smart cards, thumb readers, retinal scanners etc
> but for most folk today SSO means kerberos).
>
> The reason I'm not sure if you are looking for 'real' SSO
> is that in your list of applications above you include quite a
> few where the client is a web browser. This would mean
> that you'd need kerberos support in the browser and also
> in the web server. This is hard to find today. Microsoft
> products are the only widely deployed solution that I
> am aware of.
>
> If all you're after is to have one password and a central
> authentication service for multiple applications then that
> doesn't need Kerberos, just LDAP. In that case you just
> need to LDAP enable all your apps (web servers etc).
>
> > Is there a way to do this without Kerberos?
>
> If you want SSO then no.
>
> > Is there a single tool that I can use to manage user passwords and
> > FDS? Ie User account creation, deletion, updating, password resets, etc.
>
> Yes. There are many choices. Here are a few:
> The FDS console (Java app), also
> http://phpldapadmin.sourceforge.net/
> and
> http://www.jxplorer.org/
> there is a simple web app designed to support
> user self service administration shipped with FDS too.
>
> > How do I force FDS to ask Kerberos if a user's passwords is correct?
>
> Hmm...this does not sound like SSO because in that case
> the LDAP server would never see a Kerberos password.
> First, FDS supports kerberized LDAP. But that's probably
> not what you want (it allows SSO to the _LDAP_ service,
> but not to any other kerberized service---that would be
> done directly using kerberos without any LDAP involvement).
>
> With the FDS PAM plugin I believe it is possible to support what
> I call 'proxied kerberos' where the user supplies their kerberos
> password to a
> regular basic auth client (e.g. web browser). This may be what
> you are looking for. The password
> is passed through as plain text (with ssl protection) to the
> LDAP server which then gives it to PAM and finally to
> GSSAPI for validation. This can be done with FDS
> although it might require some work to get all the necessary parts
> put together.
>
> Note that if you only ever deploy 'proxied kerberos' (and no
> real kerberized services) then there's
> really little point because basic auth to the ldap service would be
> much easier to configure and use, and would be just as secure.
>
>
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

More information about the 389-users mailing list