Single sign-on infrastructure (FC5 wish)

Bernardo Innocenti bernie at develer.com
Sat Jun 18 07:44:32 UTC 2005


Mike MacCana wrote:
> Bernardo Innocenti wrote:
> 
>> - Heimdal's KDC, configured with the LDAP backend.
>>   Heimdal can use NT password hashes as kerberos
>>   authentication info.
>>  
>>
> As of right now, krb5_workstation can authenticate Linux against AD in
> exactly the same manner as Windows 2000, XP and 2003 clients - using
> Kerberos over TCP for long requests, and weird MS specific encryption
> types. All the stuff that MS did to Kerberos is now doable on Unix.

The thing is, Samba does not yet support acting as an ADS DC,
and I don't have (or want) a W2K domain controller in my
network :-)

Being able to use sambaSamAccount information in Heimdal
is very useful: otherwise I'd have to create separate
krb5 principals for all users and use hacky scripts to
keep passwords in sync between POSIX, Samba and Kerberos.


>> - hacked Firefox configuration on all clients to
>>   enable negotiate-auth for https;
>>
> Surprised firefox doesn't support kerberos through GSSAPI or similar as
> is. I thought the version in RHEL 4 did - there was a big Kerberos push
> for RHEL 4 - are you sure?

I didn't rebuild Firefox, I just hacked prefs.js to set:

 user_pref("network.negotiate-auth.delegation-uris", "http://, https://");
 user_pref("network.negotiate-auth.trusted-uris", "http://, https://");

IIRC, Mozilla shipped with FC3 doesn't support it.
Only Firefox does.  But who's still using Mozilla anyway?


>> - I can't get anything to work for Windows 2000 and XP
>>   clients. That would require more integration between
>>   Samba and Heimdal, and perhaps full ADS support.
>>   Hopefully Samba 4 will solve this.
>>
> Yep.

Well, I fear Samba 4 will try to act as an LDAP + KDC
to fulfill AD requirements, but without actually using
the real LDAP and Kerberos servers as backends.


>> - Some web applications want their own user database
>>   (notably Bugzilla, Mailman and MoinMoin);
>>  
>>
> A krb5 authing, LDAP using Bugzilla would be great.

New versions of Bugzilla can use LDAP for authentication,
but users must still be created in the MySQL database.
(BTW, it doesn't even work automatically once LDAP is
enabled).

 
>> - I couldn't get password-less IMAP to work with
>>   courier-imap because of limited SASL support.
>>  
>>
> Dovecot supports krb5 IIRC.

Last time I checked it, Dovecot was very simple
and lacked many features I needed.  I shall try
it again, thanks!


>> - NFSv4 with GSSAPI authentication.  Many patches from
>>   CITI are still missing in the kernel and in userland.
>>   I found it extremely difficult to get reliable NFS
>>   operation with NFSv4 (but it was two months ago, the
>>   situation may have improved in the meantime);
>>  
>>
> Haven't played with this. Have you tried AFS? It's a neater protocol and
> has a few large implementations (eg, CSFB) using it on Red Hat like
> systems.

I've played with Arla, but got scared by the apparent
complexity of the server-side installation.
A kernel-based server is also missing, which could make
it too slow as an NFS replacement.

These are, of course, just my assumptions.  Reality may
differ :-)


>> - Integrated management tools.  I've currently settled
>>   with a combination of phpLdapAdmin, ldapvi and
>>   smb-ldaptools, all of which aren't exactly as simple
>>   and quick as traditional UNIX tools (useradd, passwd,
>>   vipw...);
>>
> jXplorer from CA is Open Source, good, and may well build on a free java
> stack. It's already on the FC5future area of the wiki.

Thank you!  Right now I can't get the installer to work
with either GCJ's VM or Sun's Java 1.5.1 for x86_64.

I'll try harder because I badly need a GUI replacement
for phpLdapAdmin.  Using web interfaces is always very
slow and uncomfortable, even when every effort has been
made to make them more usable.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/
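The prefs.js lines quoted in the mail above are worth a second look from a security angle: a bare scheme entry such as "https://" in network.negotiate-auth.trusted-uris tells Firefox to answer a Negotiate challenge from any site on that scheme, and the same entry in network.negotiate-auth.delegation-uris lets any such site receive the user's forwarded Kerberos credentials. The script below is an added example (not code from the mail or from the Fedora or Mozilla projects): it parses user_pref() lines of that shape, flags entries that match every site, and emits a replacement scoped to one domain suffix. The sample prefs.js content is constructed, the domain ".intranet.example" is a placeholder, and the checker only models the bare-scheme case; it does not reproduce Firefox's full URI matching rules, which you should confirm for your Firefox version before relying on a domain-suffix entry.

```python
"""
Audit Firefox Negotiate (SPNEGO/Kerberos) prefs for over-broad scopes.

Added example, not from the original mail. It parses user_pref() lines
of the kind shown in the mail, flags list entries that are bare scheme
prefixes ("http://", "https://"), which match every site on that scheme,
and builds a hardened replacement restricted to one intranet domain.
The domain ".intranet.example" is a placeholder, not a real host.
"""
import re

PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)

# Matches lines of the form: user_pref("name", "value");
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')

# Constructed sample: the two settings from the mail plus one unrelated pref.
SAMPLE_PREFS_JS = """\
user_pref("network.negotiate-auth.delegation-uris", "http://, https://");
user_pref("network.negotiate-auth.trusted-uris", "http://, https://");
user_pref("browser.startup.homepage", "https://intranet.example/");
"""


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def split_uri_list(value):
    """Split a comma-separated Firefox URI list, dropping empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_bare_scheme(entry):
    """True for 'http://' or 'https://' with no host part: matches any site."""
    return entry in ("http://", "https://")


def find_overbroad(prefs):
    """Return {pref_name: [entries matching every site]} for the Negotiate prefs."""
    findings = {}
    for name in PREFS:
        broad = [e for e in split_uri_list(prefs.get(name, "")) if is_bare_scheme(e)]
        if broad:
            findings[name] = broad
    return findings


def hardened_prefs(domain, allow_delegation):
    """Build replacement prefs scoped to one domain suffix (assumed form).

    trusted-uris: only hosts under `domain` get a Negotiate response.
    delegation-uris: credential forwarding is the more dangerous of the
    two, so it is left empty unless explicitly allowed.
    """
    deleg = domain if allow_delegation else ""
    lines = [
        'user_pref("network.negotiate-auth.trusted-uris", "%s");' % domain,
        'user_pref("network.negotiate-auth.delegation-uris", "%s");' % deleg,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_overbroad(parse_prefs(SAMPLE_PREFS_JS))
    for name, entries in found.items():
        print("%s matches every site via: %s" % (name, ", ".join(entries)))
    print(hardened_prefs(".intranet.example", allow_delegation=False))
```

Run it against a real profile with `parse_prefs(open(path).read())` in place of the constructed sample; the output of `hardened_prefs` can be dropped into user.js, which Firefox reads on startup and which survives prefs.js being rewritten.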
