
BLU Discuss list archive



Single-signon (Subversion, Apache etc)



Hi Greg,

I think you're a bit mixed up.

> So, what do people use?
> 
> * Active Directory
> * Apache Directory http://directory.apache.org/
> * Kerberos, LDAP, NTP, DNS and Samba

Active Directory is the Microsoft solution for SSO, and it incorporates an
LDAP server, Kerberos and DNS.  So it's not as if you choose to use either
LDAP or AD, since AD has some sort of LDAP baked right in.

The Apache Directory server is just another LDAP server implementation.
It's a competitor to OpenLDAP, 389 Directory Server (the successor to
Fedora DS which was the successor to Red Hat DS which was derived from
Netscape DS), etc.  Novell and Sun both have LDAP servers too.  There are
others.

Samba is just a file serving product and doesn't have anything to do with
SSO per se.  You can just as easily drop in NFS/AFS/AFP/etc depending on
what your requirements are.

Generally speaking, most of the SSO products use an LDAP server to store
user account data and then use Kerberos to do the actual authentication.
You can put the user's password in the LDAP server, and then your services
would all auth against LDAP.  There are pros and cons to that approach.

Kerberos lets your user auth once and get a "ticket granting ticket" that
lets them auth against other services without re-entering their password.
It's heavily dependent on the machines having the correct time, so an NTP
server is a common component in SSO products.

DNS is also frequently bundled in, since Kerberos is finicky about
hostnames and reverse DNS, and you can publish information about your LDAP
and Kerberos servers in DNS for the clients to discover.

I evaluated a few SSO solutions about a year ago, and it seemed like some
variation of the above services was how most of them were implemented.

> * freeIPA (http://freeipa.org/page/Main_Page) which packages Fedora,
> Fedora Directory Server, Kerberos, NTP, DNS

This is what I ended up running.  More in another email.

-ben

--
it is important to use your hands; this is what distinguishes you from a
cow or a computer operator.                                  <paul rand>
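
Added example, not part of the original message: a small preflight check for the three things the reply says Kerberos depends on (SRV records for discovery, matching forward and reverse DNS, and clock agreement). The realm, hostnames, addresses and timestamps are constructed sample data, and the 300-second limit is the MIT Kerberos default clockskew.

```python
# Constructed sample data: zone-file style records for a hypothetical example.com realm.
SRV_ZONE = """\
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 10 100 88 kdc2.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 ldap1.example.com.
"""
A_RECORDS = {"kdc1.example.com.": "192.0.2.10", "kdc2.example.com.": "192.0.2.11",
             "ldap1.example.com.": "192.0.2.20"}
PTR_RECORDS = {"192.0.2.10": "kdc1.example.com.", "192.0.2.11": "oldbox.example.com.",
               "192.0.2.20": "ldap1.example.com."}
MAX_SKEW = 300  # seconds; default clockskew tolerance in MIT Kerberos


def parse_srv(zone):
    """Return {service name: [(priority, weight, port, target), ...]}, best first."""
    out = {}
    for line in zone.splitlines():
        f = line.split()
        if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
            continue  # skip anything that is not a complete SRV record
        out.setdefault(f[0], []).append((int(f[4]), int(f[5]), int(f[6]), f[7]))
    for recs in out.values():
        recs.sort(key=lambda r: (r[0], -r[1]))  # lowest priority value wins
    return out


def dns_problems(srv, a, ptr):
    """List SRV targets whose forward (A) and reverse (PTR) DNS do not agree."""
    problems = []
    for name, recs in srv.items():
        for _prio, _weight, _port, target in recs:
            ip = a.get(target)
            if ip is None:
                problems.append(f"{target}: no A record ({name})")
            elif ptr.get(ip) != target:
                problems.append(f"{target}: PTR for {ip} is {ptr.get(ip)}")
    return problems


def skew_ok(client_epoch, kdc_epoch, max_skew=MAX_SKEW):
    """True if the two clocks are close enough for Kerberos to accept a request."""
    return abs(client_epoch - kdc_epoch) <= max_skew


if __name__ == "__main__":
    srv = parse_srv(SRV_ZONE)
    print("preferred KDC:", srv["_kerberos._udp.example.com."][0][3])
    print("DNS problems:", dns_problems(srv, A_RECORDS, PTR_RECORDS))
    print("clock ok:", skew_ok(1_700_000_000, 1_700_000_420))
```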






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org