
BLU Discuss list archive



Single-signon (Subversion, Apache etc)



Hi Rich,

> For years I've held out hope that someone would come up with a turnkey
> mechanism for deploying Kerberos/RADIUS/LDAP throughout a Linux distro
> but my hopes have not been realized, even with latest openSUSE et al.
...
> MIT Athena invented this technology a quarter century ago and I want it
> *now*.  Any success stories among y'all?

The setups we ended up with at work don't exactly meet your requirements,
so this may not be very helpful to you, but it seems like there are a few
other people interested in the subject, so I thought I'd chime in.

I work at one of the research groups at HMS, and we have two separate
networks in place.  Our user network is approx. 150 Linux and OS X desktops
and servers, and we ended up using Apple's Open Directory product for SSO.
We're authenticating user accounts, Apache (webmail, Subversion, Nagios, 
various other web apps), Dovecot, Sendmail and SSH against it.

I manage a much smaller development network of about <10 physical machines
and ~15 virtual machines, again running OS X and Linux, and we went with
FreeIPA for that network.  The users on that network are almost all
external to Harvard, so we decided not to put them into our primary LDAP 
server.  We're mostly a Fedora/Red Hat/CentOS shop for Linux, and FreeIPA
is pretty easy to get working in that environment.

A few random notes that come to mind:

Apple's product is built on OpenLDAP and FreeIPA is built on the 389
Directory Server (the evolution of the original Netscape Directory Server
that Red Hat bought a while back).  There is quite a bit more documentation
out there about integrating/customizing OpenLDAP for your environment than
there is for other LDAP servers.  You can find sample schemas for sharing
various data via OpenLDAP much more easily than the other servers I think.

For the most part, FreeIPA has been fine.  They weren't packaging it for
anything other than the latest Fedora when I set it up, and it's definitely
under heavy development, and that can be both a pro and a con.  In a larger
environment, I would probably be somewhat leery of it for that reason.

I implemented FreeIPA over the course of a couple weeks, and our senior
sysadmin rolled out the Apple OD solution over the course of a couple
months, so 6 months seems like it might be hedging on the long side to
build out a solution, but it also sounds like you have a more complex
environment than we have.

Unless you have a very homogeneous environment where "the vendor product"
will work for everything (and it doesn't sound like that is the case), I
think you'll end up doing a fair bit of customization to make everything
work.

You might try the BBLISA list with your query; they tend to be more
hardcore sysadmins over there.

-b

--
the roots of education are bitter, but the fruit is sweet.
                                               <aristotle>

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.