Single sign-on infrastructure (FC5 wish)
Bernardo Innocenti
bernie at develer.com
Sat Jun 18 05:26:47 UTC 2005
Hello,
I realize it's a bit late for posting more FC5 wish-list
entries, but I'll try anyway in case Santa is still
listening.
I've been researching Linux user-management and
authentication in enterprise environments for a few
months.
I'm quite disappointed by the lack of integration between
the various components, which effectively makes it very
hard to provide a single authentication for intranet users.
This isn't specific to Fedora: no Linux distro I know of
provides a decent solution to this very common problem
(at least, common to any site with 10 or more users).
My current environment looks roughly like this:
- OpenLDAP to store user's information and authentication
data;
- nss_ldap to let all clients share user information;
- Samba with LDAP backend;
- Heimdal's KDC, configured with the LDAP backend.
Heimdal can use NT password hashes as kerberos
authentication info.
(MIT's kerberos does not yet come with it, but I've
read Novell contributed code some time ago);
- pam_krb5 to obtain Kerberos tickets at login time;
- mod_auth_kerb to perform SPNEGO with Apache;
- hacked Firefox configuration on all clients to
enable negotiate-auth for https;
What works:
- Use intranet pages with Konqueror and Firefox from
Fedora and Gentoo clients.
- I can manually request a ticket on MacOS X and use
it with Firefox. Safari is supposed to work, but
it doesn't, for reasons I can't explain.
What's missing:
- I can't get anything to work for Windows 2000 and XP
clients. That would require more integration between
Samba and Heimdal, and perhaps full ADS support.
Hopefully Samba 4 will solve this.
- Some web applications want their own user database
(notably Bugzilla, Mailman and MoinMoin);
- Most web applications use their own cookie-based
authentication method (SquirrelMail, Bugzilla,
Mailman...);
- I couldn't get password-less IMAP to work with
courier-imap because of limited SASL support.
Maybe I'd be more lucky with cyrus-imap, but it
doesn't support Maildirs, so I can't switch;
- NFSv4 with GSSAPI authentication. Many patches from
CITI are still missing in the kernel and in userland.
I found it extremely difficult to get reliable NFS
operation with NFSv4 (but it was two months ago, the
situation may have improved in the meantime);
- Integrated management tools. I've currently settled
with a combination of phpLdapAdmin, ldapvi and
smb-ldaptools, all of which aren't exactly as simple
and quick as traditional UNIX tools (useradd, passwd,
vipw...);
Oh, Santa, please bring me an FC5 with single-signon out
of the box! I promise I'll be a good boy and help fixing
bugs.
--
// Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/ http://www.develer.com/
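As an added example (not from Bernardo's post or any of the projects he names), here is the Apache side of the SPNEGO setup he describes: a mod_auth_kerb stanza for an intranet vhost. The hostname, realm, certificate and keytab paths are placeholders.

```apache
# Added example, not part of the original post: mod_auth_kerb protecting an
# intranet vhost with SPNEGO. Host, realm, cert and keytab paths are placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.key

    <Location />
        AuthType Kerberos
        AuthName "Intranet (Kerberos)"
        # Accept only Negotiate (SPNEGO) tickets. Leaving the password
        # fallback off means a browser without a ticket gets a 401 instead
        # of a Basic-auth prompt that would send the Kerberos password to
        # the web server, which is what single sign-on is meant to avoid.
        KrbMethodNegotiate On
        KrbMethodK5Passwd  Off
        KrbAuthRealms      EXAMPLE.COM
        # Service principal HTTP/intranet.example.com@EXAMPLE.COM, exported
        # from the KDC into a keytab readable only by the httpd user.
        KrbServiceName     HTTP/intranet.example.com
        Krb5KeyTab         /etc/httpd/conf/http.keytab
        # Strip the realm so REMOTE_USER matches the login name that
        # nss_ldap hands to the rest of the system.
        KrbLocalUserMapping On
        Require valid-user
    </Location>
</VirtualHost>
```

The client half is the Firefox preference `network.negotiate-auth.trusted-uris`; listing the intranet hostnames there, rather than a bare `https://`, keeps the browser from offering a ticket to every TLS site it visits.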