Single sign-on infrastructure (FC5 wish)

Bernardo Innocenti bernie at develer.com
Sat Jun 18 05:26:47 UTC 2005


Hello,

I realize it's a bit late for posting more FC5 wish-list
entries, but I'll try anyway in case Santa is still
listening.

I've been researching Linux user-management and
authentication in enterprise environments for a few
months.

I'm quite disappointed by the lack of integration between
the various components, which effectively makes it very
hard to provide a single authentication for intranet users.

This isn't specific to Fedora: no Linux distro I know of
provides a decent solution to this very common problem
(at least, common to any site with 10 or more users).

My current environment looks roughly like this:

 - OpenLDAP to store users' information and authentication
   data;

 - nss_ldap to let all clients share user information;

 - Samba with LDAP backend;

 - Heimdal's KDC, configured with the LDAP backend.
   Heimdal can use NT password hashes as kerberos
   authentication info.
   (MIT's kerberos does not yet come with it, but I've
   read Novell contributed code some time ago);

 - pam_krb5 to obtain Kerberos tickets at login time;

 - mod_auth_kerb to perform SPNEGO with Apache;

 - hacked Firefox configuration on all clients to
   enable negotiate-auth for https;
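
The Firefox piece of this setup is normally done with locked prefs in an autoconfig file. As an added illustration (not the poster's configuration), the following Python script builds such a fragment from a list of intranet hosts, refusing overbroad entries so that Negotiate tokens are only ever sent to the hosts the site intends; the host names are placeholders.

```python
"""Build a locked Firefox autoconfig fragment enabling SPNEGO
(negotiate-auth) only for the listed intranet hosts.
Constructed example; '.example.com' etc. are placeholders."""
import re

# Real Firefox pref names: trusted-uris lists the sites that may receive
# Negotiate tokens; delegation-uris lists sites that may additionally
# receive forwardable credentials and should normally stay empty.
TRUSTED_PREF = "network.negotiate-auth.trusted-uris"
DELEGATION_PREF = "network.negotiate-auth.delegation-uris"

# Accept "host.example.com", ".example.com" (domain suffix) or an
# https:// prefix on either; require at least one dot so a bare TLD,
# an empty string or a lone "https://" cannot slip through.
_HOST_RE = re.compile(r"^(https://)?(\.?[a-z0-9-]+(\.[a-z0-9-]+)+)$")


def validate_trusted(entries):
    """Return normalised entries, raising on anything that would hand
    Kerberos tickets to arbitrary hosts."""
    accepted = []
    for entry in entries:
        entry = entry.strip().lower()
        if not _HOST_RE.match(entry):
            raise ValueError(f"rejected overbroad or malformed entry: {entry!r}")
        accepted.append(entry)
    return accepted


def autoconfig(trusted_entries, delegation_entries=()):
    """Render the locked prefs. Firefox skips the first line of an
    autoconfig file, so it must be a comment."""
    trusted = ",".join(validate_trusted(trusted_entries))
    delegation = ",".join(validate_trusted(delegation_entries))
    lines = [
        "// Firefox autoconfig fragment (first line is ignored)",
        f'lockPref("{TRUSTED_PREF}", "{trusted}");',
        f'lockPref("{DELEGATION_PREF}", "{delegation}");',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(autoconfig([".example.com", "https://wiki.example.com"]))
```

The generated text is meant to be appended to the mozilla.cfg referenced by the browser's autoconfig pref; keeping delegation-uris empty avoids forwarding tickets to web servers that do not need them.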

What works:

 - Use intranet pages with Konqueror and Firefox from
   Fedora and Gentoo clients.

 - I can manually request a ticket on MacOS X and use
   it with Firefox.  Safari is supposed to work, but
   it doesn't, for reasons I can't explain.


What's missing:

 - I can't get anything to work for Windows 2000 and XP
   clients. That would require more integration between
   Samba and Heimdal, and perhaps full ADS support.
   Hopefully Samba 4 will solve this.

 - Some web applications want their own user database
   (notably Bugzilla, Mailman and MoinMoin);

 - Most web applications use their own cookie-based
   authentication method (SquirrelMail, Bugzilla,
   Mailman...);

 - I couldn't get password-less IMAP to work with
   courier-imap because of limited SASL support.
   Maybe I'd be luckier with cyrus-imap, but it
   doesn't support Maildirs, so I can't switch;

 - NFSv4 with GSSAPI authentication.  Many patches from
   CITI are still missing in the kernel and in userland.
   I found it extremely difficult to get reliable NFS
   operation with NFSv4 (but it was two months ago, the
   situation may have improved in the meantime);

 - Integrated management tools.  I've currently settled
   on a combination of phpLdapAdmin, ldapvi and
   smb-ldaptools, none of which are exactly as simple
   and quick as traditional UNIX tools (useradd, passwd,
   vipw...);


Oh, Santa, please bring me an FC5 with single sign-on out
of the box!  I promise I'll be a good boy and help fix
bugs.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/