Single sign-on infrastructure (FC5 wish)
Mike MacCana
mikem at cyber.com.au
Sat Jun 18 06:56:40 UTC 2005
Bernardo Innocenti wrote:
> - Heimdal's KDC, configured with the LDAP backend.
> Heimdal can use NT password hashes as Kerberos
> authentication info.
>
>
As of right now, krb5_workstation can authenticate Linux against AD in
exactly the same manner as Windows 2000, XP and 2003 clients - using
Kerberos over TCP for long requests, and weird MS-specific encryption
types. All the stuff that MS did to Kerberos is now doable on Unix.
> - hacked Firefox configuration on all clients to
> enable negotiate-auth for https;
>
>
Surprised Firefox doesn't support Kerberos through GSSAPI or similar as
is. I thought the version in RHEL 4 did - there was a big Kerberos push
for RHEL 4 - are you sure?
> - I can't get anything to work for Windows 2000 and XP
> clients. That would require more integration between
> Samba and Heimdal, and perhaps full ADS support.
> Hopefully Samba 4 will solve this.
>
>
Yep.
> - Some web applications want their own user database
> (notably Bugzilla, Mailman and MoinMoin);
>
>
A krb5 authing, LDAP using Bugzilla would be great.
> - Most web applications use their own cookie-based
> authentication method (SquirrelMail, Bugzilla,
> Mailman...);
>
>
> - I couldn't get password-less IMAP to work with
> courier-imap because of limited SASL support.
>
>
Dovecot supports krb5 IIRC.
> - NFSv4 with GSSAPI authentication. Many patches from
> CITI are still missing in the kernel and in userland.
> I found it extremely difficult to get reliable NFS
> operation with NFSv4 (but it was two months ago, the
> situation may have improved in the meantime);
>
>
Haven't played with this. Have you tried AFS? It's a neater protocol and
has a few large implementations (e.g., CSFB) using it on Red Hat-like systems.
> - Integrated management tools. I've currently settled
> with a combination of phpLdapAdmin, ldapvi and
> smb-ldaptools, all of which aren't exactly as simple
> and quick as traditional UNIX tools (useradd, passwd,
> vipw...);
>
>
jXplorer from CA is Open Source, good, and may well build on a free Java
stack. It's already on the FC5future area of the wiki.
Mike