Single sign-on infrastructure (FC5 wish)

Mike MacCana mikem at cyber.com.au
Sat Jun 18 06:56:40 UTC 2005


Bernardo Innocenti wrote:

> - Heimdal's KDC, configured with the LDAP backend.
>   Heimdal can use NT password hashes as kerberos
>   authentication info.
As of right now, krb5_workstation can authenticate Linux against AD in 
exactly the same manner as Windows 2000, XP and 2003 clients - using 
Kerberos over TCP for long requests, and weird MS specific encryption 
types. All the stuff that MS did to Kerberos is now doable on Unix.

> - hacked Firefox configuration on all clients to
>   enable negotiate-auth for https;
Surprised Firefox doesn't support Kerberos through GSSAPI or similar as 
is. I thought the version in RHEL 4 did - there was a big Kerberos push 
for RHEL 4 - are you sure?

> - I can't get anything to work for Windows 2000 and XP
>   clients. That would require more integration between
>   Samba and Heimdal, and perhaps full ADS support.
>   Hopefully Samba 4 will solve this.
Yep.

> - Some web applications want their own user database
>   (notably Bugzilla, Mailman and MoinMoin);
A krb5 authing, LDAP using Bugzilla would be great.

> - Most web applications use their own cookie-based
>   authentication method (SquirrelMail, Bugzilla,
>   Mailman...);

> - I couldn't get password-less IMAP to work with
>   courier-imap because of limited SASL support.
Dovecot supports krb5 IIRC.

> - NFSv4 with GSSAPI authentication.  Many patches from
>   CITI are still missing in the kernel and in userland.
>   I found it extremely difficult to get reliable NFS
>   operation with NFSv4 (but it was two months ago, the
>   situation may have improved in the meantime);
Haven't played with this. Have you tried AFS? It's a neater protocol and 
has a few large implementations (eg, CSFB) using it on Red Hat like systems.

> - Integrated management tools.  I've currently settled
>   with a combination of phpLdapAdmin, ldapvi and
>   smb-ldaptools, all of which aren't exactly as simple
>   and quick as traditional UNIX tools (useradd, passwd,
>   vipw...);
jXplorer from CA is Open Source, good, and may well build on a free java 
stack. It's already on the FC5future area of the wiki.

Mike
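The AD client setup Mike describes (Kerberos over TCP for large tickets, plus the Microsoft RC4 encryption type) corresponds to a handful of krb5.conf settings. The fragment below is an added illustration, not configuration from either poster; EXAMPLE.COM and dc1.example.com are placeholders, and the enctype names are MIT Kerberos names.

```ini
# krb5.conf fragment for a Linux host joined to an Active Directory realm.
# Added example: realm and host names are placeholders, not from the thread.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # Windows clients send large requests (tickets carrying a PAC) over TCP.
    # udp_preference_limit is the size above which MIT krb5 switches to TCP;
    # 1 effectively makes every request go over TCP, matching that behaviour.
    udp_preference_limit = 1
    # rc4-hmac is the Microsoft-specific enctype the thread refers to. It is
    # the weakest type listed here, so keep it last: AES is negotiated when the
    # domain controller supports it, and RC4 is only used as a fallback.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

After `kinit user@EXAMPLE.COM`, `klist -e` shows which enctype the domain controller actually issued, which is the quickest way to confirm whether RC4 is still in use.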
