are you using Fedora in a production environment?

Emmanuel Seyman emmanuel.seyman at club-internet.fr
Mon Oct 30 15:03:54 UTC 2006


On Mon, Oct 30, 2006 at 12:09:41PM +0200, Avi Kivity wrote:
> 
> I looked at openldap, but it had separate schemas for cifs and unix.

An LDAP entry can have several objectClass-es.
The samba and unix schemas are different but use the same attribute
for the user's password so you'll only have one password for both
methods.

Note that LDAP will only solve part of the problem. It allows you to
centralize user information but your users will still need to enter
their passwords as often as before. You'll need Kerberos to have SSO.

> Can you describe your solution?  Does it work for the other services?

I work mostly on web-apps so I can only comment on WebSSO solutions.

Lemonldap[1] is usable (but a pain in the a$$ to get working).
I'm looking at Vulture[2] these days which seems to have more readable code.

Both of these work the same way, using Apache as a reverse proxy between
the user and the web-apps.

- User tries to load an app in his browser
- Lemonldap or Vulture catches his request and redirects him to an
  authentication page
- User enters a username and a password. These are checked against an LDAP
  database.
- Lemonldap or Vulture then adds an Authorization header to the HTTP request
  and sends it on its way.
- User no longer needs to authenticate himself for any of the web-apps.

This requires that the web-apps be modified to use the Authorization header
to identify the user. These changes range from 'trivial' to 'impossible',
depending on the apps themselves.

[1] http://lemonldap.sourceforge.net/
[2] http://vulture.open-source.fr/wiki/

Emmanuel
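The redirect-then-header flow described in the post, as an added example that is not Lemonldap's or Vulture's own code: the proxy redirects unauthenticated users to a login page, checks credentials against a directory, and forwards requests to the web-app with an Authorization header the app uses to identify the user. The directory contents, session store, login URL and the exact Authorization header format are assumed stand-ins; the proxy also strips any client-supplied Authorization header, since the web-app trusts that header.

```python
import base64
from dataclasses import dataclass, field

# Constructed stand-ins for the LDAP directory, the session store and the login page.
DIRECTORY = {"alice": "s3cret"}               # constructed sample user, not a real directory
SESSIONS = {}                                  # session id -> username
AUTH_PAGE = "https://sso.example.test/login"   # assumed URL, not from the post


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def ldap_check(username, password):
    """Stands in for the LDAP password check the post describes."""
    return DIRECTORY.get(username) == password


def login(username, password):
    """Login page: validate credentials and issue a session id (constructed)."""
    if not ldap_check(username, password):
        return None
    sid = "sid-" + username  # a real deployment uses a random, unguessable id
    SESSIONS[sid] = username
    return sid


def proxy(req):
    """Reverse proxy in front of the web-apps.
    Returns ('redirect', url) or ('forward', request carrying Authorization)."""
    # The web-app trusts Authorization, so a client-supplied one must never pass through.
    req.headers.pop("Authorization", None)
    user = SESSIONS.get(req.cookies.get("sso"))
    if user is None:
        return ("redirect", f"{AUTH_PAGE}?url={req.path}")
    # Assumed header format; the post only says 'an Authorization header'.
    token = base64.b64encode(f"{user}:".encode()).decode()
    req.headers["Authorization"] = "Basic " + token
    return ("forward", req)


def webapp_user(req):
    """The modified web-app: identify the user from the proxy-set header only."""
    value = req.headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    return base64.b64decode(value[6:]).decode().split(":", 1)[0]
```

Because the web-app identifies the user purely from that header, the proxy must be the only path to the app; if clients can reach the app directly, the header can be forged.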
