[katello-devel] Design of SSO

Marek Hulan mhulan at redhat.com
Mon Mar 4 15:22:52 UTC 2013


On Monday 04 of March 2013 09:32:07 Bryan Kearney wrote:
> On 03/04/2013 08:17 AM, Tom McKay wrote:
> >> > I thought there are possible setups where customer have users in Katello
> >> > internal DB without LDAP and also uses Foreman. They would be forced to
> >> > migrate to LDAP in order to use SSO then? Katello seemed to me as natural
> >> > choice because it's already primary source of users for Katello and Foreman.
> >> > There can exist Foreman-only users but they have no access to Katello then
> >> > however all Katello users have access to Foreman right? By forcing LDAP user
> >> > database, SSO could be used even without Katello by other services however we
> >> > would also duplicate this logic which is already in Katello (and will stay
> >> > there as fallback).
> > 
> > I think LDAP has to be an available option from the very start, even if
> > it's a requirement that you can't mix-and-match (ie. both or neither must
> > use LDAP).
> I think we need the following priority driven order of development:
> 
> 1) DB backed user storage, credentials checked against that.
> 2) LDAP backed user storage, credentials checked against that.
> 3) User identity taken from Kerberos ticket

Ok, this is not how it currently works, so should I take it as a part of the SSO US
or will we solve it in the future? Currently Katello asks DB xor LDAP based on
configuration. If we agree that SSO (new app) will use Katello to authenticate,
this will be the way login will work when the US is finished.

> 
> How the communication is done, and what constraints exist on Foreman and
> Katello may be different. However.. that should be the order.
> 
> Eventually, all users and groups need to come from LDAP.
> -- kb
-- 
Marek



