
Re: Single sign-on infrastructure (FC5 wish)



Bernardo Innocenti wrote:

- Heimdal's KDC, configured with the LDAP backend.
Heimdal can use NT password hashes as Kerberos
authentication info.


As of right now, krb5_workstation can authenticate Linux against AD in exactly the same manner as Windows 2000, XP and 2003 clients - using Kerberos over TCP for long requests, and weird MS-specific encryption types. All the stuff that MS did to Kerberos is now doable on Unix.

- hacked Firefox configuration on all clients to
enable negotiate-auth for https;


Surprised Firefox doesn't support Kerberos through GSSAPI or similar as is. I thought the version in RHEL 4 did - there was a big Kerberos push for RHEL 4 - are you sure?

- I can't get anything to work for Windows 2000 and XP
clients. That would require more integration between
Samba and Heimdal, and perhaps full ADS support.
Hopefully Samba 4 will solve this.


Yep.

- Some web applications want their own user database
(notably Bugzilla, Mailman and MoinMoin);


A krb5 authing, LDAP using Bugzilla would be great.

- Most web applications use their own cookie-based
authentication method (SquirrelMail, Bugzilla,
Mailman...);



- I couldn't get password-less IMAP to work with
courier-imap because of limited SASL support.


Dovecot supports krb5 IIRC.

- NFSv4 with GSSAPI authentication. Many patches from
CITI are still missing in the kernel and in userland.
I found it extremely difficult to get reliable NFS
operation with NFSv4 (but it was two months ago, the
situation may have improved in the meantime);


Haven't played with this. Have you tried AFS? It's a neater protocol and has a few large implementations (e.g., CSFB) using it on Red Hat-like systems.

- Integrated management tools. I've currently settled
with a combination of phpLdapAdmin, ldapvi and
smb-ldaptools, all of which aren't exactly as simple
and quick as traditional UNIX tools (useradd, passwd,
vipw...);


jXplorer from CA is Open Source, good, and may well build on a free Java stack. It's already on the FC5future area of the wiki.

Mike

