[Freeipa-users] Does FreeIPA support web services SSO gracefully?

Paul Robert Marino prmarino1 at gmail.com
Thu May 3 16:16:32 UTC 2012


Yes and no.
Not completely natively, but in theory yes. Kerberos is the original SSO
solution and it works very well, but webapps don't always play nice with
existing authentication solutions.
Since Kerberos 5 is part of FreeIPA you have a chance to get it working if
they play nice with Apache's authentication mechanisms.

There is an Apache module for Kerberos auth that works well. Two notes about
it: turn on credential caching because it significantly reduces the load on
the Kerberos server, and keep in mind that Internet Explorer leaves native
Kerberos on (you won't get prompted for a user name or password if you have
a valid Kerberos ticket) but Firefox turns it off by default, and I'm not
sure about Chrome. In other words, if you leave the default setting in
Firefox it will use basic auth (clear-text password unless you use SSL) to
interact with Apache and subsequently Kerberos. This is a wonderful way to
make a secure authentication mechanism insecure if you don't use SSL.
That said, I know for a fact Trac does work well with Kerberos auth.

One warning: Apache has an LDAP authentication module as well; avoid it like
the plague unless you like to launch denial of service attacks against your
own servers.
The LDAP auth module will query your LDAP servers every time a user
accesses a file or CGI on the server, and by file I mean a page with 5
images will query your LDAP server at least 6 times every time you access
it. The worst part about the LDAP auth module in Apache is it doesn't ever
log out its connection to the LDAP server as far as I can tell, so it's a
recipe for a sorcerer's apprentice syndrome DoS attack because of file handle
limitations and the exponential number of connections it opens. Essentially
the Apache LDAP auth module is responsible for many of the claims that
centralized auth on Linux and Unix crashes often.
On May 3, 2012 5:39 AM, "cee1" <fykcee1 at gmail.com> wrote:

> Hi all,
>
> We have a round of web services (mail, JIRA, Trac, etc.), each has its
> own account database. We are seeking an SSO solution, so users
> need only log in once and can then access all web services.
>
> Does FreeIPA support it gracefully?
>
>
>
> --
> Regards,
>
> - cee1
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
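As an added illustration of the basic-auth fallback Paul describes above (example config written for this note, not from the thread or the FreeIPA project): a mod_auth_kerb setup with the weak default beside a hardened one. Host name, realm, keytab and certificate paths are assumptions.

```apache
# Added example. Assumes realm EXAMPLE.COM, host trac.example.com,
# keytab /etc/httpd/http.keytab, mod_auth_kerb and mod_ssl loaded.

# --- Weak: plain HTTP with password fallback left on ----------------------
# A browser that sends no Negotiate (SPNEGO) token, e.g. Firefox with its
# default settings, falls back to Basic auth: the user's Kerberos password
# crosses port 80 merely base64-encoded, i.e. effectively in clear text.
<VirtualHost *:80>
    ServerName trac.example.com
    <Location /trac>
        AuthType Kerberos
        AuthName "Kerberos login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/http.keytab
        KrbMethodNegotiate On
        # On is the module default; harmless only behind TLS
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# --- Corrected: TLS only, ticket-only authentication ----------------------
<VirtualHost *:80>
    ServerName trac.example.com
    Redirect permanent / https://trac.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName trac.example.com
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/trac.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/trac.example.com.key
    <Location /trac>
        AuthType Kerberos
        AuthName "Kerberos login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/http.keytab
        KrbMethodNegotiate On
        # Off: no password ever reaches Apache; clients must hold a ticket
        KrbMethodK5Passwd Off
        # Verify the KDC's reply against the local keytab (anti-spoofing)
        KrbVerifyKDC On
        # Hand Trac "alice" in REMOTE_USER rather than "alice@EXAMPLE.COM"
        KrbLocalUserMapping On
        Require valid-user
    </Location>
</VirtualHost>
```

With KrbMethodK5Passwd off, a client without a ticket gets a 401 instead of a password prompt, so Firefox users must list the site in network.negotiate-auth.trusted-uris for SSO to work at all.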