[katello-devel] Design of SSO

Bryan Kearney bkearney at redhat.com
Mon Mar 4 14:32:07 UTC 2013


On 03/04/2013 08:17 AM, Tom McKay wrote:
>> I thought there are possible setups where customers have users in Katello's
>> internal DB without LDAP and also use Foreman. They would be forced to
>> migrate to LDAP in order to use SSO then? Katello seemed to me as the natural
>> choice because it's already the primary source of users for Katello and
>> Foreman. There can exist Foreman-only users but they have no access to
>> Katello then; however, all Katello users have access to Foreman, right? By
>> forcing an LDAP user database, SSO could be used even without Katello by
>> other services; however, we would also duplicate this logic which is already
>> in Katello (and will stay there as fallback).
> I think LDAP has to be an available option from the very start, even if it's a requirement that you can't mix-and-match (ie. both or neither must use LDAP).
>
I think we need the following priority-driven order of development:

1) DB-backed user storage, credentials checked against that.
2) LDAP-backed user storage, credentials checked against that.
3) User identity taken from a Kerberos ticket.

How the communication is done, and what constraints exist on Foreman and
Katello, may be different. However, that should be the order.

Eventually, all users and groups need to come from LDAP.
-- kb
