Gordon May wrote: > I was wondering if anyone can help me with setting up a single sign on > system. I want my users to be able to sign on once and have access to > all areas of our site. Ie Forum, wiki, Trac, SVN, etc. From what I've > read it looks like Kerberos will be needed for this. Hmm. What exactly do you mean by 'single sign on' ? Do you mean this : user approaches workstation, enters username and password. User then uses all the above apps for the remainder of the day without entering their username or password again. Or this: user uses various applications, supplying each with _the_same_ username and password ? When they want to change their password, they only need change it in one place. If you are looking for the former then this is SSO, and it does require Kerberos. (In theory you can use other technologies such as smart cards, thumb readers, retinal scanners etc but for most folk today SSO means kerberos). The reason I'm not sure if you are looking for 'real' SSO is that in your list of applications above you include quite a few where the client is a web browser. This would mean that you'd need kerberos support in the browser and also in the web server. This is hard to find today. Microsoft products are the only widely deployed solution that I am aware of. If all you're after is to have one password and a central authentication service for multiple applications then that doesn't need Kerberos, just LDAP. In that case you just need to LDAP enable all your apps (web servers etc). > Is there a way to do this without Kerberos? If you want SSO then no. > Is there a single tool that I can use to manage user passwords and > FDS? Ie User account creation, deletion, updating, password resets, etc. Yes. There are many choices. Here are a few: The FDS console (Java app), also http://phpldapadmin.sourceforge.net/ and http://www.jxplorer.org/ there is a simple web app designed to support user self service administration shipped with FDS too. > How do I force FDS to ask Kerberos if a user's passwords is correct? Hmm...this does not sound like SSO because in that case the LDAP server would never see a Kerberos password. First, FDS supports kerberized LDAP. But that's probably not what you want (it allows SSO to the _LDAP_ service, but not to any other kerberized service---that would be done directly using kerberos without any LDAP involvement). With the FDS PAM plugin I believe it is possible to support what I call 'proxied kerberos' where the user supplies their kerberos password to a regular basic auth client (e.g. web browser). This may be what you are looking for. The password is passed through as plain text (with ssl protection) to the LDAP server which then gives it to PAM and finally to GSSAPI for validation. This can be done with FDS although it might require some work to get all the necessary parts put together. Note that if you only ever deploy 'proxied kerberos' (and no real kerberized services) then there's really little point because basic auth to the ldap service would be much easier to configure and use, and would be just as secure.
