Hello,

I realize it's a bit late for posting more FC5 wish-list entries, but I'll try anyway in case Santa is still listening.

I've been researching Linux user-management and authentication in enterprise environments for a few months. I'm quite disappointed by the lack of integration between the various components, which effectively makes it very hard to provide a single authentication for intranet users. This isn't specific to Fedora: no Linux distro I know of provides a decent solution to this very common problem (at least, common to any site with 10 or more users).

My current environment looks roughly like this:

- OpenLDAP to store users' information and authentication data;
- nss_ldap to let all clients share user information;
- Samba with LDAP backend;
- Heimdal's KDC, configured with the LDAP backend. Heimdal can use NT password hashes as Kerberos authentication info. (MIT's Kerberos does not yet come with it, but I've read Novell contributed code some time ago);
- pam_krb5 to obtain Kerberos tickets at login time;
- mod_auth_kerb to perform SPNEGO with Apache;
- hacked Firefox configuration on all clients to enable negotiate-auth for https.

What works:

- Use intranet pages with Konqueror and Firefox from Fedora and Gentoo clients.
- I can manually request a ticket on MacOS X and use it with Firefox. Safari is supposed to work, but it doesn't, for reasons I can't explain.

What's missing:

- I can't get anything to work for Windows 2000 and XP clients. That would require more integration between Samba and Heimdal, and perhaps full ADS support. Hopefully Samba 4 will solve this.
- Some web applications want their own user database (notably Bugzilla, Mailman and MoinMoin);
- Most web applications use their own cookie-based authentication method (SquirrelMail, Bugzilla, Mailman...);
- I couldn't get password-less IMAP to work with courier-imap because of limited SASL support. Maybe I'd be luckier with cyrus-imap, but it doesn't support Maildirs, so I can't switch;
- NFSv4 with GSSAPI authentication. Many patches from CITI are still missing in the kernel and in userland. I found it extremely difficult to get reliable NFS operation with NFSv4 (but it was two months ago, the situation may have improved in the meantime);
- Integrated management tools. I've currently settled with a combination of phpLdapAdmin, ldapvi and smb-ldaptools, all of which aren't exactly as simple and quick as traditional UNIX tools (useradd, passwd, vipw...).

Oh, Santa, please bring me an FC5 with single-signon out of the box! I promise I'll be a good boy and help fix bugs.

-- 
 // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
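The following is an added example, not code from Bernardo's post or from any of the projects he names, showing the Apache side of the SPNEGO setup he describes (mod_auth_kerb protecting an https virtual host). The realm EXAMPLE.COM, the host intranet.example.com, the certificate paths and the keytab path are placeholders; the keytab is assumed to contain the HTTP/intranet.example.com@EXAMPLE.COM key.

```apache
# Added example (not from the original post): Apache 2.x virtual host protected by
# mod_auth_kerb. EXAMPLE.COM, intranet.example.com, the certificate paths and
# /etc/httpd/conf/http.keytab are placeholders. The keytab must be readable only
# by the user httpd runs as; anyone who can read it can impersonate the service.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.example.com.key

    <Location />
        AuthType Kerberos
        AuthName "Intranet (Kerberos)"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP/intranet.example.com
        Krb5Keytab /etc/httpd/conf/http.keytab

        # Accept only SPNEGO tickets. Leaving KrbMethodK5Passwd on would let a
        # client without a ticket fall back to HTTP Basic auth, i.e. type its
        # Kerberos password into a browser dialog and send it to the web server.
        KrbMethodNegotiate On
        KrbMethodK5Passwd  Off

        # Strip the @EXAMPLE.COM suffix so REMOTE_USER is the bare username that
        # web applications can match against the LDAP uid (mod_auth_kerb >= 5.4).
        KrbLocalUserMapping On

        Require valid-user
    </Location>
</VirtualHost>
```

On the client side, the "hacked Firefox configuration" in the post amounts to setting the preference `network.negotiate-auth.trusted-uris` to the intranet domain (for example `.example.com`) rather than a catch-all value: Firefox will only present a Kerberos ticket to hosts matching that list, which keeps tickets from being offered to arbitrary sites. `network.negotiate-auth.delegation-uris` should stay empty unless a server genuinely needs a forwarded TGT to act on the user's behalf, since delegation hands that server the user's credentials. When a client lacks a ticket, this configuration returns a plain 401 with `WWW-Authenticate: Negotiate`, which is the expected behaviour to look for when testing with `kinit` followed by a browser visit.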