Re: Single sign-on infrastructure (FC5 wish)

Bernardo Innocenti wrote:

- Heimdal's KDC, configured with the LDAP backend.
  Heimdal can use NT password hashes as Kerberos
  authentication info.
As of right now, krb5_workstation can authenticate Linux against AD in exactly the same manner as Windows 2000, XP and 2003 clients - using Kerberos over TCP for long requests, and weird MS specific encryption types. All the stuff that MS did to Kerberos is now doable on Unix.

- hacked Firefox configuration on all clients to
  enable negotiate-auth for https;
Surprised Firefox doesn't support Kerberos through GSSAPI or similar as is. I thought the version in RHEL 4 did - there was a big Kerberos push for RHEL 4 - are you sure?

- I can't get anything to work for Windows 2000 and XP
  clients. That would require more integration between
  Samba and Heimdal, and perhaps full ADS support.
  Hopefully Samba 4 will solve this.
Yep.

- Some web applications want their own user database
  (notably Bugzilla, Mailman and MoinMoin);
A krb5 authing, LDAP using Bugzilla would be great.

- Most web applications use their own cookie-based
  authentication method (SquirrelMail, Bugzilla,
  Mailman...);

- I couldn't get password-less IMAP to work with
  courier-imap because of limited SASL support.
Dovecot supports krb5 IIRC.

- NFSv4 with GSSAPI authentication.  Many patches from
  CITI are still missing in the kernel and in userland.
  I found it extremely difficult to get reliable NFS
  operation with NFSv4 (but it was two months ago, the
  situation may have improved in the meantime);
Haven't played with this. Have you tried AFS? It's a neater protocol and has a few large implementations (eg, CSFB) using it on Red Hat like systems.

- Integrated management tools.  I've currently settled
  with a combination of phpLdapAdmin, ldapvi and
  smb-ldaptools, all of which aren't exactly as simple
  and quick as traditional UNIX tools (useradd, passwd,
  vipw...);
jXplorer from CA is Open Source, good, and may well build on a free Java stack. It's already on the FC5future area of the wiki.

Mike

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
