On Mon, Oct 30, 2006 at 12:09:41PM +0200, Avi Kivity wrote:
> > I looked at openldap, but it had separate schemas for cifs and unix.

An LDAP entry can have several objectClass-es. The samba and unix schemas are different but use the same attribute for the user's password so you'll only have one password for both methods.

Note that LDAP will only solve part of the problem. It allows you to centralize user information but your users will still need to enter their passwords as often as before. You'll need Kerberos to have SSO.

> Can you describe your solution? Does it work for the other services?

I work mostly on web-apps so I can only comment on WebSSO solutions. Lemonldap[1] is usable (but a pain in the a$$ to get working). I'm looking at Vulture[2] these days which seems to have more readable code.

Both of these work the same way, using Apache as a reverse proxy between the user and the web-apps.

- User tries to load an app in his browser
- Lemonldap or Vulture catches his request and redirects him to an authentication page
- User enters a username and a password. These are checked against an LDAP database.
- Lemonldap or Vulture then adds an Authorization header to the HTTP request and sends it on its way.
- User no longer needs to authenticate himself for any of the web-apps.

This requires that the web-apps be modified to use the Authorization header to identify the user. These changes range from 'trivial' to 'impossible', depending on the apps themselves.

[1] http://lemonldap.sourceforge.net/
[2] http://vulture.open-source.fr/wiki/

Emmanuel
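
Added example, not part of the original message and not code from Lemonldap or Vulture: a sketch of the app-side change described above, as a Python WSGI middleware that takes the user from the Authorization header the proxy adds. It assumes the header is in HTTP Basic form and that the proxy connects from a fixed address; `TRUSTED_PROXIES`, `ProxyAuthMiddleware` and `demo_app` are hypothetical names.

```python
import base64

# Assumption: the address the SSO reverse proxy connects from (constructed value).
TRUSTED_PROXIES = {"10.0.0.5"}


def user_from_authorization(header):
    """Return the username from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


class ProxyAuthMiddleware:
    """Identify the user from the proxy-added header before the app runs."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        user = None
        # Only believe the header when the peer is the SSO proxy: a client
        # that reaches the app directly can send any Authorization header.
        if environ.get("REMOTE_ADDR") in self.trusted:
            user = user_from_authorization(environ.get("HTTP_AUTHORIZATION"))
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request did not come through the SSO proxy\n"]
        environ["REMOTE_USER"] = user  # the app reads the identity from here
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for a web-app that only needs to know who the user is."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"] + "\n").encode()]
```

The app should also be bound or firewalled so that only the proxy can reach it; the address check in the middleware is a second line of defence for that.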