Hi,
> Just to ensure what I understand at this moment. The cool feature like
> "True Single Sign On" which automatically authenticate user after login
> to Windows OS by Active Directory, is still not implemented for the
> Unix-based OS authenticated using LDAP. Am I right? (I haven't tested it
> yet, just read the sourcecode)
It's not quite true to say that it doesn't support Unix-based OS, because it
is platform agnostic. Authentication is achieved using a Kerberos ticket
which is issued by Active Directory.
> If it's so, is it hard to implement this feature und Unix-based OS?
> In Windows OS, ESOE get logged-in user information from Windows-Session
> and validate it against Active Directory.
> As I know the Unix-based OSs use PAM to authenticate against LDAP but
> I'm still have not quite sure how OS keep per LDAP logged-in user
> information & how ESOE retrieves that user information, to validate it
> against LDAP.
LDAP authentication, at least in the context of ESOE, is simple
username/password verification. Storing the state would just be saving your
username and password, which ESOE still wouldn't be able to get at
automatically. (If it were able to retrieve this data from your OS, I would
consider that a gaping security hole.)
The authentication method we use for "True" SSO is called SPNEGO, and we use
the Kerberos variant of this method (as opposed to NTLM).
People have had some success by installing krb5 and configuring
/etc/krb5.conf to authenticate against AD.. though we haven't documented
this procedure yet.
Regards,
Shaun Mangelsdorf
|
