Gmail Calendar Documents Reader Web more »
Recently Visited Groups | Help | Sign in
Google Groups Home
ESOE Development
+ new post
Home
About this group
Join this group
"True Single Sign On" for Unix-based OS
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   2 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Nakkapt Boonsri  
View profile  
 More options Apr 17, 3:04 am
From: Nakkapt Boonsri <nhtg...@googlemail.com>
Date: Thu, 16 Apr 2009 19:04:33 +0200
Local: Fri, Apr 17 2009 3:04 am
Subject: "True Single Sign On" for Unix-based OS
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
Hi,
Just to ensure what I understand at this moment. The cool feature like
"True Single Sign On" which automatically authenticate user after login
to Windows OS by Active Directory, is still not implemented for the
Unix-based OS authenticated using LDAP. Am I right? (I haven't tested it
yet, just read the sourcecode)

If it's so, is it hard to implement this feature und Unix-based OS?
In Windows OS, ESOE get logged-in user information from Windows-Session
and validate it against Active Directory.
As I know the Unix-based OSs use PAM to authenticate against LDAP but
I'm still have not quite sure how OS keep per LDAP logged-in user
information & how ESOE retrieves that user information, to validate it
against LDAP.

regards,
Nakkapat

--
Nakkapat Boonsri
-
Südstr. 152
74072 Heilbronn
Germany
-
email : nhtg...@gmail.com
tel.: +49(0)176/6110-4890


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Shaun Mangelsdorf  
View profile  
 More options Apr 17, 7:39 am
From: Shaun Mangelsdorf <s.mangelsd...@gmail.com>
Date: Fri, 17 Apr 2009 07:39:47 +1000
Local: Fri, Apr 17 2009 7:39 am
Subject: Re: [esoe-dev] "True Single Sign On" for Unix-based OS
Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Hi,

> Just to ensure what I understand at this moment. The cool feature like
> "True Single Sign On" which automatically authenticate user after login
> to Windows OS by Active Directory, is still not implemented for the
> Unix-based OS authenticated using LDAP. Am I right? (I haven't tested it
> yet, just read the sourcecode)

It's not quite true to say that it doesn't support Unix-based OS, because it
is platform agnostic. Authentication is achieved using a Kerberos ticket
which is issued by Active Directory.

> If it's so, is it hard to implement this feature und Unix-based OS?
> In Windows OS, ESOE get logged-in user information from Windows-Session
> and validate it against Active Directory.
> As I know the Unix-based OSs use PAM to authenticate against LDAP but
> I'm still have not quite sure how OS keep per LDAP logged-in user
> information & how ESOE retrieves that user information, to validate it
> against LDAP.

LDAP authentication, at least in the context of ESOE, is simple
username/password verification. Storing the state would just be saving your
username and password, which ESOE still wouldn't be able to get at
automatically. (If it were able to retrieve this data from your OS, I would
consider that a gaping security hole.)

The authentication method we use for "True" SSO is called SPNEGO, and we use
the Kerberos variant of this method (as opposed to NTLM).

People have had some success by installing krb5 and configuring
/etc/krb5.conf to authenticate against AD.. though we haven't documented
this procedure yet.

Regards,
Shaun Mangelsdorf


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google