"True Single Sign On" for Unix-based OS
Date: Fri, 17 Apr 2009 07:39:47 +1000
Message-ID: <90ad28f40904161439l5dfabb81hf02ae785232b91b5@mail.gmail.com>
Subject: Re: [esoe-dev] "True Single Sign On" for Unix-based OS
From: Shaun Mangelsdorf <s.mangelsd...@gmail.com>
To: esoe-dev@googlegroups.com
Hi,
>
> Just to ensure what I understand at this moment. The cool feature like
> "True Single Sign On", which automatically authenticates the user after login
> to a Windows OS by Active Directory, is still not implemented for
> Unix-based OSs authenticated using LDAP. Am I right? (I haven't tested it
> yet, just read the source code.)
It's not quite true to say that it doesn't support Unix-based OS, because it
is platform agnostic. Authentication is achieved using a Kerberos ticket
which is issued by Active Directory.
> If so, is it hard to implement this feature under a Unix-based OS?
> In Windows OS, ESOE gets the logged-in user's information from the Windows
> session and validates it against Active Directory.
> As far as I know, Unix-based OSs use PAM to authenticate against LDAP, but
> I'm still not quite sure how the OS keeps the LDAP logged-in user
> information, and how ESOE retrieves that user information to validate it
> against LDAP.
LDAP authentication, at least in the context of ESOE, is simple
username/password verification. Storing the state would just be saving your
username and password, which ESOE still wouldn't be able to get at
automatically. (If it were able to retrieve this data from your OS, I would
consider that a gaping security hole.)
The authentication method we use for "True" SSO is called SPNEGO, and we use
the Kerberos variant of this method (as opposed to NTLM).
People have had some success by installing krb5 and configuring
/etc/krb5.conf to authenticate against AD, though we haven't documented
this procedure yet.
Regards,
Shaun Mangelsdorf
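The Kerberos-versus-NTLM distinction Shaun draws is visible in the token a browser sends in its Authorization: Negotiate header, and a service that only trusts the Kerberos variant can check for it before doing anything else. The following classifier is an added example, not ESOE code: the function and constant names are my own, and the sample tokens are hand-built minimal DER rather than captured traffic.

```python
import base64
OID_SPNEGO, OID_NTLMSSP = "1.3.6.1.5.5.2", "1.3.6.1.4.1.311.2.2.10"  # RFC 4178 / MS-NLMP
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # RFC 4121 + MS legacy
# Sample header tokens, constructed by hand as minimal DER (not captured traffic).
_b64 = lambda hexstr: base64.b64encode(bytes.fromhex(hexstr)).decode()
SAMPLE_KRB5 = _b64("6011 0609 2a864886f712010202 0100 deadbeef")  # bare Kerberos token
SAMPLE_SPNEGO_KRB = _b64("6032 0606 2b0601050502 a028 3026 a024 3022 0609 2a864882f712"
    "010202 0609 2a864886f712010202 060a 2b06010401823702020a")  # offers Kerberos + NTLM
SAMPLE_SPNEGO_NTLM = _b64("601c 0606 2b0601050502 a012 3010 a00e 300c 060a 2b06010401823702020a")
def _tlv(buf, pos):  # DER element at buf[pos] -> (tag, content, end position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form, e.g. "60 82 xx xx"
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _oid(content):  # DER OID content bytes -> dotted string
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def classify_negotiate(b64):
    """Classify a base64 'Authorization: Negotiate' token by the mechanism it carries."""
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):             # raw NTLM, no GSS framing at all
            return "ntlm"
        tag, body, _ = _tlv(tok, 0)                    # [APPLICATION 0] InitialContextToken
        oid_tag, oid, pos = _tlv(body, 0)              # thisMech OID
        if (tag, oid_tag) == (0x60, 0x06) and _oid(oid) in KERBEROS_OIDS:
            return "kerberos"
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
        neg_tag, neg, _ = _tlv(body, pos)
        if (tag, oid_tag, neg_tag) != (0x60, 0x06, 0xA0) or _oid(oid) != OID_SPNEGO:
            raise ValueError("not a SPNEGO NegTokenInit")
        _, oids, _ = _tlv(_tlv(_tlv(neg, 0)[1], 0)[1], 0)
        offered, p = set(), 0
        while p < len(oids):
            _, o, p = _tlv(oids, p)
            offered.add(_oid(o))
    except (ValueError, IndexError):                   # bad base64 or bad DER
        return "malformed"
    if offered & KERBEROS_OIDS:
        return "spnego-kerberos"
    return "spnego-ntlm-only" if OID_NTLMSSP in offered else "malformed"
```

A Kerberos-only deployment would accept "kerberos" and "spnego-kerberos" and answer everything else with 401 rather than letting the exchange fall back to NTLM.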