LinuxQuestions.org


vvandam 07-21-2003 01:12 AM

Single Sign-On help
 
Hi to all.


I would like to set up Linux to use a Single Sign-On authentication process for all areas where authentication is used. I do not want to maintain 2+ user and password databases for my authentication.

I need to know what is recommended for a Single Sign-On for say... Apache, Squid, SAMBA, and Linux itself?

Thanx guys and gals

:cool: :cool: :cool:

Thoreau 07-21-2003 01:41 AM

"I would like to set up Linux to use a Single Sign-On authentication process for all areas where authentication is used. I do not want to maintain 2+ user and password databases for my authentication."

Single sign on means that you maintain a password database that grants access to applications/processes that the single sign on is privileged to access.

If you don't want to maintain the database, then you can't do single sign on for very long. If you were to maintain the database/server then you would be using LDAP as an authentication point. If you are in a Windows environment, you would set up samba/ldap authentication to the PDC (your Linux box).

Samba/CIFS is the LAN protocol used for filesharing with Windows machines. LDAP is what controls access privileges similar to Active Directory for Windows. Apache is what serves web pages. Squid is what caches web pages to conserve bandwidth and filter content. The only relation between them would be Webmin administration. Other than that, they have nothing to do with the other.

vvandam 07-21-2003 01:52 AM

Ok. Would I still need to create two users when I create a user for Samba?

This is what I want to prevent. I want to create one user and password that will be able to access my Linux server, connect to my Samba shares, use my Squid authentication onto the internet and authenticate to Apache for access to certain web content in a local intranet web site.

I need to create one user account per user in the company.

Thoreau 07-21-2003 02:16 AM

You can use PAM, which is the standard linux MD5 shadow password file. Just adduser MonkeyHo.

Samba can use PAM to authenticate users. You can set the same username and password for squid authentication if you wish.

Squid can also use PAM, but you would need to configure the proxy port number for each station. Unless you don't bother with authentication and do transparent squid proxy caching (it doesn't hurt anything to cache). Squid routing is controlled by routing ipness, not by a login name. You have to specify which class C or IP gets to have the internet by IP only.

And if you want to authenticate to a web page, you can surely do that, again with PAM. I don't know why you would want to do that, but that's your business.

And so, you can have your user log in to a web page/samba/PAM with the same password as they all use PAM. The routing of internet web pages is not, though, controlled by login, but by location (IP). The iptables/shorewall configuration on your proxy server/firewall cannot be dynamically configured depending on who logs into a client box that has nothing to do with it. That's not what proxy servers do.

You can set up rules for authentication to proxy, but that again is done by location since you have to type the l/p into every browser you want to give access to. And so it's a moot issue since you can just block their IP or Class.

vvandam 07-21-2003 02:40 AM

You said 'Just adduser MonkeyHo'

Is that an example?

Thoreau 07-21-2003 02:58 AM

Yes, as root pick a name.. user, for instance

adduser user

This can also be done via linuxconf or webmin or whathaveyou.

davee 07-21-2003 05:23 AM

For samba, connecting to a remote (NT) server, does this mean that the entry in the fstab doesn't need a password defined if the user is a legitimate logged on linux username?

eg:

//server/share /mnt/share smbfs auto,username=user 0 0

rather than:

//server/share /mnt/share smbfs auto,username=user,password=password 0 0

Dave
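
An added example, not part of the thread or written by any poster: /etc/fstab is normally world-readable, so the second fstab form above exposes the share password to every local user. The shell function below scans an fstab-format file for smbfs/cifs entries that carry an inline `password=` option and reports the line, device and mount point without echoing the password. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag smbfs/cifs fstab entries that embed a password in the
# options field. Function names and sample data are hypothetical.

# find_fstab_inline_passwords FILE
# Prints "line N: DEVICE on MOUNTPOINT" for each offending entry, never the
# password itself. Returns 1 if any entry was flagged, 0 otherwise.
find_fstab_inline_passwords() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $3 == "smbfs" || $3 == "cifs" {
            n = split($4, opts, ",")       # 4th field is the option list
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^password=/) {
                    printf "line %d: %s on %s\n", NR, $1, $2
                    found = 1
                    break
                }
            }
        }
        END { exit (found + 0) }
    ' "$1"
}

# write_sample_fstab FILE
# Writes a constructed sample modelled on the two forms in the post above.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab
/dev/hda1       /           ext3   defaults                              1 1
//server/share  /mnt/share  smbfs  auto,username=user                    0 0
//server/docs   /mnt/docs   smbfs  auto,username=user,password=password  0 0
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
find_fstab_inline_passwords "$sample" || echo "inline password(s) found"
rm -f "$sample"
```

The smbfs and cifs mount helpers also accept a `credentials=` option naming a file that can be made readable by root only, which keeps the password out of fstab.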


All times are GMT -5.