LinuxQuestions.org
Old 05-15-2010, 03:13 AM   #1
yasir453
single sign on


Dear Sir;
I want to discuss one thing.
Currently we are working in a multiple-authentication environment where each service, like the library server, web server, IT help desk server and LMS, requires a separate authentication system.
For this purpose we are using Active Directory and OpenLDAP.

Now we want to shift it to a single sign-on environment where the user authenticates once and he/she can utilize all services.
Sir, how is it possible, and which authentication service can do it? Currently I am studying open source directory structure.
 
Old 05-15-2010, 06:03 AM   #2
ilikejam
Hi.

A Kerberos server is what you need, along with Kerberos-enabled logins etc. OpenSSH can talk to Kerberos, as can a lot of other stuff.

Active Directory uses (a modified?) version of Kerberos, so you might already have the infrastructure in place.

Dave
 
Old 05-15-2010, 08:49 AM   #3
TB0ne
Or you could use LDAP, which many corporate environments use. In my opinion, it's more robust, since LDAP support is in a LOT of applications, OSes, and devices. You can even integrate a single sudoers file with LDAP.
 
Old 05-15-2010, 10:27 AM   #4
thecarpy
Quote:
Or you could use LDAP, which many corporate environments use. In my opinion, it's more robust, since LDAP support is in a LOT of applications, OSes, and devices. You can even integrate a single sudoers file with LDAP.
TB0ne, single sign-on means you authenticate once. LDAP cannot do that as such, you need a token system, where you authenticate and receive a token which automatically authenticates you from then on. Kerberos is a solution. Besides, AD can act as LDAP.

@yasir453, check this one out: http://www.wlug.org.nz/ActiveDirectoryKerberos

 
Old 05-15-2010, 10:42 AM   #5
TB0ne
Quote:
Originally Posted by thecarpy
TB0ne, single sign-on means you authenticate once. LDAP cannot do that as such, you need a token system, where you authenticate and receive a token which automatically authenticates you from then on. Kerberos is a solution. Besides, AD can act as LDAP.

@yasir453, check this one out: http://www.wlug.org.nz/ActiveDirectoryKerberos
Sorry, LDAP is very frequently used as a single sign-on system, and is used as such. At the past two (rather large) corporations I worked at, that was the ONLY method of sign-on, and handled everything, from printers to workstations, and pushed applications. LDAP can also include Kerberos back-ends, and tie in with other methods of authentication, too.
http://en.wikipedia.org/wiki/Lightwe...ccess_Protocol

Active Directory is Windows based:
http://en.wikipedia.org/wiki/Active_Directory

You CAN hook Linux/Unix boxes into AD, but it certainly doesn't work very well.
 
Old 05-15-2010, 10:57 AM   #6
Blue_Ice
Quote:
Originally Posted by TB0ne
Sorry, LDAP is very frequently used as a single sign-on system, and is used as such. At the past two (rather large) corporations I worked at, that was the ONLY method of sign-on, and handled everything, from printers to workstations, and pushed applications. LDAP can also include Kerberos back-ends, and tie in with other methods of authentication, too.
http://en.wikipedia.org/wiki/Lightwe...ccess_Protocol

Active Directory is Windows based:
http://en.wikipedia.org/wiki/Active_Directory

You CAN hook Linux/Unix boxes into AD, but it certainly doesn't work very well.
LDAP alone cannot be used as single sign-on. LDAP is just a hierarchical database instead of a relational database. However, if you configure LDAP with Kerberos, like it is done in Active Directory, then you are able to create a single sign-on system. Kerberos creates a ticket, which will work instead of a username and password combination. LDAP does not create such a ticket; therefore, in environments where there is only LDAP, you will always have to authenticate with your username and password over and over again.
 
1 members found this post helpful.
Old 05-15-2010, 11:34 AM   #7
TB0ne
Quote:
Originally Posted by Blue_Ice
LDAP alone cannot be used as single sign-on. LDAP is just a hierarchical database instead of a relational database. However, if you configure LDAP with Kerberos, like it is done in Active Directory, then you are able to create a single sign-on system. Kerberos creates a ticket, which will work instead of a username and password combination. LDAP does not create such a ticket; therefore, in environments where there is only LDAP, you will always have to authenticate with your username and password over and over again.
Yes, but I think the problem in this thread is the difference between "authentication" and "authorization", at least in my mind.

LDAP with Kerberos back-end does both. LDAP alone can TELL another application (anything...login client, web page, etc.), what a given user is ALLOWED to access, but doesn't actually authenticate the user.
 
1 members found this post helpful.
Old 05-15-2010, 11:46 AM   #8
Blue_Ice
Quote:
Originally Posted by TB0ne
Yes, but I think the problem in this thread is the difference between "authentication" and "authorization", at least in my mind.

LDAP with Kerberos back-end does both. LDAP alone can TELL another application (anything...login client, web page, etc.), what a given user is ALLOWED to access, but doesn't actually authenticate the user.
I think the OP is pretty clear about what he wants. The subject of the thread clearly states single sign-on, which means log on once and you don't need to bother about anything any more. To accomplish this, LDAP alone will not be sufficient. So he needs Kerberos as well. On Linux this means you need a directory server combined with a Kerberos implementation, and on Windows Active Directory.
 
1 members found this post helpful.
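Posts #6 and #8 above rest on one point: a Kerberos ticket stands in for the username and password, while an LDAP bind has to carry the password to every service. What follows is an added example, not code from this thread or from any Kerberos or LDAP implementation. It is a toy model in Python of that difference: a directory that answers simple binds and holds group membership, a KDC that checks the password once (pre-authentication), issues a ticket-granting ticket and then mints a per-service ticket from it, and services that verify tickets, refuse a replayed authenticator and refuse an expired TGT. Every name (yasir, library, webserver, helpdesk), the password, the ticket lifetime and the clock values are constructed; tickets are sealed with HMAC-SHA256 for integrity only, where real Kerberos encrypts them, there is no ASN.1 or wire format, and PBKDF2 stands in for Kerberos' own string-to-key step.

```python
import hashlib
import hmac
import json
import secrets
SKEW = 300  # max authenticator age in seconds (constructed policy value)

def derive_key(password, salt):
    # Stand-in for Kerberos string2key: password -> principal key (toy; PBKDF2 is not what Kerberos uses).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000)

def seal(key, payload):
    # MAC a JSON payload under key. Real Kerberos also encrypts tickets; this toy only authenticates them.
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key, blob):
    # Verify the MAC and return the payload; a wrong key raises PermissionError.
    body = bytes.fromhex(blob["body"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), blob["mac"]):
        raise PermissionError("integrity check failed")
    return json.loads(body)

def check_authenticator(session_hex, authenticator, cname, now):
    # Authenticator = {cname, ts} sealed with the ticket's session key: proves possession of that key.
    a = unseal(bytes.fromhex(session_hex), authenticator)
    if a["cname"] != cname or abs(now - a["ts"]) > SKEW:
        raise PermissionError("bad authenticator")
    return a

class Directory:  # LDAP side: principal keys plus group membership (the authorization data)
    def __init__(self):
        self.entries, self.bind_count = {}, 0
    def add(self, principal, password, groups=()):
        self.entries[principal] = {"key": derive_key(password, principal), "groups": sorted(groups)}
    def simple_bind(self, principal, password):
        self.bind_count += 1  # LDAP simple bind: the password itself is presented on every call
        e = self.entries.get(principal)
        return e is not None and hmac.compare_digest(e["key"], derive_key(password, principal))

class Kdc:  # Kerberos side: the AS exchange issues a TGT, the TGS exchange issues service tickets
    def __init__(self, directory, lifetime=8 * 3600):
        self.dir, self.tgt_key, self.lifetime = directory, secrets.token_bytes(32), lifetime
    def as_exchange(self, principal, preauth, now):
        key = self.dir.entries[principal]["key"]
        if abs(now - unseal(key, preauth)["ts"]) > SKEW:  # pre-authentication by sealed timestamp
            raise PermissionError("stale pre-authentication")
        session = secrets.token_hex(16)
        tgt = seal(self.tgt_key, {"cname": principal, "session": session, "exp": now + self.lifetime})
        return tgt, seal(key, {"session": session})
    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.tgt_key, tgt)  # no password here: the TGT and its session key are the proof
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        check_authenticator(t["session"], authenticator, t["cname"], now)
        svc = secrets.token_hex(16)
        ticket = seal(self.dir.entries[service]["key"], {"cname": t["cname"], "session": svc, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc})

class Service:  # a kerberized service (library, web server, ...); it never sees the user's password
    def __init__(self, name, directory):
        self.name, self.dir, self.seen = name, directory, set()  # seen: replay cache
    def accept(self, ticket, authenticator, now):
        t = unseal(self.dir.entries[self.name]["key"], ticket)
        if now > t["exp"]:
            raise PermissionError("service ticket expired")
        a = check_authenticator(t["session"], authenticator, t["cname"], now)
        if (a["cname"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["cname"], a["ts"]))
        return t["cname"], self.dir.entries[t["cname"]]["groups"]  # authn from ticket, authz from directory

class Client:
    def __init__(self, principal, password):
        self.principal, self.key, self.password_uses = principal, derive_key(password, principal), 0
    def kinit(self, kdc, now):
        self.password_uses += 1  # the only step that uses the password
        self.tgt, blob = kdc.as_exchange(self.principal, seal(self.key, {"ts": now}), now)
        self.tgt_session = bytes.fromhex(unseal(self.key, blob)["session"])
    def use(self, kdc, service, now):
        auth = seal(self.tgt_session, {"cname": self.principal, "ts": now})
        ticket, blob = kdc.tgs_exchange(self.tgt, auth, service.name, now)
        svc_session = bytes.fromhex(unseal(self.tgt_session, blob)["session"])
        self.last = (ticket, seal(svc_session, {"cname": self.principal, "ts": now}))
        return service.accept(*self.last, now)

def demo(now=1_000_000):
    d = Directory()
    d.add("yasir", "correct horse", groups=["students", "library"])  # constructed user
    services = [Service(n, d) for n in ("library", "webserver", "helpdesk")]
    for s in services:
        d.add(s.name, secrets.token_hex(16))  # service keys, as a keytab would hold them
    kdc, c = Kdc(d), Client("yasir", "correct horse")
    ldap_ok, ldap_binds = all(d.simple_bind("yasir", "correct horse") for _ in services), d.bind_count  # 3 binds
    c.kinit(kdc, now)  # Kerberos: kinit once, then a ticket per service with no further password use
    logins = [c.use(kdc, s, now + i) for i, s in enumerate(services)]
    rejected = []
    for attempt in (lambda: services[-1].accept(*c.last, now + 3),            # replayed authenticator
                    lambda: c.use(kdc, services[0], now + kdc.lifetime + 1)):  # TGT past its lifetime
        try:
            attempt()
            rejected.append(False)
        except PermissionError:
            rejected.append(True)
    return {"ldap_ok": ldap_ok, "ldap_password_uses": ldap_binds,
            "krb_password_uses": c.password_uses, "ldap_binds_during_krb": d.bind_count - ldap_binds,
            "krb_logins": logins, "replay_rejected": rejected[0], "expired_rejected": rejected[1]}
```

Running `demo()` shows the LDAP-only path presenting the password three times (one bind per service) against a single password use in the Kerberos path, with zero binds during the ticket flow, and the replayed authenticator and the post-lifetime request both refused. In both paths the group membership returned to the service still comes from the directory, which is the authentication-versus-authorization split post #7 points at: the ticket proves who the user is, the directory says what they may do.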
  

