
RE: SSO possible with web apps?

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of

> You might consider Kerberos - SASL - on the openldap authentication.

Kerberos is certainly an appropriate solution, but I don't think it works too
well for this through SASL. As has already been pointed out on this thread,
there are two separate layers of authentication involved - first, the browser
to the web server, and second, the web server to the application, on behalf
of the browser.

To do this with Kerberos requires the use of forwardable tickets, and I don't
believe SASL/GSSAPI provides any way to request forwardable tickets.

No matter what approach you use, the web server must maintain a cache of
users' credentials to be handed off to each of the target applications. This
is a pain to implement with typical Apache servers since Apache uses a
separate process for every HTTP request. You can't just create some state
info in one process and re-use it automatically, because your next request
will most likely be handled by a different process. If you're using perl,
there are some nice Session management modules that use shared memory to
overcome this problem. With EmbPerl this detail is handled transparently.

The problem being discussed here is one of web server design, and has little
to do with OpenLDAP. Further discussion belongs in some other forum, one
dedicated to web application design issues.

I'll give you one hint for free - this is easier to do with cookies than with
any other approach.

> Then - using the same Kerberos keys - a Kerberos enabled browser (I believe
> Netscape can be Kerberos enabled) - would be able to authenticate web pages
> to the Kerberos server.
>
> I don't know how well this works in practice - or for your environment - but
> it is the path my previous employer was following - and that I am planning
> on heading down.
> -john

> Milan Andric <mandric@EECS.Berkeley.EDU> on 04/30/2003 12:39:28 PM
>
> To:   Bob Boyken <bob@boyken.org>
> cc:   openldap-software@OpenLDAP.org (bcc: John J. der Schalla
>       Marquart/Planalytics)
> Subject:  Re: SSO possible with web apps?
>
> Bob,
> In HTTP authentication there is something called realms that helps with this
> problem. I don't know how it applies to various applications though, and it
> is probably independent of OpenLDAP?
> Milan
> On Tue, 29 Apr 2003, Bob Boyken wrote:
> > Date: Tue, 29 Apr 2003 11:47:45 -0500
> > From: Bob Boyken <bob@boyken.org>
> > To: openldap-software@OpenLDAP.org
> > Subject: SSO possible with web apps?
> >
> > Forgive me if this has been previously addressed.  I am new to this list
> > and fairly new to OpenLDAP.
> >
> > Here is my situation.  In our company, we have multiple open source web
> > applications that we use.  Some are web apps that are under active
> > development by others (like Metadot and Mantis), and some we have developed
> > in-house in PHP or Perl.  Each is capable of using an LDAP server for
> > authentication.  The web apps are running on 3 different Apache servers.
> > We're not running any J2EE or anything like that.  Just simple mod_perl and
> > mod_php apps.
> >
> > However, each user has to retype his user_id and password for each
> > application.  My boss would like to have things set up in such a way that
> > when a user logs into one application and is authenticated against the
> > common LDAP server, they won't need to retype their user_id and password
> > for any of the other applications.
> >
> > My statement to him was: I DON'T KNOW HOW TO DO THAT.  My question to you:
> > Is this even possible?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
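The cookie-keyed, cross-process session cache described in the reply above, as an added Python example that is not part of this thread or of OpenLDAP: one worker process handles the login and records the session in a store every process can open (a SQLite file standing in for the shared-memory session modules mentioned), handing back an HMAC-signed cookie that a different process then resolves on the "next request"; a tampered cookie resolves to nothing. The secret key, database path and user name are constructed placeholders.

```python
import hashlib, hmac, os, secrets, sqlite3, tempfile
from multiprocessing import Process, Queue

SECRET = b"constructed-demo-key"   # placeholder; a real deployment loads this from config
DB_PATH = os.path.join(tempfile.mkdtemp(), "sessions.db")  # shared store reachable by every worker

def init_store(path=DB_PATH):
    with sqlite3.connect(path) as db:
        db.execute("CREATE TABLE IF NOT EXISTS sessions (sid TEXT PRIMARY KEY, user TEXT)")

def sign(sid, secret=SECRET):
    """Cookie value = random session id + HMAC, so a client cannot mint or alter one."""
    return sid + "." + hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()

def verify(cookie, secret=SECRET):
    """Return the session id if the cookie's MAC checks out, else None."""
    sid, _, mac = cookie.partition(".")
    expected = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac, expected) else None

def login(user, path=DB_PATH):
    """Request 1 (worker A): after authenticating, cache the identity server-side."""
    sid = secrets.token_hex(16)
    with sqlite3.connect(path) as db:
        db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, user))
    return sign(sid)

def whoami(cookie, path=DB_PATH):
    """Request 2 (worker B): map the cookie back to the cached identity, or None."""
    sid = verify(cookie)
    if sid is None:
        return None
    with sqlite3.connect(path) as db:
        row = db.execute("SELECT user FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None

def _worker(q, path):
    q.put(login("alice", path))   # constructed user name

def demo(path=DB_PATH):
    """Log in from a child process; resolve the session from the parent process."""
    init_store(path)
    q = Queue()
    p = Process(target=_worker, args=(q, path))
    p.start()
    cookie = q.get()
    p.join()
    return whoami(cookie, path), whoami(cookie[:-1] + "x", path)

if __name__ == "__main__":
    print(demo())   # ('alice', None)
```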