single sign on



I am interested in the feasibility of basing single sign-on on LDAP.

We have a bunch of password realms on campus and I would like to cut them down
some if I can.  Administrative types use NT 4 and will use Windows 2000.  We
have UNIX systems.  We also have Novell 5, Oracle, and VMS.

I might be able to handle Oracle and VMS if I export from LDAP to Kerberos, I
guess.  We don't use Kerberos, but are considering it.  Since LDAP and Kerberos
are open, I expect I could write something to sync Kerberos from LDAP, under
the assumption that LDAP was the master of passwords.  Maybe this is backwards
in the case of Kerberos security, but I was assuming that LDAP would be the
master store of passwords.

Kerberos might handle UNIX (I like this better than NIS) and Oracle and VMS,
which is certainly a good start.

I have read that Microsoft, bless their non-monopolistic hearts, had deigned to
be Kerberos servers, but will not interoperate as anybody else's Kerberos
client.  That means Kerberos will not help the NT situation, unless I program
the LDAP->Kerberos copy on NT and have the NT box be the Kerberos server.  NT
is a total mystery to me; I have no idea how to handle that.

I have seen in iPlanet that they have some sort of NT synchronizer and a
Sun-only NIS solution among their packages.  The NIS part might be moot, if I
do the work of dealing with Kerberos.

Novell, also, seems to be out in the cold.  Their software is, like NT,
unwilling to interoperate.

I have looked into the OpenLDAP FAQ, and maybe I have missed stuff, but it
looks like none of this sort of thing is documented on the site.

Does anyone offer, free or otherwise, password synchronizing solutions (one way
sync is just fine with me, I would just as soon everybody had to use LDAP to
change their passwords) for:

LDAP to	NT 4
	Windows 2000
	UNIX passwd
	Kerberos
	Novell Netware 5

If nobody has anything in those realms, I guess I may have to get iPlanet, to
get the NT synchronizer, and develop something for Kerberos by my own devices,
which should cover everything but Novell.  I listed UNIX passwd above, since
that might be a model for Kerberos, and might be a short term help since we
have not yet stepped to Kerberos.
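
A sketch of the "LDAP is the master, sync one way" agent the post describes, added here as an example; it is not code from the original post or from OpenLDAP, iPlanet or MIT Kerberos. It assumes password changes reach the agent as LDIF modify records, that the uid RDN of the entry is the account name in every realm, and that the KDC is MIT Kerberos with kadmin.local on it; the sample LDIF, the accounts jdoe and asmith and the realm EXAMPLE.EDU are constructed. The point worth making explicit before designing any of this: a stored hash ({SSHA} in the directory, crypt in /etc/shadow, a Kerberos key) cannot be converted into another realm's format, so a one-way sync has to hook the password change while the cleartext is still in hand, and whatever component captures it becomes the most sensitive piece of the design.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: one plaintext password change and one base64-encoded
# change whose DN is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
changetype: modify
replace: userPassword
userPassword: correct horse battery staple
-

dn: uid=asmith,ou=People,
 dc=example,dc=edu
changetype: modify
replace: userPassword
userPassword:: VHIwdWI0ZG9yJjM=
-
"""


def parse_ldif_records(text):
    """Split LDIF into records of (attr, value) pairs: unfolds lines, decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif line != "-" and not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.append((name.strip(), value))
    return records


def dn_uid(dn):
    """Account name from a DN whose first RDN is uid=..."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "uid":
        raise ValueError("expected a uid RDN in %r" % dn)
    return value.strip()


def password_changes(text):
    """[(uid, new cleartext password)] for records that replace userPassword."""
    changes = []
    for record in parse_ldif_records(text):
        attrs = dict(record)              # enough for the single-valued attributes used here
        if (attrs.get("changetype") == "modify"
                and attrs.get("replace") == "userPassword" and "userPassword" in attrs):
            changes.append((dn_uid(attrs["dn"]), attrs["userPassword"]))
    return changes


def ssha_hash(password, salt=None):
    """{SSHA} userPassword as OpenLDAP/iPlanet store it; one-way, see ssha_verify."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Constant-time check of a cleartext password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    candidate = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return hmac.compare_digest(candidate, raw[:20])


def kadmin_change_password(uid, realm, password):
    """argv for MIT kadmin.local to reset the principal; returned, not run, so the
    example stays offline. -pw shows the password in ps output; prefer stdin in production."""
    return ["kadmin.local", "-q",
            "change_password -pw %s %s@%s" % (password, uid, realm)]


def plan_sync(ldif_text, realm, salt=None):
    """Dry-run fan-out per changed account: the {SSHA} value for an LDAP
    consumer and the kadmin command for the Kerberos realm."""
    return {uid: {"ssha": ssha_hash(pw, salt),
                  "kadmin": kadmin_change_password(uid, realm, pw)}
            for uid, pw in password_changes(ldif_text)}


if __name__ == "__main__":
    print(plan_sync(SAMPLE_LDIF, "EXAMPLE.EDU"))
```

Run as a script it prints the plan for the two constructed accounts. The kadmin argv is returned rather than executed so the example runs anywhere; an agent doing this for real would run it on the KDC itself, because the command carries the cleartext. NT, Windows 2000 and Novell are deliberately absent from the plan: they would need a hook on the password path of each of those systems, which is exactly what the post is asking about, and this example does not supply one.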