
RE: SSO possible with web apps?

--On Wednesday, April 30, 2003 1:47 PM -0700 Howard Chu <hyc@highlandsun.com> wrote:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> > jmarquart@planalytics.com
> >
> > You might consider Kerberos - SASL - on the openldap authentication.
>
> Kerberos is certainly an appropriate solution, but I don't think it works
> too well for this through SASL. As has already been pointed out on this
> thread, there are two separate layers of authentication involved - first,
> the browser to the web server, and second, the web server to the
> application, on behalf of the browser.
>
> To do this with Kerberos requires the use of forwardable tickets, and I
> don't believe SASL/GSSAPI provides any way to request forwardable tickets.
>
> No matter what approach you use, the web server must maintain a cache of
> users' credentials to be handed off to each of the target applications.
> This is a pain to implement with typical Apache servers since Apache uses
> a separate process for every HTTP request. You can't just create some
> state info in one process and re-use it automatically, because your next
> request will most likely be handled by a different process. If you're
> using perl, there are some nice Session management modules that use
> shared memory to overcome this problem. With EmbPerl this detail is
> handled transparently.
>
> The problem being discussed here is one of web server design, and has
> little to do with OpenLDAP. Further discussion belongs in some other
> forum, one dedicated to web application design issues.
>
> I'll give you one hint for free - this is easier to do with cookies than
> with any other approach.

You may be interested in looking at Stanford's solution at:

http://webauthv3.stanford.edu/

It implements a WebKDC for Kerberos, among other useful features. It also
has the capability to use SASL/GSSAPI into OpenLDAP. The product listed
there today is Beta, tomorrow is the official release date of the
production Webauth product.

--Quanah


-- 
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
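The design point in Howard Chu's message (the web server holds the user's
credential server-side, the browser only ever gets an opaque cookie, and
the store must be visible to every worker process, not just the one that
handled the login) as an added Python example. This is not code from the
original thread, from Howard Chu, or from Stanford's WebAuth. It uses an
SQLite file as a stand-in for the shared-memory session store the mail
mentions; the cookie name `sso_sid`, the function names and the
"ticket" blob are all constructed for the illustration.

```python
"""Cross-process session/credential cache for a web SSO front end.

Two separate CredentialCache objects opened on the same file play the
role of two Apache worker processes: the login is handled by one, the
next request by the other, and the second still finds the credential
because the state lives in the shared store rather than in a process.
"""
import os
import secrets
import sqlite3
import tempfile
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sso_sid"  # assumed cookie name, not from the thread


class CredentialCache:
    """Opaque session id -> (user, credential held on the user's behalf).

    SQLite stands in for shared memory: every worker opens the same
    file, so a session created by one worker is visible to all of them.
    """

    def __init__(self, path, ttl=3600):
        self.path = path
        self.ttl = ttl
        with self._db() as db:
            db.execute(
                "CREATE TABLE IF NOT EXISTS sessions ("
                "sid TEXT PRIMARY KEY, user TEXT NOT NULL, "
                "cred BLOB NOT NULL, expires REAL NOT NULL)"
            )

    def _db(self):
        # A fresh connection per call: the file is shared between
        # workers, an open sqlite3 connection is not.
        return sqlite3.connect(self.path, timeout=5)

    def create(self, user, cred):
        """Store the credential and return the id handed to the browser."""
        sid = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        with self._db() as db:
            db.execute(
                "INSERT INTO sessions VALUES (?, ?, ?, ?)",
                (sid, user, cred, time.time() + self.ttl),
            )
        return sid

    def lookup(self, sid):
        """Return (user, cred) for a live session, else None."""
        with self._db() as db:
            row = db.execute(
                "SELECT user, cred, expires FROM sessions WHERE sid = ?",
                (sid,),
            ).fetchone()
        if row is None or row[2] <= time.time():  # unknown or expired
            return None
        return row[0], bytes(row[1])

    def destroy(self, sid):
        """Logout: forget the credential on the server side."""
        with self._db() as db:
            db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))


def new_store_path():
    """Fresh store for a demo; in production every worker is configured
    with one fixed path (or a real shared-memory segment)."""
    return os.path.join(tempfile.mkdtemp(), "sessions.db")


def login(cache, user, cred):
    """Layer one is done (browser authenticated to the web server); cache
    the credential for layer two and build the Set-Cookie header, which
    carries only the session id, never the credential itself."""
    sid = cache.create(user, cred)
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["httponly"] = True   # keep it away from page scripts
    c[COOKIE_NAME]["secure"] = True     # TLS only
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["samesite"] = "Lax"
    return sid, c[COOKIE_NAME].OutputString()


def handle_request(cache, cookie_header):
    """What any worker does on a later request: read the cookie, look the
    id up in the shared cache, and recover the cached credential."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(COOKIE_NAME)
    if morsel is None:
        return None
    return cache.lookup(morsel.value)


if __name__ == "__main__":
    path = new_store_path()
    worker_a = CredentialCache(path)
    worker_b = CredentialCache(path)  # a second worker, same store
    sid, header = login(worker_a, "alice", b"constructed-ticket-blob")
    print("Set-Cookie:", header)
    print("worker B sees:", handle_request(worker_b, COOKIE_NAME + "=" + sid))
```

The credential never leaves the server; what the browser holds is a
random key into the shared table, which is why the cookie approach is
the easy one: the per-request process only needs the id and the store.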