Single Sign On

Christopher Chan christopher.chan at bradbury.edu.hk
Tue Sep 21 12:58:17 UTC 2010


>>> I've been watching "FreeIPA" on fedora:
>>> http://freeipa.org/page/Downloads
>>> I'm considering using Fedora and FreeIPA.
>> If you like to have to reinstall/upgrade every six months or so, be my
>> guest.
> 
> Hmm.. that doesn't sound like fun!

Nope. Unless you have infrastructure to perform automatic 
upgrades/installation (I had a PXE env when I was managing a few score 
servers) and setups conducive to such automation.


>>
>>> It's a little overwhelming to me right now, but I would like to
>>> eventually grasp all of it.
>>>
>> I would like to get it completely working.
>>
> 
> Thank you Christopher.  Do you upgrade to each Ubuntu? Or do you stay 
> with the LTSes?  Do you have Kerberos? LDAP? What file system are you 
> using and what permissions are you using?

I only have one server setup with Ubuntu and it runs Hardy and the squid 
mentioned in my previous post. The desktops are mostly Windows and some 
Mac OS X desktops. I, of course, use an Ubuntu desktop although I was 
previously using OpenSolaris. With Windows desktops, of course, I 
have an Active Directory env, so you can guess where Kerberos and LDAP 
come into play. No need for FreeIPA due to Active Directory. Samba is 
used for file serving on OpenSolaris boxes using ZFS and ZFS's NFSv4 ACLs, 
which are pretty much identical to NTFS ACLs.


> 
> Do you have RADIUS involved?

Yes. I do have RADIUS involved. It handles authentication for the 
wireless-n network.


> 
> Can you tell me about your setup?

Active Directory. Everything plugs into it as necessary. Just missing 
the squid part at the moment. 800+ users, 300+ client boxes.


> 
> I work for a restaurant with about 70 employees, roughly 20 of them 
> require user accounts.  Eventually all 70 people will have accounts, but 
> for now only the managers/co-owners do.  We just switched from a 
> one-account Windows box that automatically logged on to a multi-user LTSP 
> setup with 4 clients right now, but several more are in the pipeline.
> 
> Currently, the only things they have accounts for are to access the 
> filesystem and email.  Eventually though, they will be logging into a 
> web content manager to update our website (Joomla at this time, maybe 
> Drupal), a point-of-sale system (OpenBravoPOS maybe), an ERP type program 
> (OpenBravo ERP maybe), hopefully at least.

OOoohh, nice. I have a side project for my sister with Drupal, UberCart, 
UberPOS.


> 
> I do plan on following PCI-DSS compliance when deployment happens, which 
> means (among many things) that we'll have to change our passwords every 
> 90 days... I haven't told anyone about this yet because I'm already the 
> bad guy because I gave them all logins and passwords and they don't have 
> the auto-logged-in shared account.  I have to ease them into this with 
> baby steps.  I'm not a bad guy, but once we get used to logging in with 
> our accounts individually first, we'll go the next step to changing 
> passwords every 90 days (also the password history can't be
> redundant for the past 4 passwords).

Ouch. That particular draconian password policy was collectively shot 
down by all schools over here with respect to the shared systems that 
all schools use, and you bet locally it will be ignored.


> 
> If there are going to be at least 5 systems that will need to be logged 
> into in the future, and password changes happening every 90 days... it's going 
> to be a disaster without SSO. I want to get SSO to work before I adhere 
> to PCI-DSS, so people don't hate me forever.

Oh, you certainly want that... When I started here, I had over three 
usernames and their associated passwords to remember, as did the kids 
/teachers, due to the way the previous admin had done things. Needless to 
say, I quickly cut down on the number of usernames the kids/teachers had 
to remember.



> 
> I worked in a computer-oriented place prior, and we had systems with 
> different accounts and different password-changing intervals. It was a 
> headache to keep up with it, but it wasn't necessarily a disaster, 

Okay...for you and me yes.


> mainly because people were more patient with the computers and there was 
> a dedicated help desk.  I think after I left they adopted an SSO system, 
> at least there was talk about it on the horizon when I was still there.

SSO rules. When it works.


> 
> I'm afraid/anxious to even jump into testing it.  I'm such a wimp.  We 
> did use Kerberos in my old job and getting used to tokens was a little 
> weird!  (but fun in the dorky sense)

Just make sure your stuff is Kerberos-enabled after you get the 
Kerberos/LDAP sorted out. Over here, Windows does it for me for IE and 
file sharing on the client side, plus FrontMotion Firefox, so I really 
just need to plug squid into things.
