Can we build an SSO solution with OpenLDAP only? Or does SSO need at least OpenLDAP + Kerberos (or something similar)? If OpenLDAP is OK, how can we get the credentials of the current user to be authenticated by other applications through the LDAP API? Is there any C++ API?
Which operating systems and applications will require SSO? – Mike Pennington Jun 28 '11 at 03:26
A SOA middleware in Linux. Can SSH or Apache do this? – Da Ma Jun 28 '11 at 03:38
You're asking a couple of different questions here... Please see: http://serverfault.com/questions/145948/sso-solution-and-centralized-user-mgmt-for-about-10-30-ubuntu-machines (for the bulk of your question) and http://stackoverflow.com/questions/2670640/ldap-c-api-choice and http://stackoverflow.com/questions/1961012/user-management-api for the last. – Shog9 Jun 28 '11 at 04:23
@Shog9, thank you very much. It's also useful to me. – Da Ma Jun 28 '11 at 05:36
1 Answer
If by SSO you mean one password at the beginning of the day, and none until you leave, LDAP can't easily do that alone. It can help you consolidate passwords, so you only have to remember one (which is nice), but you still have to enter it repeatedly unless you do a lot of engineering on top of that.
Kerberos can actually do SSO. The caveat, in my opinion, is that applications need to support it specially to some degree.
As far as LDAP storing credentials for Kerberos, I'm not sure that that's a win. I suspect it would have to store the credentials in cleartext in order to be compatible with Kerberos (and it makes me nervous to have a service that is network accessible and contains cleartext passwords). It isn't clear to me how this is better than a Kerberos database storing the password.
Hopefully this helps. Also, my experience with Kerberos is from the sidelines; I've read a lot about it, but never actually used it.