There is nothing per se wrong with the current LDAP authentication I have
just for identity and authentication.  Some security folks believe having
the hash stored in your LDAP tree is in itself a security problem but I'm
not so worried about that.

There are two problems though I am trying to solve and am looking for an
overall architecture.

Problem 1) NFSv4 is more secure with Kerberos, and since I use NFS
currently without Kerberos I'd like to use NFSv4 with Kerberos.  That would
mean though I need to integrate LDAP and Kerberos together to keep the same
level of authentication as today.

Problem 2) Samba4 as I am reading does not support Linux OpenLDAP/Kerberos
as its system for authentication due to incompatibilities in the way AD
was implemented.  So to get single sign on across multiple OS's I believe
I've read that having AD Samba4 is the way to support that which would
again require me to move away from just having LDAP storing the hash in the
tree.

I am also looking at web enabled applications that can use the single sign
on recommendation to perform identity and authentication.



On Tue, May 27, 2014 at 5:35 PM, Munir Nassar <tclug at beitsahour.net> wrote:

> what is wrong with LDAP authentication? in other words: what problem
> are you trying to solve?
>
> On Tue, May 27, 2014 at 5:28 PM, John Frisk <john.a.frisk at gmail.com>
> wrote:
> > Hello All,
> > I currently have an older ldap style installation for single sign on where I
> > use nss_ldapd for client authentication and identity. (i.e. password stored
> > in hash directly in slapd)
> >
> > I am looking at doing either one of two styles in the future:
> > 1) Set up samba4 as an AD DC and keep the users for single sign on in there
> >
> > 2) Set up ldap/kerberos installation on ubuntu to have an updated
> > environment from above.
> >
> > My question is what are people using these days?  Obviously the Active
> > Directory solution is probably what a lot of enterprises are doing, but I
> > have mostly Linux VM's and machines with only one Win7 installation. What
> > recommendations do you guys have?  Also, what is easier for web technologies
> > to use for web-enabled apps?
> >
> > _______________________________________________
> > TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> > tclug-list at mn-linux.org
> > http://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >