[SATLUG] RE: kerberos

Justizin justizin at siggraph.org
Fri Dec 1 14:24:12 CST 2006


On 12/1/06, David Kowis <dkowis at shlrm.org> wrote:

>
> In a huge community kerberos will help. It provides standard
> authentication mechanisms for any number of things. You'll have to do
> coding no matter what for applications that don't have kerberos support
> either optional or built in. But for a Single Sign on type thing
> kerberos will do well. Or if you need to authenticate over an unsafe medium.
>

Hm..

Looking at what Columbia does here:

  http://www.columbia.edu/acis/sy/unixdev/tekiki/web-auth.html

I'll probably have to end up going this route.  It already felt like I
should use kerberos, but maybe allow for direct LDAP auth with hashes
so that other apps can get to it.  We also currently have something
sort of like WIND for all systems which comply with the login policy.
This ensures that people see everything ACM Legal wants them to before
having any sort of privileged access to servers.  Plone will probably
become the "de facto" login like Columbia's "WIND", and I know of some
people, the FSF being one, doing work to share login cookies and/or
sessions between Plone and other apps like MediaWiki.

I was hoping it wouldn't come to this - instead of choosing an
authentication solution, using everything possible, but I suppose once
you think about it, it makes sense.

It's probably not going to hurt my pocketbook to start getting to know
PAM, nsswitch, LDAP, and KRB5 better. ;)

-- 
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/

