From: Mario D. S. <md...@me...> - 2003-10-02 18:36:41
> [...] I have been unsuccessfully looking for a
> Deployment Guide / FAQs pertaining to MACS SSO. I would be thankful if
> you could point me to some resources.

There is some good information at http://macs.sf.net/docs/. The technical white paper would be especially enlightening. I'm afraid there aren't any very detailed HOWTOs, yet.

> As desired, here is a brief description of my actual network:
> [...]

I'm going to describe what I understand your network to be:

1. For logging into the Windows desktop, folks use their normal NT account on normal NT domain servers.
2. For reading mail, some folks use their normal NT account to access Exchange, while others use an LDAP-based account to access qmail.
3. For accessing your custom web apps, folks use a custom MySQL-based account.
4. For printing, some folks use a standalone NT server with local accounts, while others use a standalone Samba server, also with local accounts.

So there are 5 places where account information is stored: NT domain server, LDAP, MySQL, NT print server, and Samba print server. All these repositories need to be kept in sync. And there's no one place for users to manage their account(s) -- eg, change passwords, update addresses, etc.

The goal is to have a single place to manage account information, and to enable SSO as much as possible. Centralized management reduces the burden on you, the admin, while SSO reduces the burden on users.

> I hope this gives a brief idea of my network to you and would help you in
> solving my query.

The first step is to figure out if you need more than one user repository. Do all your users have NT accounts, for example, or LDAP accounts? If so, then all your authentication can happen against NT, or LDAP. If, for example, some webapp users have no accounts except in MySQL, we'll probably need to deploy support for multiple repositories. This is what I meant when I asked, "Where is the user information stored?" Is any one source of user information enough?

Once we know which source(s) we need to support, we can get that set up.

The second step is to add support for actual applications. The Apache-based webapps are probably easiest. See http://macs.sf.net/docs/apxs/ for details on configuring the Apache module. (And feel free to post specific questions here!) You can probably have true, fully transparent SSO between all your webapps without too much hassle.

Setting up other applications is complicated by the fact that we've not built support yet for everything we'd like to. Qmail, for example, would require an auth module. Also, depending on the details of how you distribute the user accounts, some applications would not need to go through MACS at first. The NT print server, for example, might access the NT Domain accounts directly. However, this creates a problem with user account mobility.

I would suggest you use LDAP for your main account repository. Replace NT domain controllers with Samba, and authenticate desktop, Exchange, and printers against these. For qmail, you could use LDAP directly, or write the small auth module to use MACS.

I'm getting long-winded, so I'll stop now. Let us know if you can make any progress!

Cheers,
mds
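As an added example (not MACS code and not part of the thread), a Python script that answers the "first step" question above against a constructed snapshot of the five stores: which store, if any, already holds every user, which accounts exist in only one place, and what would have to be created in LDAP before the other systems can authenticate against it. The store names and login names are assumptions.

```python
"""Cross-check the account repositories listed in the thread.

Added example, not MACS code. The five stores and their users are
constructed sample data; in a real audit they would be exported from
the NT domain, LDAP, the MySQL users table and the two print servers.
"""
from typing import Dict, List, Set

# Constructed sample: login names known to each of the five stores.
REPOSITORIES: Dict[str, Set[str]] = {
    "nt_domain":    {"alice", "bob", "carol", "dave"},
    "ldap":         {"alice", "bob", "carol", "erin"},
    "mysql_webapp": {"alice", "bob", "erin", "frank"},  # frank: webapp-only
    "nt_print":     {"alice", "carol", "dave", "gil"},  # gil: local-only
    "samba_print":  {"bob", "erin"},
}

def all_users(repos: Dict[str, Set[str]]) -> Set[str]:
    """Every login that exists in at least one store."""
    return set().union(*repos.values())

def missing_from(repos: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per store, the users that exist elsewhere but not there."""
    everyone = all_users(repos)
    return {name: everyone - users for name, users in repos.items()}

def single_source_candidates(repos: Dict[str, Set[str]]) -> List[str]:
    """Stores already holding every user; empty if no single source suffices."""
    return sorted(n for n, gap in missing_from(repos).items() if not gap)

def orphans(repos: Dict[str, Set[str]]) -> Dict[str, str]:
    """Users known to exactly one store: the accounts that get lost, or
    linger with an unmanaged password, when everything else is centralised."""
    found = {}
    for user in sorted(all_users(repos)):
        homes = [n for n, users in repos.items() if user in users]
        if len(homes) == 1:
            found[user] = homes[0]
    return found

def migration_gap(repos: Dict[str, Set[str]], primary: str) -> Set[str]:
    """Accounts to create in `primary` before the other systems can
    authenticate against it (the LDAP-first plan suggested above)."""
    return all_users(repos) - repos[primary]

if __name__ == "__main__":
    print("single-source candidates:", single_source_candidates(REPOSITORIES))
    print("orphans:", orphans(REPOSITORIES))
    print("to create in ldap:", sorted(migration_gap(REPOSITORIES, "ldap")))
```

On the sample data no store qualifies as a single source, two accounts (frank, gil) live in only one store, and three accounts would need creating in LDAP before it could become the main repository.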