From: Mario D.S. <md...@ma...> - 2003-10-29 05:18:22

Anand,

No worries about the delayed reply -- we've been severely time-limited on our end. It sounds like you've been successful in integrating 3/5 of your original applications so far: everything except for qmail and Exchange. Congratulations! You're the first to do anything meaningful with MACS with so little help! It says much about your ability, and hopefully a little about MACS' maturity. =)

To answer your question, what you're asking for is single-sign-on between Windows and the web. With MACS, this involves capturing the session key at system login and reusing it from a web browser. I'm not familiar with the details of the Windows login mechanics, but this sounds like it could only be accomplished with a customized agent on the Windows machine. Either a browser plugin that retrieves the username and password used to log in to Windows somehow and logs in automatically (if that's possible!) or a system plugin that (for example) records the session key appropriately in the browser's cookie file.

Unfortunately, we don't have access to a full Windows development environment at the moment. If you are willing and able to hack this up, we'd be pleased and grateful to offer all the help we can.

Cheers!
mds

On Sunday, Oct 26, 2003, at 23:52 US/Eastern, Anand Sharma wrote:

> Dear Mr. Santana,
>
> I am sorry for not replying earlier as I was on a week's leave. Since I
> resumed, I have been working on one of the suggestions given by you:
>
>> I would suggest you use LDAP for your main account repository.
>> Replace NT domain controllers with Samba, and authenticate desktop,
>> Exchange, and printers against these. For qmail, you could use LDAP
>> directly, or write the small auth module to use MACS.
>
> Accordingly, I have configured Samba as a PDC using LDAP as a backend
> in a test setup. Let me briefly describe this test set-up:
>
> 1. System-1: Windows 2000 Professional client - 1 No.
>
> 2. System-2: Linux 7.3 Server - 1 No. - configured with OpenLDAP
> 2.0.23-4, MACS-Beta-0.8, Perl Modules (DBI, DBD::mysql, IPC::MM,
> mod_perl, Apache::Cookie, Class::MethodMaker, FreezeThaw, Net::Server,
> WeakRef, Sys::HostIP, Net::Daemon, IO::Multiplex, HTML::Mason,
> PJORDAN/Exception-1.4.tar.gz, BAM/String-Unique-0.1.tar.gz,
> TELS/math/Math-BigInt-1.63.tar.gz, TELS/math/Math-String-1.21.tar.gz,
> Math::String, Authen::Smb, IO::Socket::SSL, Net::LDAP, Frontier::RPC2,
> SOAP::Transport::HTTP, as detailed in the INSTALL file of
> macs-beta-0.8), Samba 3.0, Apache 1.3.28 with mod_ssl 2.8.15-1.3.28,
> mod_perl 1.28, MySQL 3.23.58-1.73, OpenSSL 0.9.7b.
>
> 3. System-3: Linux 7.3, Apache 1.3.28, Tomcat 3.3.1 running an in-house
> developed J2EE application.
>
> - As per your guidance, I have been able to successfully configure
> System-1 as part of a test domain - A. (The Domain Controller is
> System-2.)
>
> - I have also configured a DNS server (bind 9.2.0-8) on System-2 for
> this domain-A.
>
> - I am successfully able to open the MACS website (running on System-2)
> from System-1 and log in using the default "macs/macs" user-name /
> password combination.
>
> - I have also configured the web-based J2EE application (on System-3)
> to authenticate against the OpenLDAP configured on System-2.
>
> Status so far:
>
> Step-1: I can now log in from the Windows 2000 Professional desktop
> (System-1) and be authenticated via System-2 (Windows NT Domain – Samba
> concepts).
>
> Step-2: After thus logging in on System-1, I can next also log in to my
> web-based application on System-3 and be authenticated via System-2.
>
> Issues:
>
> I would like to achieve the login processes as per Steps 1 and 2 above
> in one single combined step, i.e. can I log in to my web-based
> application automatically when I log in to my desktop?
>
> Could you kindly guide me on how to configure MACS to achieve the same.
>
> Best Regards,
> Anand Sharma.
>
>
> ______________________________________________
>
>> [...] I have been unsuccessfully looking for a Deployment Guide / FAQs
>> pertaining to MACS SSO. I would be thankful if you could point me to
>> some resources.
>
> There is some good information at <http://macs.sf.net/docs/>. The
> technical white paper would be especially enlightening. I'm afraid
> there aren't any very detailed HOWTOs, yet.
>
>> As desired, here is a brief description of my actual network: [...]
>
> I'm going to describe what I understand your network to be:
>
> 1. For logging into the Windows desktop, folks use their normal NT
> account on normal NT domain servers.
> 2. For reading mail, some folks use their normal NT account to access
> Exchange, while others use an LDAP-based account to access qmail.
> 3. For accessing your custom web apps, folks use a custom MySQL-based
> account.
> 4. For printing, some folks use a standalone NT server with local
> accounts, while others use a standalone Samba server, also with local
> accounts.
>
> So there are 5 places where account information is stored: NT domain
> server, LDAP, MySQL, NT print server, and Samba print server. All these
> repositories need to be kept in sync. And there's no one place for
> users to manage their account(s) -- eg, change passwords, update
> addresses, etc.
>
> The goal is to have a single place to manage account information, and
> to enable SSO as much as possible. Centralized management reduces the
> burden on you, the admin, while SSO reduces the burden on users.
>
>> I hope this gives a brief idea of my network to you and would help
>> you in solving my query.
>
> The first step is to figure out if you need more than one user
> repository. Do all your users have NT accounts, for example, or LDAP
> accounts? If so, then all your authentication can happen against NT,
> or LDAP. If, for example, some webapp users have no accounts except in
> MySQL, we'll probably need to deploy support for multiple repositories.
>
> This is what I meant when I asked, "Where is the user information
> stored?" Is any one source of user information enough? Once we know
> which source(s) we need to support, we can get that set up.
>
> The second step is to add support for actual applications. The
> Apache-based webapps are probably easiest. See
> <http://macs.sf.net/docs/apxs/> for details on configuring the Apache
> module. (And feel free to post specific questions here!) You can
> probably have true, fully transparent SSO between all your webapps
> without too much hassle.
>
> Setting up other applications is complicated by the fact that we've
> not built support yet for everything we'd like to. Qmail, for example,
> would require an auth module.
>
> Also, depending on the details of how you distribute the user
> accounts, some applications would not need to go through MACS at
> first. The NT print server, for example, might access the NT Domain
> accounts directly. However, this creates a problem with user account
> mobility.
>
> I would suggest you use LDAP for your main account repository. Replace
> NT domain controllers with Samba, and authenticate desktop, Exchange,
> and printers against these. For qmail, you could use LDAP directly, or
> write the small auth module to use MACS.
>
> I'm getting long-winded, so I'll stop now. Let us know if you can make
> any progress!
>
> Cheers,
>
> mds
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> <http://thinkgeek.com/sf>
> _______________________________________________
> MACS-Dev mailing list
> MAC...@li...
> <https://lists.sourceforge.net/lists/listinfo/macs-dev>
>
> --
> http://www.fastmail.fm - Accessible with your email software
> or over the web
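As an added example, not code from MACS or from anyone on this thread: a Python sketch of the "system plugin" path Mario describes above, i.e. a session key minted at desktop login, recorded in the browser's Netscape-format cookies.txt so the web apps receive it without a second login, and checked on the web side. MACS' actual session-key format is not shown on the page, so the token layout (user, expiry, HMAC-SHA256 tag), the server key, the cookie name `macs_session` and the domain `intranet.example` are all assumptions made for the illustration. The point it adds is the check a practitioner wants in this design: anything running as the user can read the cookie file, so the key must be bound to one user by an integrity tag and must expire, and the web side must verify both before trusting it.

```python
"""Hypothetical SSO bridge (not MACS code): mint a session key at desktop
login, record it in a Netscape-format cookies.txt, verify it on the web side."""
import base64
import hashlib
import hmac
import os
import tempfile
from http.cookiejar import Cookie, MozillaCookieJar
from typing import Optional, Tuple

# Assumed values: MACS' real key material, cookie name and domain are not on
# the page. In a deployment the key lives only on the authentication server.
SERVER_KEY = b"replace-with-32-random-bytes-from-os.urandom"
COOKIE_NAME = "macs_session"     # hypothetical cookie name
WEB_DOMAIN = "intranet.example"  # hypothetical domain shared by the web apps
TAG_LEN = hashlib.sha256().digest_size


def issue_session_key(user: str, now: int, ttl: int = 8 * 3600) -> Tuple[str, int]:
    """Run at system login. Token = base64(user|expiry || HMAC-SHA256 tag).
    The tag binds the key to one user, so a copied cookie file cannot be edited
    to impersonate somebody else; the expiry bounds how long a stolen file is
    useful. Returns (token, expiry)."""
    exp = now + ttl
    body = f"{user}|{exp}".encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode(), exp


def verify_session_key(token: Optional[str], now: int) -> Optional[str]:
    """Web-side check of the presented cookie value. Returns the user or None.
    Every malformed, forged or expired token takes the same None path."""
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        user, exp_str = body.decode().split("|")  # ValueError unless 2 parts
        exp = int(exp_str)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if now >= exp:
        return None
    return user


def record_in_cookie_file(token: str, exp: int, path: str) -> None:
    """The 'system plugin' step: write the key into a Netscape-format cookie
    file (the format stdlib's MozillaCookieJar reads and writes), marked
    secure so the browser only sends it over HTTPS."""
    jar = MozillaCookieJar(path)
    jar.set_cookie(Cookie(
        version=0, name=COOKIE_NAME, value=token,
        port=None, port_specified=False,
        domain=WEB_DOMAIN, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=True, expires=exp, discard=False,
        comment=None, comment_url=None, rest={},
    ))
    jar.save(ignore_discard=True, ignore_expires=True)


def read_from_cookie_file(path: str) -> Optional[str]:
    """The browser side: load the jar and pick up the session cookie."""
    jar = MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    for c in jar:
        if c.name == COOKIE_NAME and c.domain == WEB_DOMAIN:
            return c.value
    return None


def run_demo() -> dict:
    """End to end: login agent writes the cookie, browser reads it back, web
    app verifies it; plus a forged and an expired presentation."""
    now = 1067404800  # constructed fixed clock (2003-10-29) so the run is deterministic
    token, exp = issue_session_key("anand", now)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cookies.txt")
        record_in_cookie_file(token, exp, path)
        presented = read_from_cookie_file(path)
    # Attacker edits the user field of a copied cookie without knowing SERVER_KEY.
    raw = base64.urlsafe_b64decode(token.encode())
    forged = base64.urlsafe_b64encode(b"admin" + raw[len(b"anand"):]).decode()
    return {
        "user": verify_session_key(presented, now),     # "anand"
        "forged": verify_session_key(forged, now),      # None: tag mismatch
        "expired": verify_session_key(presented, exp),  # None: past expiry
    }


if __name__ == "__main__":
    print(run_demo())
```

The cookie file is only as protected as the user's profile directory, so the design stands or falls on the expiry and on the web side re-checking the tag rather than trusting the user name in the cookie; a real agent would also have to write wherever the deployed browser actually keeps its cookies, which differs by browser and is not addressed here.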