Yes and no. Not completely natively, but in theory yes. Kerberos is the original SSO solution and it works very well, but webapps don't always play nice with existing authentication solutions. Since Kerberos 5 is part of FreeIPA, you have a chance to get it working if they play nice with Apache's authentication mechanisms.
There is an Apache module for Kerberos auth that works well. Two notes about it: turn on credential caching, because it significantly reduces the load on the Kerberos server, and keep in mind that Internet Explorer leaves native Kerberos on (you won't get prompted for a user name or password if you have a valid Kerberos ticket), but Firefox turns it off by default and I'm not sure about Chrome. In other words, if you leave the default setting in Firefox it will use basic auth (clear text password unless you use SSL) to interact with Apache and subsequently Kerberos. This is a wonderful way to make a secure authentication mechanism insecure if you don't use SSL. That said, I know for a fact trac does work well with Kerberos auth.

One warning: Apache has an LDAP authentication module as well; avoid it like the plague unless you like to launch denial of service attacks against your own servers. The LDAP auth module will query your LDAP servers every time a user accesses a file or CGI on the server, and by file I mean a page with 5 images will query your LDAP server at least 6 times every time you access it. The worst part about the LDAP auth module in Apache is it doesn't ever log out its connection to the LDAP server as far as I can tell, so it's a recipe for a sorcerer's apprentice syndrome DoS attack because of filehandle limitations and the exponential number of connections it opens. Essentially the Apache LDAP auth module is responsible for many of the claims that centralized auth on Linux and Unix crashes often.

On May 3, 2012 5:39 AM, "cee1" <fykc...@gmail.com> wrote:
> Hi all,
>
> We have a round of web services (mail, JIRA, trac etc), each has its
> own account database. We are seeking for a SSO solution, thus users
> need only to login once and can then access all web services.
>
> Does FreeIPA support it gracefully?
>
> --
> Regards,
>
> - cee1
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users
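The Basic-auth fallback described in the reply above can be checked for in a server's configuration. This is an added example, not part of the original post or of FreeIPA: it assumes the Apache module is mod_auth_kerb (directive names `KrbMethodK5Passwd`, `AuthType Kerberos`) with mod_ssl's `SSLRequireSSL`, none of which the post names, and it runs on a constructed sample config.

```python
import re

# Constructed sample config, not taken from the post. Directive names are
# those of mod_auth_kerb and mod_ssl (an assumption about the module meant).
SAMPLE_CONF = """
<Location /trac>
    AuthType Kerberos
    Require valid-user
</Location>
<Location /jira>
    SSLRequireSSL
    AuthType Kerberos
    KrbMethodK5Passwd on
    Require valid-user
</Location>
<Location /mail>
    AuthType Kerberos
    KrbMethodK5Passwd off
    Require valid-user
</Location>
"""

BLOCK_RE = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name to its lower-cased argument string."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return found

def audit(conf):
    """Return paths where Kerberos auth may accept a password without TLS."""
    risky = []
    for _tag, path, body in BLOCK_RE.findall(conf):
        d = directives(body)
        if d.get("authtype") != "kerberos":
            continue
        # mod_auth_kerb enables the password (Basic) fallback unless set to off.
        password_fallback = d.get("krbmethodk5passwd", "on") != "off"
        tls_enforced = "sslrequiressl" in d
        if password_fallback and not tls_enforced:
            risky.append(path.strip().strip('"'))
    return risky

if __name__ == "__main__":
    for path in audit(SAMPLE_CONF):
        print(f"{path}: password fallback allowed without SSLRequireSSL")
```

The check looks only at each block's own directives, so a block inside an HTTPS-only virtual host is still reported and needs a manual look.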