Try shibboleth.

--On December 12, 2007 4:32:41 PM -0500 [EMAIL PROTECTED] wrote:

Hallvard,

If I choose "windows integrated authentication", then I am providing a
single sign-on experience only for Windows users. I am envisioning a
client organization having offices in NYC, London and Tokyo. Each office
has complete autonomy in setting up their protected domains with
firewalls. In this environment, our product, developed as a
client-server architecture, must be deployed and work with a single
sign-on experience. What it means is that some protected domain in the
NYC office will host the server, and an authorized user with a valid
credential has already logged in to his machine, which is part of a
protected domain in a Tokyo office. Assuming that the domain controllers
in the Tokyo office and the NYC office support the LDAP protocol (please
note that I am not committing to any operating system or directory
server, so it could be OpenLDAP or Windows Active Directory or even a
Mac Open Directory server). To provide a single sign-on experience for
the authorized user of the Tokyo office, the domain controller in the
Tokyo office, which authenticated the user, must translate the user's
credential into a fully qualified LDAP credential and communicate it to
the LDAP server in NYC (acting as the primary domain controller for the
whole organization). Since the user was already authenticated by the DC
in the Tokyo office, the NYC DC trusts it and considers the Tokyo user
as authenticated for accessing the server in NYC and provides access for
the user. This is what I want to achieve with "single sign-on for LDAP".

Ramesh

-----Original Message-----
From: Hallvard Breien Furuseth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2007 4:14 PM
To: Vaidyanathan, Ramesh
Cc: ldap@listserver.itd.umich.edu
Subject: Re: [ldap] Re: integrated authentication

Ramesh Vaidyanathan writes:
I wanted to elaborate a little more on my earlier message. Windows
supports single sign-on using an authentication mode called "Integrated
authentication", but it only works within a single domain and both the
client and server must be part of the domain. But if LDAP must support
such a feature, it has to work across domains and multiple firewalls,
so I am wondering if the LDAP protocol supports such a feature.

You are looking for the Kerberos <http://web.mit.edu/kerberos/> network
authentication protocol.  It provides single sign-on.  It's a separate
protocol from LDAP, but the LDAP Bind operation supports SASL (Simple
Authentication and Security Layer), and SASL supports Kerberos via the
GSS-API mechanism.  I don't know much about either Kerberos or Windows
myself.

You are asking to compare apples and oranges though.  Windows is an
operating system, LDAP is just a protocol.  You need support for SASL
(and parts of Kerberos I presume) in the clients you want to use too.
A number of clients only know how to ask for password and DN when
you want to authenticate, then it doesn't help that the rest of your
system supports Kerberos.

For that matter, Windows' Active Directory is a sort of LDAP protocol
(except it breaks the standard in some ways) plus more.

--
Regards,
Hallvard



---
You are currently subscribed to [EMAIL PROTECTED] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word
UNSUBSCRIBE as the SUBJECT of the message.



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

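Hallvard's point above, that the LDAP Bind operation carries SASL credentials (and that many clients only know the DN-plus-password form), is visible at the protocol level. The following is an added example, not code from this thread or from any of the projects mentioned: a minimal BER encoder and parser for an RFC 4511 BindRequest that shows the simple choice (DN and password on the wire) beside the SASL choice (mechanism name plus an opaque token, here a constructed placeholder standing in for a GSSAPI/Kerberos token). Message ids, the DN and the token bytes are constructed sample values.

```python
# Added example: encode/parse an LDAP BindRequest (RFC 4511) in BER.
# Only definite-form lengths are handled, which is what LDAP requires.
# No directory server or Kerberos KDC is needed; sample values are constructed.

def _len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):
    """INTEGER for non-negative v (two's complement, minimal octets)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id, dn, auth):
    """auth is ("simple", password_bytes) or ("sasl", (mechanism_bytes, token_or_None))."""
    kind, val = auth
    if kind == "simple":
        choice = _tlv(0x80, val)                        # [0] OCTET STRING: cleartext password
    else:
        mech, token = val
        creds = _tlv(0x04, mech) + (_tlv(0x04, token) if token is not None else b"")
        choice = _tlv(0xA3, creds)                      # [3] SaslCredentials SEQUENCE
    op = _tlv(0x60, _int(3) + _tlv(0x04, dn) + choice)  # [APPLICATION 0] BindRequest, version 3
    return _tlv(0x30, _int(msg_id) + op)                # LDAPMessage SEQUENCE

def _read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                        # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_request(msg):
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = _read_tlv(body)
    t, op, _ = _read_tlv(body, p)
    if t != 0x60:
        raise ValueError("not a BindRequest (tag 0x%02x)" % t)
    _, ver, p = _read_tlv(op)
    _, dn, p = _read_tlv(op, p)
    t, auth, _ = _read_tlv(op, p)
    out = {"id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(ver, "big"), "dn": dn.decode()}
    if t == 0x80:                                       # simple: password travels in the clear
        return {**out, "method": "simple", "password": auth}
    if t == 0xA3:                                       # sasl: only mechanism + opaque token
        _, mech, p = _read_tlv(auth)
        token = _read_tlv(auth, p)[1] if p < len(auth) else None
        return {**out, "method": "sasl", "mechanism": mech.decode(), "token": token}
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % t)
```

A real GSSAPI bind is a multi-round exchange (the token shown here is a placeholder), and the DN is normally empty because the identity comes from the Kerberos ticket rather than from a name-and-password pair.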
