
SSO (Re: [Fsfe-uk] An ignorant question?)


From: Alex Hudson
Subject: SSO (Re: [Fsfe-uk] An ignorant question?)
Date: Thu, 12 Jun 2003 15:35:20 +0100
User-agent: Mutt/1.5.4i

On Thu, Jun 12, 2003 at 02:50:14PM +0100, Simon Waters wrote:
> I mostly use NIS, those wanting to authenticate to NT seem to have no
> trouble (I sent a newbie the how-to URL and he came back happy a little
> while later without further questions) so what you're saying is LDAP
> single sign-on is a pain.

Not really. My point about LDAP was more a point about the current state of 
Free Software - LDAP is currently the protocol people are doing the most
work on (Kolab, for example, is a good example of a modern Free Software
system in this environment). I don't really see NIS as a solution to 
single sign-on (doesn't it just share account information? I'm thinking
about systems where the auth is directly integrated into services - I'm
not sure anyone is really working on NIS in that regard are they?).

Single sign-on isn't really about distributed authentication - even 
winbind can do that. I'm thinking more about how you integrate auth and
the various permissions a user has into all the apps you are using, and
being able to have other machines recognise it.

> > Flexibility. The ability to use a network share without having to
> > mount it.
> 
> I don't do unplanned file system sharing

I didn't say anything about unplanned! If they're authenticated to access
a share, they are surely accessing something "planned". 

> Just stick it in the automounter map if it is important enough ;-)

You can do, but it's still a pain - you have to update all your maps 
whenever the server name changes, for example. The obvious way of doing
it would be a login script, but again, there's no inbuilt support for those
either.

> Well you were complaining about the absence of things which work quite
> well, but I think you mean the specific case of LDAP.

I'm not sure I am. I certainly don't think NIS is a solution either, and
although it's probably workable I don't get the feeling it is a long-term
option.

> Similarly I agree Kerberos is a dark art in free software for much the
> same reason, although I am assured by the Kerberos crowd that once
> you've mastered the basics it is easy. I had the same view of DNS a few
> years back, now I can't see what people's problem with DNS is ;-)

You're probably right. I think we will very much find ourselves following
the Microsoft route on this one though - Kerberos + DNS + LDAP does make
a great deal of sense. 

It really needs to be built into the core of distros though. It's a lot 
harder than it currently needs to be. I don't think it's beyond the Free
Software world, either. People often say that Free Software developers are
unable to co-ordinate and move in one direction - GNOME HIG is a 
fantastic case against that argument. I get the feeling that GNOME (well,
Ximian to be honest) are also going to be the ones pushing single sign on 
within the GNU environment eventually also.

Cheers,

Alex.




