
Re: SSO (Re: [Fsfe-uk] An ignorant question?)


From: Simon Waters
Subject: Re: SSO (Re: [Fsfe-uk] An ignorant question?)
Date: Thu, 12 Jun 2003 20:34:31 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Hudson wrote:
> On Thu, 2003-06-12 at 15:53, Ramanan Selvaratnam wrote:
>
>>This thread is becoming very educative :-)
>
>
> Educative about my poor MTA skills. Simon took this offlist, I
> accidentally brought it back on. My apologies Simon, not at all
> intentional (in fact, my pet hate, how ironic :)

I'm not bothered - I learnt LONG ago (and the hard way) about typing
things into computers you don't want other people to read.

Just wanted to get a better understanding what Alex was struggling with,
I'd assumed he mainly wanted to sort file storage stuff.

My last long soak in this stuff was bidding for consultancy work from a
big telco back when LDAP v3 was shiny and new (which was 1997
apparently, how time flies). All the big software vendors were saying we
will support LDAP, but it wasn't clear how (or even if) such a directory
structure would gel. They basically wanted to know what would happen,
and how much effort to put into it, for themselves, and also for their
consultancy clients. Alas we didn't win the bidding rounds, so I don't
know if they ever found out.

At the time I think people saw LDAP as providing that network aware
"registry", as well as supplying SSO basic authentication, and it isn't
obvious where to draw the line between what belongs in the directory and
what belongs in some other configuration store.

However it rapidly becomes apparent (as anyone running registry watchers
on Windows will know) that general purpose registries become pretty big,
and active, configuration databases, which raises serious practical
issues as well as theoretical ones. It certainly isn't obvious that LDAP is
suited to the task; it might be a useful query protocol for certain
situations. Similarly the application (or its integrator to the
directory) has to decide what settings belong per user, per application,
per protocol, per category that doesn't exist yet, and the admin
(hopefully computer assisted) presumably then figures out if any of
these are common/shared in his environment.

That isn't to say that many of these decisions aren't made already in
software, they are all made, but in different ways and forms, in /etc,
in ".rc" files, in xrdb, in WM databases, in relational databases,
Microsoft probably has a lead on automating this aspect by centralising
the data.

Not to say we shouldn't try, and as someone with "create .rc file" on my
TODO list (someone sent a patch, but I'm not sure about it, and it needs
some work) I'm open to practical suggestions on where to start (i.e. how
to make my configuration data accessible to the future methods of doing
this), but it is as well to realise how far off utopia is. Worse still,
one mistake on the way and you'll find your PC (and everyone else's)
copying the contents of your personal web cache back and forth to the
central server every time you log off and on ;-)

In terms of those applications which are already aware for SSO purposes,
the client configuration doesn't seem that hard. Where I found free
software a long way behind was with management stuff, especially GUIs,
and GUI creation tools for delegating aspects of directory management. I
guess we have probably managed too long copying SSH keys around.

The biggest problem with building cathedrals is ensuring your
foundations are solid enough; of course, worshippers don't tend to notice
inadequacies in foundations till it all falls down.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+6NXDGFXfHI9FVgYRAsVPAJ9M7w7RmLgnzSNsCabQlLJz+9gUGQCgoJaE
6ShXwEct5nw9Aq5usXMjhAg=
=n5Qu
-----END PGP SIGNATURE-----



