Old 09-18-2010, 12:33 PM
Andy Graybeal
 
Default Single Sign On

I'm wondering what everyone's thoughts are in general on SSO and if
anyone has this running in their environment, and maybe recommend
anything for someone considering it.

Has anyone followed these instructions:
https://help.ubuntu.com/community/SingleSignOn ?
I see it's still a work in progress.

I've been watching "FreeIPA" on fedora:
http://freeipa.org/page/Downloads
I'm considering using Fedora and FreeIPA.

It's a little overwhelming to me right now, but I would like to
eventually grasp all of it.

-Andy


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 09-21-2010, 01:09 AM
Christopher Chan
 
Default Single Sign On

Andy Graybeal wrote:
> I'm wondering what everyone's thoughts are in general on SSO and if
> anyone has this running in their environment, and maybe recommend
> anything for someone considering it.

SSO = good thing. At least for a school env yes. I don't need to be
giving teachers and students more headaches/impediments to their use of
the computer.

I have not quite got everything running with it yet, though. Last
attempt at getting squid to do SSO ended in abject failure.


>
> Has anyone followed these instructions:
> https://help.ubuntu.com/community/SingleSignOn ?
> I see it's still a work in progress.
>
> I've been watching "FreeIPA" on fedora:
> http://freeipa.org/page/Downloads
> I'm considering using Fedora and FreeIPA.

If you like to have to reinstall/upgrade every six months or so, be my
guest.


>
> It's a little overwhelming to me right now, but I would like to
> eventually grasp all of it.
>

I would like to get it completely working.

Old 09-21-2010, 11:52 AM
Andy Graybeal
 
Default Single Sign On

On 09/20/2010 09:09 PM, Christopher Chan wrote:
> Andy Graybeal wrote:
>> I'm wondering what everyone's thoughts are in general on SSO and if
>> anyone has this running in their environment, and maybe recommend
>> anything for someone considering it.
>
> SSO = good thing. At least for a school env yes. I don't need to be
> giving teachers and students more headaches/impediments to their use of
> the computer.
>
> I have not quite got everything running with it yet, though. Last
> attempt at getting squid to do SSO ended in abject failure.
>
>
>>
>> Has anyone followed these instructions:
>> https://help.ubuntu.com/community/SingleSignOn ?
>> I see it's still a work in progress.
>>
>> I've been watching "FreeIPA" on fedora:
>> http://freeipa.org/page/Downloads
>> I'm considering using Fedora and FreeIPA.
>
> If you like to have to reinstall/upgrade every six months or so, be my
> guest.

Hmm.. that doesn't sound like fun!
>
>
>>
>> It's a little overwhelming to me right now, but I would like to
>> eventually grasp all of it.
>>
>
> I would like to get it completely working.
>

Thank you Christopher. Do you upgrade to each Ubuntu? Or do you stay
with the LTSs? Do you have Kerberos? LDAP? What file system are you
using and what permissions are you using?

Do you have radius involved?

Can you tell me about your setup?

I work for a restaurant with about 70 employees, roughly 20 of them
require user accounts. Eventually all 70 people will have accounts, but
for now only the managers/co-owners do. We just switched from a one
account Windows box that automatically logged on to a multi-user LTSP
setup with 4 clients right now but several more are in the pipeline.

Currently, the only things they have accounts for are to access
filesystem and email. Eventually though, they will be logging into a
web content manager to update our website (Joomla at this time, maybe
Drupal), point-of-sale system (OpenBravoPOS maybe), ERP type program
(OpenBravo ERP maybe), hopefully at least.

I do plan on following PCI-DSS compliance when deployment happens; which
means (among many things) that we'll have to change our passwords every
90 days. I haven't told anyone about this yet because I'm already the
bad guy because I gave them all logins and passwords and they don't have
the auto-logged in shared account. I have to ease them into this with
baby-steps. I'm not a bad guy, but once we get used to logging in with
our accounts individually first, we'll go the next step to changing
passwords every 90 days (also the password history can't be
redundant for the past 4 passwords).

If there are going to be at least 5 systems that will need to be logged
in to in the future, and password changes happening every 90 days, it's going
to be a disaster without SSO. I want to get SSO to work before I adhere
to PCI-DSS, so people don't hate me forever.

I worked in a computer oriented place prior, and we had systems with
different accounts and different password changing intervals, it was a
headache to keep up with it, but it wasn't necessarily a disaster,
mainly because people were more patient with the computers and there was
a dedicated help-desk. I think after I left they adopted a SSO system,
at least there was talk about it on the horizon when I was still there.

I'm afraid/anxious to even jump into testing it. I'm such a wimp. We
did use kerberos in my old job and getting used to tokens was a little
weird! (but fun in the dorky sense)

-Andy


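The two PCI DSS rules Andy is bracing for (rotate every 90 days, no reuse of the last four passwords) are easy to state and easy to get subtly wrong on a multi-user LTSP box: an account with PASS_MAX_DAYS left at 99999, a service account with an empty password field, or a history check that forgets to drop the oldest entry. The following is an added example, not code from the thread or from any of the projects named in it. It audits shadow(5)-formatted entries against the 90-day rule and implements the four-deep history check the way pam_pwhistory's remember= option behaves. The sample shadow lines, the reference date and the realm-free usernames are constructed for the example, and PBKDF2 stands in for the crypt(3) hashes the real files hold.

```python
"""Added example (not from the thread): audit PCI DSS password ageing on
shadow(5)-style input and enforce a 4-entry password history.

Assumptions: SAMPLE_SHADOW and TODAY are constructed test data; PBKDF2 is
a simplified stand-in for the crypt(3) hashes pam_pwhistory keeps in
/etc/security/opasswd.
"""
import hashlib
import hmac
import os
from datetime import date

MAX_AGE_DAYS = 90    # rotation interval the thread cites from PCI DSS
HISTORY_DEPTH = 4    # number of previous passwords that may not be reused

# Constructed sample, not a real /etc/shadow. Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
andy:$6$salt$hash1:14800:0:90:7:::
manager1:$6$salt$hash2:14700:0:90:7:::
shared:$6$salt$hash3:14500:0:99999:7:::
kiosk::14800:0:90:7:::
nobody:*:14600:0:99999:7:::
oldsvc:!:14000:0:90:7:::
"""
TODAY = date(2010, 9, 21)  # constructed reference date (the thread's date)


def parse_shadow(text):
    """Parse shadow(5) lines into dicts with the fields the audit needs."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append({
            "name": f[0],
            "hash": f[1],
            "lastchg": int(f[2]) if f[2] else None,  # days since 1970-01-01
            "max": int(f[4]) if f[4] else None,      # PASS_MAX_DAYS
        })
    return entries


def audit_password_ageing(shadow_text, today=TODAY, max_age=MAX_AGE_DAYS):
    """Return {user: reason} for every login-capable account that breaks the
    rotation rule. Locked accounts ('!' or '*' in the hash field) are skipped
    because they cannot authenticate with a password at all; an EMPTY hash
    field is the opposite case (login with no password) and is flagged."""
    epoch_day = (today - date(1970, 1, 1)).days
    findings = {}
    for e in parse_shadow(shadow_text):
        name, h = e["name"], e["hash"]
        if h == "":
            findings[name] = "no password set: login without a password"
        elif h.startswith(("!", "*")):
            continue
        elif e["max"] is None or e["max"] > max_age:
            findings[name] = f"PASS_MAX_DAYS is {e['max']}, must be <= {max_age}"
        elif e["lastchg"] is not None and epoch_day - e["lastchg"] > max_age:
            findings[name] = f"password is {epoch_day - e['lastchg']} days old"
    return findings


class PasswordHistory:
    """Keep salted hashes of the last HISTORY_DEPTH passwords and refuse a
    candidate that matches any of them (what pam_pwhistory remember=4 does)."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest), oldest first

    @staticmethod
    def _digest(password, salt):
        # Per-entry random salt so identical passwords never share a digest.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def is_reused(self, candidate):
        return any(hmac.compare_digest(self._digest(candidate, salt), d)
                   for salt, d in self._entries)

    def try_change(self, new_password):
        """Accept the new password unless it repeats one of the last `depth`;
        on success record it and drop entries that fall out of the window."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(new_password, salt)))
        del self._entries[:-self.depth]
        return True
```

Running audit_password_ageing(SAMPLE_SHADOW) flags manager1 (password 173 days old), shared (PASS_MAX_DAYS 99999) and kiosk (empty password field) and leaves andy and the two locked accounts alone. On a real Ubuntu system the equivalent settings live in /etc/login.defs (PASS_MAX_DAYS) and the pam_pwhistory line in /etc/pam.d/common-password; the point of the script is that the policy has to hold for every account that can log in, not just the ones you created.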
Old 09-21-2010, 12:58 PM
Christopher Chan
 
Default Single Sign On

>>> I've been watching "FreeIPA" on fedora:
>>> http://freeipa.org/page/Downloads
>>> I'm considering using Fedora and FreeIPA.
>> If you like to have to reinstall/upgrade every six months or so, be my
>> guest.
>
> Hmm.. that doesn't sound like fun!

Nope. Unless you have infrastructure to perform automatic
upgrades/installation (I had a pxe env when I was managing a few score
servers) and setups conducive to such automation.


>>
>>> It's a little overwhelming to me right now, but I would like to
>>> eventually grasp all of it.
>>>
>> I would like to get it completely working.
>>
>
> Thank you Christopher. Do you upgrade to each Ubuntu? Or do you stay
> with the LTSs? Do you have Kerberos? LDAP? What file system are you
> using and what permissions are you using?

I only have one server setup with Ubuntu and it runs Hardy and the squid
mentioned in my previous post. The desktops are mostly Windows and some
Mac OS X desktops. I, of course, use an Ubuntu desktop although I was
previously using OpenSolaris. With Windows desktops, then of course I
have an Active Directory env so you can guess where Kerberos and LDAP
come into play. No need for FreeIPA due to Active Directory. Samba is
used for file serving on OpenSolaris boxes using ZFS and ZFS' NFSv4 ACLs
which are pretty much identical to NTFS ACLs.


>
> Do you have radius involved?

Yes. I do have radius involved. Handles authentication for the
wireless-n network.


>
> Can you tell me about your setup?

Active Directory. Everything plugs into it as necessary. Just missing
the squid part at the moment. 800+ users, 300+ client boxes.


>
> I work for a restaurant with about 70 employees, roughly 20 of them
> require user accounts. Eventually all 70 people will have accounts, but
> for now only the managers/co-owners do. We just switched from a one
> account Windows box that automatically logged on to a multi-user LTSP
> setup with 4 clients right now but several more are in the pipeline.
>
> Currently, the only things they have accounts for are to access
> filesystem and email. Eventually though, they will be logging into a
> web content manager to update our website (Joomla at this time, maybe
> Drupal), point-of-sale system (OpenBravoPOS maybe), ERP type program
> (OpenBravo ERP maybe), hopefully at least.

OOoohh, nice. I have a side project for my sister with Drupal, UberCart,
UberPOS.


>
> I do plan on following PCI-DSS compliance when deployment happens; which
> means (among many things) that we'll have to change our passwords every
> 90 days. I haven't told anyone about this yet because I'm already the
> bad guy because I gave them all logins and passwords and they don't have
> the auto-logged in shared account. I have to ease them into this with
> baby-steps. I'm not a bad guy, but once we get used to logging in with
> our accounts individually first, we'll go the next step to changing
> passwords every 90 days (also the password history can't be
> redundant for the past 4 passwords).

Ouch. That particular draconian password policy was collectively shot
down by all schools over here with respect to the shared systems that
all schools use and you bet locally it will be ignored.


>
> If there are going to be at least 5 systems that will need to be logged
> in to in the future, and password changes happening every 90 days, it's going
> to be a disaster without SSO. I want to get SSO to work before I adhere
> to PCI-DSS, so people don't hate me forever.

Oh, you certainly want that...when I started here, I had over three
usernames and their associated passwords to remember as well as the kids
/teachers due to the way the previous admin had done things. Needless to
say, I quickly cut down on the number of usernames the kids/teachers had
to remember.



>
> I worked in a computer oriented place prior, and we had systems with
> different accounts and different password changing intervals, it was a
> headache to keep up with it, but it wasn't necessarily a disaster,

Okay...for you and me yes.


> mainly because people were more patient with the computers and there was
> a dedicated help-desk. I think after I left they adopted a SSO system,
> at least there was talk about it on the horizon when I was still there.

SSO rules. When it works.


>
> I'm afraid/anxious to even jump into testing it. I'm such a wimp. We
> did use kerberos in my old job and getting used to tokens was a little
> weird! (but fun in the dorky sense)

Just make sure your stuff is Kerberos-enabled after you get the
Kerberos/LDAP sorted out. Over here, Windows does it for me for IE and
file sharing so on the client side + Frontmotion Firefox so I am really
just needing to plug squid into things.

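Christopher's closing advice, "make sure your stuff is Kerberos-enabled", hides the step that every Kerberos-enabled service (a Negotiate helper in front of squid, a web app behind an Apache Kerberos module, a POS or ERP login) has to get right: the service is handed an authenticated principal of the form user@REALM, and it must decide which local account, if any, that principal is. The following is an added example, not code from the thread or from MIT Kerberos, squid, or any other project named in it. It reproduces the behaviour of MIT krb5's default auth_to_local rule: only a single-component principal in the local realm maps, and it maps to its own name; a ticket from another realm, a user/admin instance, or a host service principal gets no mapping and is denied rather than guessed at. The realm RESTAURANT.LOCAL, the principals and the account list are constructed for the example.

```python
"""Added example (not from the thread): map an authenticated Kerberos
principal to a local account the way MIT krb5's default auth_to_local rule
does, then make the access decision a Kerberos-enabled service should make.

Assumptions: LOCAL_REALM, the principals and the account set are constructed
for the example.
"""

LOCAL_REALM = "RESTAURANT.LOCAL"  # constructed realm for the example


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring
    backslash escapes, which MIT allows for '/' and '@' inside a component
    (the backslash is dropped, the escaped character kept)."""
    components, buf, realm = [], [], None
    i = 0
    while i < len(principal):
        c = principal[i]
        if c == "\\" and i + 1 < len(principal):
            buf.append(principal[i + 1])
            i += 2
            continue
        if c == "/":
            components.append("".join(buf))
            buf = []
        elif c == "@":
            realm = principal[i + 1:]  # first unescaped '@' starts the realm
            break
        else:
            buf.append(c)
        i += 1
    components.append("".join(buf))
    if not realm or any(comp == "" for comp in components):
        raise ValueError(f"malformed principal: {principal!r}")
    return components, realm


def map_principal(principal, local_realm=LOCAL_REALM):
    """Default auth_to_local behaviour: a single-component principal in the
    local realm maps to its own name; everything else returns None. Realm
    comparison is exact and case-sensitive, as in Kerberos itself."""
    components, realm = split_principal(principal)
    if realm != local_realm:
        return None          # foreign realm: no implicit trust
    if len(components) != 1:
        return None          # user/admin, HTTP/host, ... are not login names
    return components[0]


def authorize(principal, local_accounts, local_realm=LOCAL_REALM):
    """Return (granted, detail). Deny anything that does not map, and
    anything that maps to a name with no provisioned local account, so a
    valid ticket alone never creates access."""
    try:
        user = map_principal(principal, local_realm)
    except ValueError as exc:
        return False, str(exc)
    if user is None:
        return False, f"{principal} does not map to a local account"
    if user not in local_accounts:
        return False, f"{user} has no local account"
    return True, user
```

With accounts {"andy", "manager1"}, authorize("andy@RESTAURANT.LOCAL", ...) grants andy, while andy@EVIL.EXAMPLE, andy/admin@RESTAURANT.LOCAL and HTTP/proxy.restaurant.local@RESTAURANT.LOCAL are all refused. If you later need cross-realm trust (a second site, a partner realm), add explicit mapping rules for those realms rather than loosening the check; the default of "unknown realm means no account" is what keeps the SSO boundary honest.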