Single Sign On
Andy Graybeal
andy.graybeal at casanueva.com
Tue Sep 21 11:52:16 UTC 2010
On 09/20/2010 09:09 PM, Christopher Chan wrote:
> Andy Graybeal wrote:
>> I'm wondering what everyone's thoughts are in general on SSO and if
>> anyone has this running in their environment, and maybe recommend
>> anything for someone considering it.
>
> SSO = good thing. At least for a school env yes. I don't need to be
> giving teachers and students more headaches/impediments to their use of
> the computer.
>
> I have not yet quite got everything running with it yet though. Last
> attempt at getting squid to do SSO ended in abject failure.
>
>
>>
>> Has anyone followed these instructions:
>> https://help.ubuntu.com/community/SingleSignOn ?
>> I see it's still a work in progress.
>>
>> I've been watching "FreeIPA" on fedora:
>> http://freeipa.org/page/Downloads
>> I'm considering using Fedora and FreeIPA.
>
> If you like to have to reinstall/upgrade every six months or so, be my
> guest.
Hmm.. that doesn't sound like fun!
>
>
>>
>> It's a little overwhelming to me right now, but I would like to
>> eventually grasp all of it.
>>
>
> I would like to get it completely working.
>
Thank you Christopher. Do you upgrade to each Ubuntu? Or do you stay
with the LTS's? You have Kerberos?, LDAP?, what file system are you
using and what permissions are you using?
Do you have RADIUS involved?
Can you tell me about your setup?

I work for a restaurant with about 70 employees, roughly 20 of them
require user accounts. Eventually all 70 people will have accounts, but
for now only the managers/co-owners do. We just switched from a one
account Windows box that automatically logged on to a multi-user LTSP
setup with 4 clients right now but several more are in the pipeline.
Currently, the only things they have accounts for are to access
filesystem and email. Eventually though, they will be logging into a
web content manager to update our website (Joomla at this time, maybe
Drupal), point-of-sale system (OpenBravoPOS maybe), ERP type program
(OpenBravo ERP maybe), hopefully at least.

I do plan on following PCI-DSS compliance when deployment happens; which
means (among many things) that we'll have to change our passwords every
90 days.. I haven't told anyone about this yet because I'm already the
bad guy because I gave them all logins and passwords and they don't have
the auto-logged in shared account. I have to ease them into this with
baby-steps. I'm not a bad guy, but once we get used to logging in with
our accounts individually first, we'll go the next step to changing
passwords every 90 days (also the password history can't be
redundant for the past 4 passwords).

If there are going to be at least 5 systems that will need to log in to
in the future, and password changes happening every 90 days.. it's going
to be a disaster without SSO. I want to get SSO to work before I adhere
to PCI-DSS, so people don't hate me forever.

I worked in a computer oriented place prior, and we had systems with
different accounts and different password changing intervals, it was a
headache to keep up with it, but it wasn't necessarily a disaster,
mainly because people were more patient with the computers and there was
a dedicated help-desk. I think after I left they adopted an SSO system,
at least there was talk about it on the horizon when I was still there.
I'm afraid/anxious to even jump into testing it. I'm such a wimp. We
did use Kerberos in my old job and getting used to tokens was a little
weird! (but fun in the dorky sense)
-Andy