Single Sign On

Tue Sep 21 11:52:16 UTC 2010

On 09/20/2010 09:09 PM, Christopher Chan wrote:
> Andy Graybeal wrote:
>> I'm wondering what everyones thoughts are in general on SSO and if
>> anyone has this running in their environment, and maybe recommend
>> anything for someone considering it.
>
> SSO = good thing. At least for a school env yes. I don't need to be
> giving teachers and students more headaches/impediments to their use of
> the computer.
>
> I have not yet quite got everything running with it yet though. Last
> attempt at getting squid to do SSO ended in abject failure.
>
>
>>
>> Has anyone followed these instructions:
>> https://help.ubuntu.com/community/SingleSignOn ?
>> I see it's still a work in progress.
>>
>> I've been watching "FreeIPA" on fedora:
>> http://freeipa.org/page/Downloads
>> I'm considering using Fedora and FreeIPA.
>
> If you like to have to reinstall/upgrade every six months or so, be my
> guest.

Hmm.. that doesn't sound like fun!
>
>
>>
>> It's a little overwhelming to me right now, but I would like to
>> eventually grasp all of it.
>>
>
> I would like to get it completely working.
>

Thank you Christopher.  Do you upgrade to each Ubuntu? Or do you stay 
with the LTS's?  You have Kerberos?, LDAP?, what file system are you 
using and what permissions are you using?

Do you have radius involved?

Can you tell me about your setup?

I work for a restaurant with about 70 employees, roughly 20 of them 
require user accounts.  Eventually all 70 people will have accounts, but 
for now only the managers/co-owners do.  We just switched from a one 
account Windows box that automatically logged on to a multi-user LTSP 
setup with 4 clients right now but several more are in the pipeline.

Currently, the only things they have accounts for are to access 
filesystem and email.  Eventually though, they will be logging into a 
web content manager to update our website (Joomla at this time, maybe 
Drupal), point-of-sale system (OpenBravoPOS maybe), ERP type program 
(OpenBravo ERP maybe), hopefully atleast.

I do plan on following PCI-DSS compliance when deployment happens; which 
means (among many things) that we'll have to change our passwords every 
90 days.. I haven't told anyone about this yet because I'm already the 
bad guy because I gave them all logins and passwords and they don't have 
the auto-logged in shared account.  I have to ease them into this with 
baby-steps.  I'm not a bad guy, but once we get used to logging in with 
our accounts individually first, we'll go the next step to changing 
passwords every 90 days (also the password history can't be
redundant for the past 4 passwords).

If there are going to be atleast 5 systems that will need to login too 
in the future, and password changes happening every 90 days.. it's going 
to be a disaster without SSO. I want to get SSO to work before I adhere 
to PCI-DSS, so people don't hate me forever.

I worked in a computer oriented place prior, and we had systems with 
different accounts and different password changing intervals, it was a 
headache to keep up with it, but it wasn't necessarily a disaster, 
mainly because people were more patient with the computers and there was 
a dedicated help-desk.  I think after I left they adopted a SSO system, 
atleast there was talk about it on the horizon when I was still there.

I'm afraid/anxious to even jump into testing it.  I'm such a wimp.  We 
did use kerberos in my old job and getting used to tokens was a little 
weird!  (but fun in the dorky sense)

-Andy