On Fri, 2005-03-11 at 23:32 +0000, Simon Waters wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adrian Midgley wrote:
| How should this be implemented using FLOSS?
| Who should do the engineering?
I'm glad that someone has asked this question :-)
It is relatively straightforward technically; people building LDAP servers just boost up multiple read-only replicas to scale the technology.
Very true
The solution of course is to build local systems that interoperate using agreed standards. Moves the management headache into agreeing and controlling the standards.
Yep, but what do you do if you are tied in to "packages" provided by different vendors that use different digest algorithms for encrypting passwords? OK, you could put a standard requirement in place, but usually someone (in management?) wants it now, not in 10 years' time when your last legacy system is replaced with something that is standards compliant. You may well be able to bring 3 major systems out of 12 into sync; however, you are still maintaining 10 different passwords / system access points. Users may not see the advantage and start to wonder why they are being asked to sign up to it (if you will pardon the pun).

How do you deal with the cross-organisation requirements? For example, someone working in social services is most likely to be using Council systems, NHS systems and possibly police systems as well. Most likely packaged systems with no common thread as far as authentication and authorisation are concerned. For these people it's a nightmare to remember 3 sets of passwords and constantly log on/off systems.

Don't get me wrong, I think LDAP is wonderful, but (IMHO) it's not a complete solution, nor is it (yet) a universally adopted one.
The technical aspects of the problem are easy, I mean if AOL can do it.... I suspect there are probably ISPs out there who authenticate similar numbers of users using FLOSS already.
Single application, single requirement, single set of standards, therefore simpler to implement.
Integrating other systems is possible if your authentication is seen as a separate module (like PAM). But ISPs only have a limited scope in the systems they need to integrate; they only provide a gateway in to most of the systems their users need, and making that integration is probably the major technical headache for most ISPs. Some of the ISPs are moving now to sharing authentication service out to other sites, so you can use the login at one site to access services at another.
Purely technical questions from someone who has been perplexed by the problem of "single sign-on" for some time: How do you deal with different applications requiring different digest algorithms for passwords and the ensuing need to maintain synchronisation? How does application B know that you have already been authenticated and authorised via application A? Or is this something in the LDAP protocol that I am not aware of? And how do the authorisation tokens in application B fit in with those of application A?

I understand that a lot of the above is "politics" rather than technical, but I'm just interested in knowing how you solve the technical "gotchas" and sell the solution to everyone from data entry clerk to CEO.

Tom.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
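As an added illustration of the "different digest algorithms" question raised in this thread (example code written for this page, not posted by anyone on the list): one common approach is for the directory, at password-change time, to produce the RFC 2307 `userPassword` encodings ({SSHA}, {SHA}, {MD5}) that each downstream package understands, so a single change keeps every system in sync without ever storing the plaintext. The scheme names below are the standard RFC 2307 prefixes; the idea of emitting all of them from one change hook is the assumption being demonstrated.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 style userPassword values look like "{SCHEME}base64data".
# {SSHA} = SHA-1 over (password + salt), with the salt appended to the digest.
# {CRYPT} is a fourth common scheme; it is omitted here because Python's
# crypt module is deprecated and platform dependent.

def ldap_ssha(password: bytes, salt: bytes = None) -> str:
    """Salted SHA-1; a fresh 4-byte salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ldap_sha(password: bytes) -> str:
    """Unsalted SHA-1, for legacy packages that only accept {SHA}."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")

def ldap_md5(password: bytes) -> str:
    """Unsalted MD5, for legacy packages that only accept {MD5}."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")

def hashes_for_all_systems(password: bytes) -> dict:
    """What a single password-change hook would write out for each
    downstream system that insists on its own digest algorithm."""
    return {"SSHA": ldap_ssha(password), "SHA": ldap_sha(password), "MD5": ldap_md5(password)}

def verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against any of the three stored encodings.
    Uses a constant-time comparison so the check leaks no timing information."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, data = stored[1:].partition("}")
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(password).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(password).digest(), raw)
    return False                                   # unknown scheme: reject, never guess
```

Unsalted {SHA} and {MD5} are kept only because legacy packages demand them; where a consumer can be told which scheme to accept, {SSHA} is the one to hand it.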