On Wed, Apr 14, 2010 at 05:22:56PM +0200, Petter Reinholdtsen wrote:
> Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.
I believe the proper approach to Kerberize web applications is to use either CAS or Shibboleth.
Shibboleth is (as I understand it) developed as part of internet2.org - an effort to generalize computer systems in higher education in the US. So even if CAS might be more widespread in commercial parts of the ICT world, it might make sense for Skolelinux to bet on Shibboleth due to its roots in an educational mindset.
More info on Shibboleth here: http://shibboleth.internet2.edu/ - try looking at the "Shibboleth in Action!" QuickTime movies at the right side.
...or if unable to watch them through the browser, here are their raw URLs for download:
http://shibboleth.internet2.edu/demo/shib_demo_media/shib_demo.mov
http://middleware.internet2.edu/co/tour/comanage-demo.mov
Both Shibboleth and CAS are partly packaged for Debian. I believe the server parts are not packaged (if I recall correctly they are both implemented as Java servlets) but the "bridge" parts that talk with the web apps are packaged as libapache2-mod-auth-cas and libapache2-mod-shib2.
It seems to me that the highly popular SSO technology OpenID is too simple for use as web-enabling of Kerberos. Even if coupled with OAuth I seem to understand from various critics that it is too poorly designed for enterprise security. Not stating this to start a fight (I do not know enough for more in-depth arguments than these vague accusations), just to help avoid wasting time on (popular but) weaker designs if the interest is proper strong web-enabled security designs.
Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private