I came across the auth_pubtkt project a year ago already and I liked the approach. Much simpler to configure than many other similar projects. I didn't have a real implementation need so far, but now I do :)
I was considering this versus Kerberos auth, but I like this better.
The setup I am considering is to install auth_pubtkt on the Apache frontend servers and then use auth_ldap on the login server.
First question: anything to consider while doing this? Possible/not possible. Suggested or not?
My wish is to integrate several web applications with this SSO implementation.
The range of apps spans between Bugzilla, Trac, Wordpress, Mediawiki, Alfresco Open Source Edition, Request Tracker, Nagios, Cacti, etc.
So now the question is: do you think I will need to modify these applications to make them work with auth_pubtkt?
Generally speaking they should just play well with Apache auth (whatever that auth is), so for most of them I don't think there will be a problem as long as I can delegate the auth part to Apache.
Or am I wrong?
Thanks
Stezz
Hi Stezz,
I have auth_pubtkt running as the basis of an SSO setup with an LDAP back-end that covers a number of applications: the Galaxy genomics framework, Bugzilla, MediaWiki, custom PHP applications. Bugzilla can use REMOTE_USER. MediaWiki needs the "AutomaticREMOTE_USER" extension. I'm not sure about other apps, but I suppose many of them use, or can be modified to use, REMOTE_USER. I added code to the login.cgi script to query our LDAP servers via Perl's Net::LDAP, so I don't use Apache's auth_ldap. All in all, I am very happy with the performance of auth_pubtkt in this scenario. I hope this helps.
Regards,
Alex
> The setup I am considering is to install auth_pubtkt on the Apache frontend servers and then use auth_ldap on the login server.
>
> First question: anything to consider while doing this? Possible/not possible. Suggested or not?
Just to add my experience: I did a setup with adLDAP (http://adldap.sourceforge.net/) in the PHP-based login scripts, against MS Active Directory. It's easy to query for group membership and map this to tokens in the generated tickets. The solution has served the company well for several years now. So you probably won't need auth_ldap at all...
Regards,
Manuel
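To make the approach Alex and Manuel describe concrete (the login script does the directory bind itself, maps group membership to tokens, and issues the signed ticket, so no auth_ldap on the frontends), here is an added example of such a login script. It is not the project's reference script and not code from either poster. It assumes an OpenLDAP-style directory (users under ou=people, groupOfNames groups under ou=groups, all placeholders), an RSA private key at /etc/pubtkt/tkt_privkey.pem whose public half the frontends load with TKTAuthPublicKey, and the ticket format mod_auth_pubtkt documents (semicolon-separated key=value fields, RSA-SHA1 signature over everything before ";sig="). The group-to-token table and hostnames are made up for the example.

```php
<?php
// login.php (added example, not the project's own script). Assumed placeholders below.
const LDAP_URI      = 'ldap://ldap.example.com';
const USER_BASE     = 'ou=people,dc=example,dc=com';
const GROUP_BASE    = 'ou=groups,dc=example,dc=com';
const PRIVKEY_FILE  = '/etc/pubtkt/tkt_privkey.pem';   // private half of the TKTAuthPublicKey pair
const COOKIE_NAME   = 'auth_pubtkt';                   // mod_auth_pubtkt's default cookie name
const COOKIE_DOMAIN = '.example.com';                  // the domain cookie the README's security section is about
const TICKET_TTL    = 8 * 3600;                        // seconds until validuntil

// LDAP group cn => token the frontends require with TKTAuthToken (assumed mapping).
// A user in no mapped group still gets a ticket, but one with an empty token list.
const GROUP_TO_TOKEN = ['developers' => 'dev', 'sysadmins' => 'admin', 'staff' => 'staff'];

/** Bind as the user; on success return the cn of each group the user is a member of. */
function ldap_authenticate(string $uid, string $password): ?array
{
    // An empty password turns ldap_bind into an anonymous bind that "succeeds".
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $uid)) {
        return null;
    }
    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        return null;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($ld)) {            // never send the password in the clear
        return null;
    }
    $userDn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    if (!@ldap_bind($ld, $userDn, $password)) {
        return null;
    }
    $filter = '(&(objectClass=groupOfNames)(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $groups = [];
    $result = ldap_search($ld, GROUP_BASE, $filter, ['cn']);
    if ($result !== false) {
        $entries = ldap_get_entries($ld, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = $entries[$i]['cn'][0];
        }
    }
    ldap_unbind($ld);
    return $groups;
}

function groups_to_tokens(array $groups): array
{
    $tokens = [];
    foreach ($groups as $g) {
        if (isset(GROUP_TO_TOKEN[$g])) {
            $tokens[] = GROUP_TO_TOKEN[$g];
        }
    }
    return array_values(array_unique($tokens));
}

/** Assemble "uid=..;cip=..;validuntil=..;tokens=..;udata=..;sig=.." and sign the part before ";sig=". */
function pubtkt_build(string $uid, ?string $clientIp, int $validUntil, array $tokens, string $udata, string $privkeyPem): string
{
    foreach ([$uid, $udata, implode(',', $tokens)] as $field) {
        if (strpos($field, ';') !== false) {   // a ';' inside a value would inject an extra field
            throw new InvalidArgumentException('illegal character in ticket field');
        }
    }
    $parts = ['uid=' . $uid];
    if ($clientIp !== null) {   // binds the ticket to one client IP; leave out for users behind changing NAT/proxies
        $parts[] = 'cip=' . $clientIp;
    }
    $parts[] = 'validuntil=' . $validUntil;
    $parts[] = 'tokens=' . implode(',', $tokens);
    $parts[] = 'udata=' . $udata;
    $ticket = implode(';', $parts);

    $key = openssl_pkey_get_private($privkeyPem);
    if ($key === false || !openssl_sign($ticket, $sig, $key, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('ticket signing failed: ' . openssl_error_string());
    }
    return $ticket . ';sig=' . base64_encode($sig);
}

// ---- request handling ----
if (empty($_SERVER['HTTPS'])) {   // issuing over plain HTTP would expose both the password and the ticket
    http_response_code(403);
    exit('login only over HTTPS');
}
$groups = ldap_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($groups === null) {
    http_response_code(401);
    exit('login failed');
}
$ticket = pubtkt_build($_POST['username'], $_SERVER['REMOTE_ADDR'], time() + TICKET_TTL,
                       groups_to_tokens($groups), '', file_get_contents(PRIVKEY_FILE));

// Secure: never sent over HTTP. HttpOnly: not readable by page scripts on any host in the domain.
// setcookie() URL-encodes the value, which is the form mod_auth_pubtkt expects to find in the cookie.
setcookie(COOKIE_NAME, $ticket, 0, '/', COOKIE_DOMAIN, true, true);

// mod_auth_pubtkt sends the user here with back=<original URL>; only honour HTTPS hosts in our own domain.
$back = $_REQUEST['back'] ?? '';
if ($back !== '' && preg_match('#^https://[a-z0-9.-]+\.example\.com(/|$)#i', $back)) {
    header('Location: ' . $back);
} else {
    header('Location: https://www.example.com/');
}
```

Two things worth keeping in mind when adapting this: the `cip` field is what stops a stolen cookie being replayed from another address, but it also logs out users whose source IP changes (mobile users, proxy pools), so decide per deployment whether to include it; and against Active Directory, as in Manuel's setup, the group query is usually the user's `memberOf` attribute rather than a search for `member=` on the groups.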
Thanks Alex,
at least I know this is possible :)
So if not already supported, it should anyway be easy to modify the auth procedures of these tools so that pubtkt supports them.
From the security perspective, how safe is this to deploy on a public-facing site?
What is the risk of eavesdropping and consequent cookie stealing? Or forging or similar?
I already read the "Security considerations for domain cookies" paragraph; I just wanted to hear some real-life experiences.
Thanks
--
Stezz
http://stezz.blogspot.com
I have read that paragraph and didn't worry about the potential for cookie stealing. Our domain is tightly controlled, so the risk of rogue servers is negligible. Using SSO is more of a convenience for our users, so they can use a single set of credentials to get help and documentation from us as well as access software whose usage we monitor. I am not really worried that there is a small possibility that someone could modify a wiki page under a different user name or submit a support ticket in Bugzilla as someone else. As far as the public exposure of the protected servers is concerned, that's what mod_auth_pubtkt is there for, I suppose. Our login servers use SSL. The rest of the publicly facing infrastructure relies on the SSO protection.
Regards,
Alex
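For the frontend side that Stezz asked about (the eavesdropping and cookie-theft concern, and delegating auth to Apache so the applications only see REMOTE_USER), here is an added Apache vhost fragment. It is an example written for this thread, not configuration taken from the project's documentation or from either poster's setup; hostnames, key paths and token names are placeholders, and it uses only directives mod_auth_pubtkt documents (TKTAuthPublicKey, TKTAuthLoginURL, TKTAuthTimeoutURL, TKTAuthUnauthURL, TKTAuthRequireSSL, TKTAuthToken, TKTAuthFakeBasicAuth).

```apache
# Plain-HTTP vhost: never serve the application here, only push clients to TLS.
# A ticket that is never sent over HTTP cannot be sniffed on the wire.
<VirtualHost *:80>
    ServerName bugzilla.example.com
    Redirect permanent / https://bugzilla.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName bugzilla.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/bugzilla.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/bugzilla.example.com.key

    # Public half of the key pair the login server signs tickets with.
    # The private key lives only on the login server; the frontends cannot forge tickets.
    TKTAuthPublicKey  /etc/pubtkt/tkt_pubkey.pem
    TKTAuthLoginURL   https://login.example.com/login.php
    TKTAuthTimeoutURL https://login.example.com/login.php?timeout=1
    TKTAuthUnauthURL  https://login.example.com/unauth.php

    <Location />
        AuthType mod_auth_pubtkt
        # Weak setting would be "TKTAuthRequireSSL off" (the default), which accepts a ticket
        # presented over plain HTTP. With it on, a cookie captured from an HTTP request
        # is worthless here, and the Secure flag on the cookie keeps browsers from sending one.
        TKTAuthRequireSSL on
        # Only tickets carrying at least one of these tokens get through; the login
        # server derived them from LDAP group membership.
        TKTAuthToken dev
        TKTAuthToken admin
        Require valid-user
    </Location>

    # Bugzilla reads the login name from the environment (Params: user_info_class "Env,CGI",
    # auth_env_id "REMOTE_USER"), so it needs no patching. Apps that only understand HTTP
    # Basic auth (Trac is the usual case) can be fed a synthetic Authorization header instead:
    #     TKTAuthFakeBasicAuth on
</VirtualHost>
```

The residual risk Alex mentions stays: any server that is allowed to set or read cookies for `.example.com` can read the domain cookie, and neither TLS nor the Secure flag changes that. TKTAuthRequireSSL and the Secure flag close the eavesdropping path; the forging path is closed by keeping the private key off the frontends; the rogue-host path is only closed by controlling which hosts live in the cookie domain, which is the point of the README paragraph Stezz refers to.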