Organizing Kerberos-based infrastructure
SSO (Single Sign-On) is a good way to organize enterprise IT infrastructure. It reduces the TCO (total cost of ownership) of user management: accounts are created, modified and deleted in one place, without touching the configuration of servers or client workstations, and a user who has authenticated once is not asked for a password again by every service. Let's look in detail at Kerberos as the basis for SSO in an enterprise infrastructure:
Log in to a workstation.
Most UNIX-like OSes can authenticate workstation logins against Kerberos through PAM modules (pam_krb5). Windows workstations do domain logon only against an Active Directory domain controller and do not work with a standard (MIT or Heimdal) KDC out of the box, because Microsoft's Kerberos depends on its own extensions (in particular the PAC authorization data carried in the ticket). A stand-alone, non-domain Windows machine can be pointed at an MIT realm with ksetup, but then every principal has to be mapped to a local account by hand, which defeats the purpose. There is a way around this: a Samba PDC integrated with Kerberos and OpenLDAP (article in Russian; I'll translate it and publish it in this blog after setting up such an infrastructure on my own servers).
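As an added example, not part of the original post, here is what the PAM side of that workstation login looks like: a stand-alone /etc/pam.d/login stack that authenticates against the KDC with pam_krb5 and falls back to local /etc/shadow accounts. The UID threshold, the file layout and the module options are assumptions for a typical Linux workstation.

```text
# /etc/pam.d/login -- added example, not from the original post
# Stand-alone stack. On Debian/Ubuntu the same lines normally live in
# /etc/pam.d/common-{auth,account,password,session} (pam-auth-update);
# on Red Hat-style systems they go into /etc/pam.d/system-auth.
# minimum_uid=1000 keeps root and system accounts on local passwords only,
# so the machine is still usable when the KDC is unreachable.

# authentication: ask the KDC first, fall back to /etc/shadow for local users
# (success=N skips N lines, so a Kerberos success jumps straight to pam_permit)
auth      [success=2 default=ignore]  pam_krb5.so minimum_uid=1000 forwardable
auth      [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth      requisite                   pam_deny.so
auth      required                    pam_permit.so

# account: local checks plus principal/password expiry and ~/.k5login
# for users who authenticated through Kerberos
account   required                    pam_unix.so
account   required                    pam_krb5.so minimum_uid=1000

# password change: kpasswd protocol against the KDC for Kerberos users,
# local shadow file for everybody else
password  sufficient                  pam_krb5.so minimum_uid=1000
password  required                    pam_unix.so obscure sha512 try_first_pass

# session: pam_krb5 writes the TGT into a credential cache and exports
# KRB5CCNAME, which is what gives the user SSO to ssh, IMAP, HTTP and so on
session   required                    pam_unix.so
session   optional                    pam_krb5.so minimum_uid=1000
session   optional                    pam_mkhomedir.so skel=/etc/skel umask=0077
```

Two things to check before trusting this stack. First, the workstation needs a host/<fqdn>@REALM key in /etc/krb5.keytab so pam_krb5 can verify the TGT it received against a key the real KDC knows (Russ Allbery's pam-krb5 does this automatically when the keytab is readable; the Red Hat module has a `validate` option for it). Without that key, anyone who can answer on port 88 in the client's network segment can impersonate the KDC and log in as any user with any password. Second, edit this file with a spare root shell open and test with a real login after `kinit alice; klist` works from the command line: a wrong `success=N` jump count locks everyone out. The `forwardable` option is what lets ssh forward the ticket on to the next host.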
Servers.
Firewall: NuFW (see corresponding article).
Email: postfix, sendmail.
IM: openfire.
Web: apache.
Proxy: squid.
FTP: ProFTPD or the Kerberized ftpd that ships with the Kerberos distribution.
RDBMS: PostgreSQL.
Clients.
Email: thunderbird, fetchmail.
IM: Spark, Pidgin.
Web: Firefox, Safari, Konqueror.
FTP: console ftp, FileZilla.
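For the Web entries on both lists (Apache on the server side, Firefox, Safari and Konqueror on the client side) the mechanism is HTTP Negotiate (SPNEGO): the browser presents its Kerberos service ticket and the user is never prompted. As an added example that is not taken from the original post, here is an Apache mod_auth_kerb configuration protecting one location; the host name, realm, keytab path and location are assumptions.

```apache
# /etc/apache2/conf.d/intranet-krb.conf  (mod_auth_kerb; added example)
# Realm, host name, keytab path and the protected location are assumptions.
<Location /intranet>
    AuthType            Kerberos
    AuthName            "Intranet (Kerberos SSO)"
    KrbAuthRealms       EXAMPLE.COM
    # principal the browser requests a ticket for; must match the keytab entry
    KrbServiceName      HTTP/www.example.com
    Krb5Keytab          /etc/apache2/http.keytab
    # SPNEGO: the browser sends its service ticket in "Authorization: Negotiate"
    KrbMethodNegotiate  On
    # the default is On. Off forbids the Basic-auth fallback, which would make
    # the browser send the user's Kerberos password to the web server
    KrbMethodK5Passwd   Off
    # guards the password method against a spoofed KDC by checking the TGT
    # against the keytab; harmless (and cheap) to leave on
    KrbVerifyKDC        On
    # only turn on if the application must act on the user's behalf (delegation)
    KrbSaveCredentials  Off
    # REMOTE_USER becomes "alice" instead of "alice@EXAMPLE.COM"
    KrbLocalUserMapping On
    Require             valid-user
</Location>
```

The keytab is created on the KDC with `kadmin -q "addprinc -randkey HTTP/www.example.com"` followed by `kadmin -q "ktadd -k /etc/apache2/http.keytab HTTP/www.example.com"`, then copied to the web server, owned by the Apache user and mode 0400. On the client side Firefox will not send a ticket until `network.negotiate-auth.trusted-uris` in about:config contains the site's domain (for example `.example.com`); a quick end-to-end check from a workstation that already has a TGT is `curl --negotiate -u : https://www.example.com/intranet/`. Keep the site on HTTPS: Negotiate authenticates the request, it does not protect the response.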
Development.
Among development platforms only Java (and therefore J2EE) has Kerberos support built in, through JAAS (Krb5LoginModule) and the GSS-API (org.ietf.jgss). Other frameworks may have some kind of support, but that requires checking.
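As an added example, not code from the original post, here is the shape of that Java support: a JAAS login picks up the workstation TGT for the client and a keytab for the service, then both sides drive a GSS-API context through the Kerberos AP-REQ/AP-REP exchange in-process and exchange a sealed message. The JAAS entry names, the service principal and the keytab path are assumptions; it needs a reachable KDC and the JAAS configuration shown in the comment.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.*;

/*
 * Added example (not from the original post). Run with
 *   java -Djava.security.krb5.conf=/etc/krb5.conf \
 *        -Djava.security.auth.login.config=jaas.conf KrbGssDemo
 * where jaas.conf contains (entry names, keytab path and principal are assumptions):
 *
 *   KrbClient {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true doNotPrompt=true;   // reuse the login TGT, never prompt
 *   };
 *   KrbServer {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true keyTab="/etc/http.keytab" principal="HTTP/www.example.com"
 *           storeKey=true isInitiator=false;         // acceptor-only credentials
 *   };
 */
public class KrbGssDemo {
    /** Kerberos V5 GSS mechanism OID (RFC 1964). */
    private static final Oid KRB5 = krb5Oid();

    private static Oid krb5Oid() {
        try { return new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new IllegalStateException(e); }
    }

    private static Subject login(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();                       // TGT from the cache, or keytab for the service
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        String service = "HTTP@www.example.com";   // host-based GSS name (assumption)
        Subject client = login("KrbClient");
        Subject server = login("KrbServer");
        GSSManager mgr = GSSManager.getInstance();

        // Initiator: a context towards the service, asking for mutual auth and sealing.
        GSSContext init = Subject.doAs(client, (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext c = mgr.createContext(peer, KRB5, null, GSSContext.DEFAULT_LIFETIME);
            c.requestMutualAuth(true);    // the service must prove itself too (AP-REP)
            c.requestConf(true);          // encryption for wrap()
            c.requestInteg(true);         // integrity check on wrapped messages
            return c;
        });
        // Acceptor: credentials come from the keytab loaded by the KrbServer JAAS entry.
        GSSContext accept = Subject.doAs(server, (PrivilegedExceptionAction<GSSContext>) () ->
            mgr.createContext((GSSCredential) null));

        // Token exchange, normally carried by the application protocol
        // (for HTTP: base64 in "Authorization: Negotiate ..." / "WWW-Authenticate: Negotiate ...").
        byte[] apReq = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () ->
            init.initSecContext(new byte[0], 0, 0));                  // AP-REQ with the service ticket
        byte[] apRep = Subject.doAs(server, (PrivilegedExceptionAction<byte[]>) () ->
            accept.acceptSecContext(apReq, 0, apReq.length));         // AP-REP (mutual auth)
        if (!init.isEstablished()) {
            Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () ->
                init.initSecContext(apRep, 0, apRep.length));         // consume AP-REP
        }
        System.out.println("established, mutual=" + init.getMutualAuthState()
            + ", server saw client principal " + accept.getSrcName());

        // Application data: the client seals, the server unseals and learns whether
        // the message was actually encrypted rather than only integrity-protected.
        byte[] plain = "hello over GSS".getBytes(StandardCharsets.UTF_8);
        byte[] sealed = init.wrap(plain, 0, plain.length, new MessageProp(0, true));
        MessageProp got = new MessageProp(0, false);
        byte[] unsealed = accept.unwrap(sealed, 0, sealed.length, got);
        System.out.println("server read: " + new String(unsealed, StandardCharsets.UTF_8)
            + " (confidential=" + got.getPrivacy() + ")");
        init.dispose();
        accept.dispose();
    }
}
```

The point a web application should take from this is `accept.getSrcName()`: the identity the service acts on comes from the ticket the KDC issued, not from anything the client claims in the request. In a real deployment the two halves live in different processes, and a servlet container or a library such as the JDK's built-in HTTP Negotiate support does the token plumbing, but the JAAS entries and the `requestMutualAuth`/`requestConf` flags are the same.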
As you can see, some servers and clients are missing from the lists above because their Kerberos support is poor or absent (Opera, MySQL, vsftpd and others). But any enterprise should require its users to run only accredited software, and the lists above are a good candidate for accreditation.
Btw, is it possible to tie the personal firewall (ipfw, iptables) settings not to IP but to the SSO method?
Yes, it is possible with NuFW - An Authenticated Firewall. I updated the post with the required link.