Know of a turnkey SSO appliance with LDAP, RADIUS, OpenID, etc.?

I help a typical small company that started with several outsourced systems (Google Apps, svn/trac), added an internal Jabber server (ejabberd, mostly for iChat clients), subscribes to a couple of web services (e.g. HighriseHQ), and has VPN service provided by a pfSense FreeBSD firewall.

And the net result of all this is that they are drowning in passwords and accounts.

It seems that if they had a single login / single sign-on service, they could go a long way toward integrating them. For example: LDAP as the main repository, RADIUS tied to it for the VPN, ejabberd and even WPA2 wireless access, plugins for Google Apps login and possibly an OpenID server for external websites such as HighriseHQ.

All these tools seem to exist separately, but does anyone know of a single box that combines them with a nice GUI and automatic updates? (For example, like pfSense/m0n0wall for firewalls or FreeNAS for storage.) It does not have to be FOSS; a paid box would also be fine.

I believe this should exist. Microsoft Active Directory is probably one solution, but they would rather avoid Windows if possible. There seem to be various "AAA" servers used by ISPs or to manage firewalls/routers in the enterprise, but that does not seem quite right either.

Any obvious solutions that I am missing? Thanks!

+3
5 answers

More than a year has passed since you originally asked the question, so I assume you have solved the problem by now. But in case someone is interested in a possible solution, I suggest the following:

First of all, I don't know of a single all-in-one solution to your problem. However, it is quite simple to combine three products that will cover all your needs and provide a single source for user management and password storage.

The first thing to do is set up an LDAP directory to manage users and groups (and possibly other objects beyond the scope of your question). It can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically, any LDAP server will work.

Secondly, I recommend installing FreeRADIUS with the LDAP directory configured as its backend.

Third, get an Atlassian Crowd license. It provides authentication for OpenID and Google Apps. Prices start at $10 for up to 50 users and go up to $8,000 for an unlimited-user license.

Installation and configuration of the three are relatively simple. Most of your work will likely go into creating your users and groups. You can install all three components on one server and end up with a box that lets you authenticate everything, from logging on to your desktop, through Google Apps and other web applications, to the VPN and even switch, WiFi and router logins.

Just make sure you set up your roles and groups correctly! Otherwise you may find some vendor able to administer your firewalls and routers :-)

+4
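As an added illustration of the LDAP + FreeRADIUS part of this answer (not configuration from the answer's author or from the FreeRADIUS project), here is a minimal FreeRADIUS 3 setup that binds to the directory over LDAPS and, following the advice about roles and groups, grants network access only to members of specific LDAP groups. The hostnames, DNs, group names and the Service-Type convention are assumptions.

```text
# --- /etc/raddb/mods-available/ldap (FreeRADIUS 3.x) ---
# Hypothetical hostnames, DNs and group names; replace with your own.
ldap {
    # LDAPS only: the server binds with the user's password, so never send it in clear.
    server = "ldaps://ldap.example.internal"
    # Low-privilege service account for lookups (not the directory admin).
    identity = "cn=radius,ou=services,dc=example,dc=internal"
    password = "service-account-secret-here"
    base_dn = "dc=example,dc=internal"
    user {
        base_dn = "ou=people,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "ou=groups,${..base_dn}"
        filter = "(objectClass=groupOfNames)"
        name_attribute = "cn"
        membership_attribute = "memberOf"   # needs the memberof overlay on OpenLDAP
    }
    tls {
        ca_file = /etc/ssl/certs/internal-ca.pem
        require_cert = "demand"   # refuse an LDAP server with an untrusted certificate
    }
}

# --- /etc/raddb/sites-available/default (relevant sections only) ---
authorize {
    ldap
    # Authenticate by binding to LDAP as the user when a cleartext password arrived (PAP).
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # A valid directory account is not by itself a network entitlement: device
    # management logins (assumed to arrive with Service-Type = Administrative-User)
    # require "network-admins"; VPN and WiFi require "vpn-users"; others are rejected.
    if (Service-Type == Administrative-User) {
        if (!(LDAP-Group == "network-admins")) { reject }
    }
    elsif (!(LDAP-Group == "vpn-users")) { reject }
}

authenticate {
    Auth-Type ldap { ldap }
}
```

Which attribute identifies a management login depends on the NAS, so keying the group check on the RADIUS client (clients.conf shortname or huntgroups) is more robust than trusting Service-Type. LDAP bind authentication only works when the password arrives in clear (PAP, e.g. inside EAP-TTLS); WPA2-Enterprise with PEAP/MSCHAPv2 additionally needs the NT hash readable from the directory.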

I would advise anyone looking for this type of solution to check out the Gluu server (http://gluu.org).

Each Gluu server includes a SAML IdP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, a UMA Policy Decision Point (PDP) for web access control, and a RADIUS and LDAP server.

All Gluu server components are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each server component.

For commercial deployments, Gluu will build, maintain and control this software stack in a customer's virtual machine.

+3

You may not want to standardize passwords across many applications (especially external ones), although it makes sense for internal ones that use the auth service, such as LDAP.

You can solve the problem of remembering passwords with eSSO, for example Novell SecureLogin.

You may also be interested in Novell Access Manager and Novell Identity Manager.

+1

I could also use such a device, but the only one I could find was the (possibly outdated) data sheet from Infoblox. Since then they seem to have focused on network automation, and I cannot find the LDAP appliance on their current website. I think building a Linux box with the FOSS software mentioned above is what everyone does, but it would be great not to have power supplies, drives, fans, etc. I suppose you could use something like an Eee PC and put the configuration on a flash card.

+1

This is what I was looking for, and http://www.turnkeylinux.org/openldap looks like a solution: it installs as an "appliance" and includes encrypted online backup that can easily be restored on a new or replacement machine.

0
