Discussion:
[TYPO3-english] SSO + kerberos
Mauro Lorenzutti
2010-02-09 17:55:57 UTC
Hi All,

I have a question about single-sign-on based on Kerberos. I already
set up the eu_ldap extension and connected it to our Active Directory
server, it works fine. I also set up an SSO based on the NTLM protocol but the
Apache module for NTLM has some problems.

I'd like to find another solution for SSO and I started to think about
Kerberos. Has anybody set up an autologin for TYPO3 based on Kerberos?
Please, could you share your experience?

Thank you in advance.

Best regards,
Mauro
Ralf Hettinger
2010-02-09 19:14:55 UTC
Hi Mauro,
Post by Mauro Lorenzutti
> I have a question about single-sign-on based on Kerberos. I already
> set up the eu_ldap extension and connected it to our Active Directory
> server, it works fine. I also set up an SSO based on the NTLM protocol but the
> Apache module for NTLM has some problems.
> I'd like to find another solution for SSO and I started to think about
> Kerberos. Has anybody set up an autologin for TYPO3 based on Kerberos?
> Please, could you share your experience?

although I have no answer to your Kerberos question and sort of
struggling with the same topic in one of my projects, I thought writing
back would do no harm.

I'm as well thinking of giving Kerberos a try (but haven't done yet)
since there are some performance issues on an initial NTLM connect we're
encountering by using the Apache NTLM module
(libapache2-mod-auth-ntlm-winbind and still NTLM v1). I'd be quite
interested if that's the same problem you're experiencing or what your
problem is by using NTLM.

Apart from that, the NTLM Apache module works as expected here and
without failures so far, so if your problem isn't performance related, I
might be of help...

Kind regards
Ralf
Mauro Lorenzutti
2010-02-10 10:41:46 UTC
Hi Ralf,

thank you very much for your answer.

We'd like to move from NTLM to Kerberos (or another SSO system) due to a
problem with the NTLM apache module.

The problem is that sometimes Apache stops providing the page to the
browser. It's completely random: at a point, when we click on a link,
apache doesn't reply with the result page. We have to do a reload of
apache and then it starts to work correctly again.

Did you experience the same problem? We didn't experience any
performance problem but this problem is even worse :-(

Regards,
Mauro
Ralf Hettinger
2010-02-10 12:07:44 UTC
Hi Mauro.
Post by Mauro Lorenzutti
> The problem is that sometimes Apache stops providing the page to the
> browser. It's completely random: at a point, when we click on a link,
> apache doesn't reply with the result page. We have to do a reload of
> apache and then it starts to work correctly again.
> Did you experience the same problem?

Before using libapache2-mod-auth-ntlm-winbind, we gave AuthenNTLM a try
and got into situations, where the Perl module wouldn't release the lock
properly or in a timely manner, which would result in a not responding
Apache sometimes (sounds familiar). Parameter tuning AuthenNTLM resulted
in Apache requests not being authenticated properly - which way are you
using to enable Apache to "speak NTLM"?
AuthenNTLM didn't seem to be as stable and reliable as the
libapache2-mod-auth-ntlm-winbind solution, so we switched. Just to
encounter slow AUTH connects, which seem to happen pretty randomly as well.

Eventually and imo it turns out that using NTLM+Apache is not the plain
simple and just be happy solution as it first seemed :(

Not using NTLM, Kerberos seems to be the best alternative to me, too...
oh well. I shall let you know.
Post by Mauro Lorenzutti
> We didn't experience any
> performance problem but this problem is even worse :-(

Agreed.

Ralf