These are the slides of a talk I gave on Single Sign On in Plone via Active Directory using netsight.windowsauthplugin
Plone and Single-Sign On
Matt Hamilton
Active Directory and the Holy Grail
Plone Open Garden 2013
Who am I?
• Working with Plone/Zope since 1999
• Director at Netsight in the UK
• Worked on a number of projects doing authentication over the years
What are we trying to do?
• Allow users to be automatically logged in to a website without having to type in their username/password
Kerberos
• Developed by MIT many many years ago
• Used in Unix... but also used on Windows, OSX, Linux
• Based on authentication ‘tickets’
Other approaches
• Apache in front of Plone
- mod_kerberos
- mod_ntlm
- mod_authtkt / mod_pubcookie
• Plone on IIS
- Enfold proxy
- IISAPI
Why do it in Plone?
• Ultimate control over if/when to require authentication from a user
• Fallback to other authentication methods
• Mix of user sources
netsight.windowsauthplugin
• Runs on either Windows or Unix/Linux/OSX
• Windows: Uses Windows’ internal SSPI API
• Unix: Uses MIT Kerberos libraries
[buildout]
...
eggs =
    ...
    netsight.windowsauthplugin
Recent Use-case
• Two departments of the National Health Service are merging
• ...but their IT systems are still separate
• Two different Active Directory domains: CFH and IC
Recent Use-case
• Half the users in one domain, half in the other
• Both need to be automatically authenticated to a single, common intranet
• Need to allow fallback to manual username/password
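An added illustration, not code from netsight.windowsauthplugin, of what a Plone-side SSO plugin like the one above has to do for this use-case: pull the browser's Negotiate token out of the request, keep NTLM or malformed tokens away from the Kerberos acceptor, map principals from the two AD domains to distinct Plone user ids, and fall back to the manual login form when automatic authentication fails. The accept_token callable stands in for SSPI or the MIT Kerberos libraries; REALM_PREFIX, the realm names, /login_form and the sample token are assumptions.

```python
import base64
from typing import Callable, Optional

SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"            # DER OID 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"  # DER OID 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # browsers may send NTLM inside Negotiate
# Hypothetical realm -> user-id prefix table for the two-domain intranet.
REALM_PREFIX = {"CFH.EXAMPLE": "cfh", "IC.EXAMPLE": "ic"}
# Constructed sample: SPNEGO header plus an empty negTokenInit, not a real ticket.
SAMPLE_TOKEN = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"
SAMPLE_HEADERS = {"Authorization": "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()}

def classify_token(token: bytes) -> str:
    """Return 'spnego', 'krb5', 'ntlm' or 'unknown' for a decoded Negotiate token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:  # [APPLICATION 0] tag of InitialContextToken
        return "unknown"
    length_byte = token[1]  # DER length: short form, or 0x8n followed by n length bytes
    offset = 2 if length_byte < 0x80 else 2 + (length_byte & 0x7F)
    if token.startswith(SPNEGO_OID, offset):
        return "spnego"
    return "krb5" if token.startswith(KRB5_OID, offset) else "unknown"

def extract_credentials(headers: dict) -> Optional[bytes]:
    """Decode the token from 'Authorization: Negotiate <base64>'; None if absent or malformed."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return None

def authenticate(headers: dict, accept_token: Callable[[bytes], Optional[str]]) -> Optional[str]:
    """Hand a Kerberos/SPNEGO token to the platform acceptor (SSPI or MIT Kerberos in the
    real plugin; injected here) and map the principal 'user@REALM' to a Plone user id."""
    token = extract_credentials(headers)
    if token is None or classify_token(token) not in ("spnego", "krb5"):
        return None  # NTLM or garbage never reaches the Kerberos acceptor
    user, _, realm = (accept_token(token) or "").rpartition("@")
    prefix = REALM_PREFIX.get(realm.upper())
    return f"{prefix}\\{user.lower()}" if prefix and user else None

def challenge(headers: dict) -> dict:
    """First ask for a Negotiate token; if one was already sent and failed, fall back to the form."""
    if "Authorization" in headers:
        return {"status": 302, "Location": "/login_form"}
    return {"status": 401, "WWW-Authenticate": "Negotiate"}
```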
How does Kerberos work?
Demo
Complex Setups
Member Properties
• Get data from Active Directory via LDAP
• Use plone.app.ldap
• Can use OpenLDAP as a proxy server
- Increased reliability
- Combine multiple LDAP/AD servers
- Caching
Questions?
• Matt Hamilton
• matth@netsight.co.uk
• @hammertoe
• https://github.com/netsight/netsight.windowsauthplugin