-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Oct 23, 2007 at 08:00:19PM -0400, Rolf wrote:
> Hi All.
> 
> I have a web server (Linux/apache) that runs a number of 'applications'. 
> There are standard static web pages, as well as:
> In PHP -> webmail (squirrelmail), wiki (mediawiki), a photo gallery 
> ("Gallery" 2.2), bug tracking (mantis), mysqladmin
> In Perl -> some simple custom CGI stuff (access to some logs, etc).
> In Java -> I have a tomcat server that is 'proxied' by the apache server.
> 
> My wife and I routinely use these applications (OK, I use most, my wife 
> uses some....).
> 
> I have already 'secured' my server from the big bad world (HTTPS, 
> firewall rules, etc), but I am looking to accomplish the following:
> 
> I would like a single username/password to be supplied that will then be 
> used to authenticate to each of the applications...
> 
> Currently it is a real pain to have to login to each app individually. 
> It is especially painful if the browser is currently logged in as my 
> wife in one place, and me in another...
> 
> HTTP authentication appears to be a good start (either basic, or digest, 
> over HTTPS it's trusted), but there is no way to logout!
> 
> The system I have is about to get expanded usage, I am going to allow 
> remote access to my brothers, as well as some close friends. I would 
> like to 'unify' the authentication processes for each of these things a 
> bit better.
> 
> In addition, each 'application' uses it's own authentication system 
> (most have stuff stored in mysql tables). I would prefer to keep it 
> linked to the same user accounts on the linux system.
> 
> I have tried to google for things, but there is too much noise.... and 
> no real content.
> 
> I realise that I can go through each of my applications and 
> reconfigure/rewrite the authentication to use a singe source of 
> authentication (perhaps LDAP, or PAM), but that will still leave each 
> app with it's own login/session.
> 
> Is there someone out there with any insight in to this problem? Is there 
> some standard?

One interesting possibility would be to implement OpenID for all of your
apps.

http://en.wikipedia.org/wiki/OpenID
http://openid.net/

The idea behind it is that, essentially, you get a single OpenID stored
on a server of your choice. Every app, from *anywhere*, that wants to
authenticate you simply has you enter your open id, which is in the form
of a url, mine is just petertodd.org The app you are trying to
authenticate with then uses that url to contact the authentication
server and verify your identify through some HTTP sessions magic.

With OpenID not only would your apps get a single login, but you'd have
a login that'd work on any OpenID enabled site. Currently that doesn't
include too many sites, but does include some interesting heavy hitters
like livejournal.com

One cool thing about OpenID is that you can delegate ids. So if you have
access to *any* sort of webhosting, you can put up a specially crafted
webpage using some simple html tags that essentially says "if you're
using http://joe.com as an OpenID authentication url, redirect to
http://joe.openidauthenticator.com"

Basically even if you don't have the minor resources to setup the
authentication server, which is just a php script, you can *really*
easilly setup a redirect page. The advantage of this is that if, say,
openidauthenticator.com goes out of business, you can change
your joe.com websites redirect and keep using joe.com as your ID.

My redirect setup is the following, visible if you go to my webpage and
hit view source:

<head>
(snip)
<link rel="openid.server" href="http://petertodd.org/MyID.config.php">
<link rel="openid.delegate" href="http://petertodd.org/MyID.config.php">
</head>

I then use the phpMyOpenID script from
http://labs.bendodson.com/phpmyopenid/ to do the actual authentication.
Your users can use free authtication sites, or you can very easilly
setup your own.


For you to use it you'd have to make each app support openid
authentication. Then the openid would be used as the key in your
database to each account's data.

- -- 
http://petertodd.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHHrsu3bMhDbI9xWQRAttnAJ9ruFfGnZnQamo247I6bwV/IyWc6ACfXvo8
k7vuQBKT2zLoEeiz4zrwLxk=
=ahft
-----END PGP SIGNATURE-----
-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist