Slashdot Mirror


Single Sign-On for Integrated Open-Source Apps?

maiden_taiwan asks: "We're constructing a free groupware application by integrating well-known open source components: apache webserver, inn news server, ircd chat, scp for file transfer, etc. Unfortunately, each app has its own incompatible concept of a 'user identity.' Apache has the htpasswd module, IRC has nicknames, scp has public keys, NetNews has the poster's email address, and so forth. Has anyone managed to integrate a similar suite of apps using a single sign-on model, where a user has a single identity that is understood and carried through all these apps?"

4 of 28 comments

  1. What are you trying to do? by edbarrett (Score: 3, Informative)

    It might help if you were clear about what you were trying to do. Might the phpGroupWare project be something to base your project on?

  2. Maybe this is relevant: DotGNU VIS by Anonymous Coward (Score: 1, Informative)

    Recent post to developers@dotgnu.info from Peter Minten:

    A lot is unclear about the DotGNU Common Virtual Identity System (DCVIS or simply VIS). And with the current amount of active auth coders that's not likely to change soon. The VIS needs however to be integrated into the DotGNU System. I therefore propose the following:

    * We should create a specification of the VIS.
    * These specifications should be used to implement a minimal feature reference VIS server.

    The way I see things there are a number of things to be put into the VIS spec:

    * How the VIS server communicates with a webservice
    * How a Virtual Identity must be structured (note that this only applies to the VI sent over the connection with the webservice; the VIS server's internal structure of a VI is unspecified).
    * What fields of a VI are mandatory (a field like name should be in all VIs)

    After the VIS spec is put up a very basic reference implementation can be created. The reference implementation can then be used as a testing aid for the Arch and Auth coders.

  3. We're sorta doing this, but not exactly... by PhaseBurn (Score: 4, Informative)

    We have a MySQL database that is used for e-mail, RADIUS, and FTP logins, and all those records are kept in MySQL... I'm not familiar enough with LDAP to suggest it, but it is there if you'd like to try... From what I've seen, and what we're doing, here's what I know is possible...

    Apache has a mod_auth_mysql which will auth based on a MySQL database already... (http://sourceforge.net/projects/modauthmysql/)

    That's trivial... They have a pam_mysql module as well that we use - it works... (http://sourceforge.net/projects/pam-mysql)...

    Next on your list is inn, which I have no experience with. You'd most likely need to hack some form of parsing by e-mail address or IP (or password on a secured server) to verify/force identity...

    ircd would be very easy to do... Shell account running a slightly modded "dircproxy" (http://www.dircproxy.net) would force identity based on a password, and would "proxy" the connection to the server transparently.

    Scp, if you're not using keys, could just use regular pam, with pam_mysql. Anyway, hope this helps.

    LDAP may be a better solution, but I know for a fact this is possible (we're using these tools across apache, proftpd, scp, Courier-pop3/imap, and Exim for an MTA... we run a full ISP off these tools). Best of luck!

    --
    -PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
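
As an added illustration of the shared-store design PhaseBurn describes (this is not code from the thread, nor from mod_auth_mysql or pam_mysql): one credential table that every front end checks through a single verification routine, with SQLite standing in for MySQL and PBKDF2 standing in for crypt(). The column names, work factor and the two front-end stubs are assumptions.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the shared MySQL credentials table (columns assumed).
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)"
ITERATIONS = 200_000  # PBKDF2 work factor (assumption; tune for the hardware)


def hash_password(password: str, salt: bytes) -> bytes:
    """One hash scheme shared by every front end; PBKDF2-HMAC-SHA256 stands in for crypt().
    If the web and PAM sides used different schemes, one of them would reject every login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # in-memory so the example runs offline
    db.execute(SCHEMA)
    return db


def add_user(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt: identical passwords get different hashes
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The single check every service delegates to (the role mod_auth_mysql / pam_mysql play)."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users, no timing tell
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def apache_basic_auth(db: sqlite3.Connection, authorization_header: str) -> bool:
    """Stand-in for the web front end: parse an HTTP Basic header, then use the shared check."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return verify(db, user, password)


def pam_auth(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Stand-in for the PAM side (sshd/scp): the same check, so the same identity."""
    return verify(db, user, password)
```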

  4. Today, LDAP. Tomorrow, Liberty or Passport by velkro (Score: 4, Informative)

    Today's solution is to use LDAP.

    I have, right now, the following systems integrated using LDAP for authentication:

    Linux (anything that uses PAM - ssh, ftp, X)
    AIX 5.1
    Apache (mod_ldap)
    IBM HTTP Server (mod_ibm_ldap)
    Several internal apps (PHP, Perl, C/C++)
    MS Active Directory & Exchange
    Lotus SameTime, and Lotus QuickPlace
    Nortel Contivity VPN systems

    And probably one or two things I've forgotten. So it's probably simple enough to add in the bits (IRC mainly) for the rest.