Thursday Feb 21, 2008

Simple Web Server Authentication and SGD

Seems that a lot of people are interested in using Web Server Authentication.

A new article that concerns Basic HTTP Authentication and SGD has been posted to the SGD Wiki. Even if Basic HTTP authentication is not what you want, this article illustrates the principles around configuring SGD.

There's also a handy debugging tool (environment.jsp) that you can drop into the SGD webapp directory (/opt/tarantella/webserver/tomcat/*/webapps/sgd) to find out what the web environment looks like.

Another article specifically about Sun Access Manager is also in the works.

 -FB

Tuesday Jan 08, 2008

Speeding up LDAP queries when using Web Authentication

Some time back we discussed how to speed up LDAP authentication when logging into SGD. In this tip, we simply recommended reducing the user attributes that we search in order to authenticate a user given the provided credentials.

Well, nice tip as it was, it only works when you are logging in directly to SGD (using built-in authentication) and doesn't help if you are using Web Server Authentication, i.e. when something else protects the /sgd URI: a simple mechanism like Apache basic HTTP authentication (.htaccess), or something more powerful like Sun's Java System Access Manager.

If you're doing this, you need to configure the search attributes on an additional bean in the SGD system. And, to preserve your sanity, Fat Bloke recommends always keeping the two beans in step by configuring them together:

/opt/tarantella/bin/tarantella stop
/opt/tarantella/bin/tarantella config edit --thirdpartyldaploginauthority.properties-searchAttributes cn mail
/opt/tarantella/bin/tarantella config edit --searchldapla.properties-searchAttributes cn mail
/opt/tarantella/bin/tarantella start

Sorry not to have mentioned this earlier ;-)

-FB

Wednesday Apr 18, 2007

Speeding up LDAP authentication

Lots of people use SGD with Directory Servers and it's easy to set up.
In the Array Manager simply enable the LDAP login authority and point SGD at the Directory Server.
Here's an example:

Now, out of the box, the LDAP login authority is very thorough in checking the supplied username against all of these searchAttributes:
{ cn, uid, mail, userPrincipalName, sAMAccountName }

And so for large directories this may take some time and lead to a slow login process.

So here's a tip:
Trim the list of search attributes down to, say, { cn, mail }.
The command to do this is:

/opt/tarantella/bin/tarantella config edit --searchldapla.properties-searchAttributes cn mail

Hopefully you'll see that this makes searches much faster and consequently the login process too.
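To make the effect of the searchAttributes list concrete, here is an added illustration (not SGD's own code, and SGD's exact filter syntax is an assumption here): it builds the LDAP OR-filter that a login authority would need for the default five attributes versus the trimmed pair, and escapes the supplied username per RFC 4515 so a login name cannot alter the filter's structure.

```python
# Search attributes SGD checks by default (from the post) and the trimmed list.
DEFAULT_SEARCH_ATTRS = ["cn", "uid", "mail", "userPrincipalName", "sAMAccountName"]
TRIMMED_SEARCH_ATTRS = ["cn", "mail"]

# RFC 4515: these characters in an assertion value must be escaped as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str, attrs) -> str:
    """Build an OR filter matching the username against every search attribute.

    Assumption (not from the post): SGD's real filter construction is not
    documented here; this only shows how the attribute list drives filter size.
    """
    if not attrs:
        raise ValueError("at least one search attribute is required")
    safe = escape_filter_value(username)
    clauses = "".join(f"({attr}={safe})" for attr in attrs)
    return clauses if len(attrs) == 1 else f"(|{clauses})"


def clause_count(ldap_filter: str) -> int:
    """Number of equality clauses the directory must evaluate for one login."""
    return ldap_filter.count("=")


if __name__ == "__main__":
    # Constructed sample login name; note the '*' that would otherwise act as a wildcard.
    for attrs in (DEFAULT_SEARCH_ATTRS, TRIMMED_SEARCH_ATTRS):
        f = build_login_filter("fb*", attrs)
        print(f"{clause_count(f)} clauses: {f}")
```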

-FB

Tuesday Apr 17, 2007

Using a Domain Name when caching credentials for UNIX application servers

Here's a tip which makes life easier for users logging in to multiple UNIX backends...

Imagine you have a large number of UNIX or Linux application servers.
And you use the same credentials to log in to all of them (e.g. they may all use a central LDAP server or NIS+).

Normally, when you launch an app on one of these servers and SGD doesn't have a cached set of credentials, the user is prompted for a username/password. In this scenario, where there are a lot of servers, this can become tedious for the user.

So here are 2 suggestions:

1. If you use the same credentials on the SGD server and on the UNIX app servers, you can enable the "Try SGD password" option. This is enabled in the Array Manager thus:

2. If the SGD server uses different credentials from all the 3rd tier UNIX app servers, label the app server objects as being in the same domain. You do this by setting the inappropriately named "Windows NT Domain" attribute on all your app servers to the same value, e.g. "DatacenterServers".

Now the credentials are cached against the domain rather than a single app server.
So when your users now launch a UNIX app on any other UNIX server in the same domain, they won't be prompted.

FB

About

Fat Bloke