[sword-devel] SSO for crosswire (was: Re: A simple Fedora SWORD compile/install script )
jmarsden at fastmail.fm
Thu Sep 3 00:51:14 MST 2009
Peter von Kaehne wrote:
> We introduced this 4 day gap as a way to reduce the Wikispam we got.
Yes, that makes sense. But the machine has "known" me for longer than 4
> Single sign on was discussed ... But I am sure, Troy will be
> delighted to hear to your suggestions how to solve this anyway.
The best time to do it is at system design time, not after the fact on a
production server or set of servers...
With as many subsystems as you list, I'd suggest an LDAP authentication
database, then PAM and all other subsystem can use that for auth instead
of their own little independent auth systems. If you wanted a nice
business-grade LDAP setup, Fedora Directory Server (now renamed to 389
Directory server for some reason) is one possibility, though maybe
overkill for the scale we are looking at here. See
> Bugs database
> News database
This (the RSS feed at http://crosswire.org/news.rss.jsp ) seems to be
stuck in 2008? SWORD 1.6.0 isn't even announced in it... seems wrong.
I'm not sure what backend it uses, so I can't comment on how/whether it
can use LDAP for auth. What is the application concerned?
LDAP is supported only in the "Enterprise Edition" :( This could be a
sticking point, unless Crosswire has an "Enterprise" licence for this
software, or some third party has added LDAP support to the free version.
> Shell access
PAM can query LDAP, so no problem there.
> SVN access
I doubt SVN has an independent set of users and passwords? If it uses
normal unix users and getpwent() and friends, then PAM hooked to LDAP
will work fine.
> Community website
I can't find a link to a separate "community web site" from the
crosswire.org front page... what and where is this?
> Website translators
> SwordWeb translators
What apps that have separate auth databases are we talking about here?
I can't find links to these from the crosswire.org front page, either.
> Tomcat various admin functions
If you can provide application names for any of the subsystems you
listed that I didn't find, I can then try to check whether LDAP will
work for them without major hacking, too.
More information about the sword-devel