plone and single-sign on - active directory and the holy grail

Plone and Single-Sign On

Matt Hamilton

Active Directory and the Holy Grail

Plone Open Garden 2013

Who am I?

• Working with Plone/Zope since 1999

• Director at Netsight in the UK

• Worked on a number of projects doing authentication over the years


What are we trying to do?

• Allow uses to be automatically logged in to a website without having to type in their username/password


Kerberos

• Developed by MIT many many years ago

• Used in Unix.... but also used on Windows, OSX, Linux

• Based on authentication ‘tickets’


Other approaches• Apache in front of Plone

- mod_kerberos

- mod_ntlm

- mod_authtkt / mod_pubcookie

• Plone on IIS

- Enfold proxy

- IISAPI


Why do it in Plone?

• Ultimate control over if/when to require authentication from a user

• Fallback to other authentication methods

• Mix of user sources


netsight.windowsauthplugin

• Runs on either Windows or Unix/Linux/OSX

• Windows: Uses Windows’ internal SSPI API

• Unix: Uses MIT Kerberos libraries


[buildout]...

eggs = ... netsight.windowsauthplugin


Recent Use-case

• Two departments of National Health Service are merging

• ...but their IT systems are still separate

• Two different Active Directory domains: CFH and IC


Recent Use-case• Half the users in one domain, half in the

other

• Both need to be automatically authenticated to a single, common intranet

• Need to allow fallback to manual username/password


How does Kerberos work?


Demo


Complex Setups


Member Properties

• Get data from Active Directory via LDAP

• Use plone.app.ldap

• Can use OpenLDAP as a proxy server

- Increased reliability

- Combine multiple LDAP/AD servers

- Caching


Questions?

• Matt Hamilton

• [email protected]

• @hammertoe

• https://github.com/netsight/netsight.windowsauthplugin

mailto:[email protected]

mailto:[email protected]

https://github.com/netsight/netsight.windowsauthplugin




plone and single-sign on - active directory and the holy grail

Documents