
I have a server running two web applications: Gerrit and Mantis BT. Now, these applications connect to an LDAP server to authenticate users and it works fine. But the user has to authenticate for each application; I would like to allow the user to authenticate only once (possibly using Apache+LDAP) and reuse the credentials to log the user in to both applications automatically.

My network architecture now:

diagram of network architecture I have now

The network architecture I want:

diagram of network architecture I want

I don't even know what to look for on Google as I am not familiar with HTTP authentication and server administration in general. Any solution or pointers toward what I want would be appreciated.

Configuration:
Ubuntu server 14.04 LTS
Apache2 2.4
Gerrit 2.10
Mantis BT 1.2.19

Important notes:
I want to keep Gerrit.
I can use another bug tracker if it does what I want easily.

Julien-L

3 Answers

4

There are several standards for web SSO. LDAP is not an SSO mechanism, just information lookup. Reach out to your vendors to find out if these applications support Kerberos (Apache uses mod_auth_kerb) or SAML (such as Shibboleth). Each will require some infrastructure, such as Active Directory, FreeIPA, Shibboleth, Oracle Identity Federation, etc.

DTK
2

I would suggest using Kerberos/GSSAPI authentication if you want single sign-on for your applications. With an Identity Management server with centralized storage for your users and groups, you can hook up your Apache web applications, Gerrit or Redmine. For the IdM server, you can use the FreeIPA project, which is free and open source.

Martin Kosek
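The Kerberos/GSSAPI route that the two answers above recommend, shown as an added example (this is not code from either answerer, nor from the Gerrit or FreeIPA projects): an Apache 2.4 virtual-host fragment that uses mod_auth_kerb, the module DTK mentions, to accept the browser's existing Kerberos ticket and then proxies the request to Gerrit with the authenticated principal in a header. The realm EXAMPLE.COM, the hostnames, the keytab path, the certificate paths and the backend port 8081 are all assumed values chosen for the example.

```apache
# Added example (not from the original answers): Apache 2.4 in front of Gerrit,
# authenticating with Kerberos/SPNEGO through mod_auth_kerb so that a user who
# already holds a ticket from the domain (FreeIPA, AD, ...) is logged in without
# typing a second password. Assumed: realm EXAMPLE.COM, keytab and cert paths,
# hostnames and the Gerrit backend port.
<VirtualHost *:443>
    ServerName gerrit.example.com

    # Negotiate tokens and the resulting session must never travel in clear text.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gerrit.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/gerrit.example.com.key

    <Location /gerrit/>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        # Keytab holding HTTP/gerrit.example.com@EXAMPLE.COM; readable only by
        # the Apache service user.
        Krb5KeyTab /etc/apache2/http.keytab
        KrbServiceName HTTP
        KrbMethodNegotiate On
        # Do not fall back to prompting the user for a Kerberos password over HTTP;
        # a client without a ticket simply gets 401.
        KrbMethodK5Passwd Off
        # Hand Gerrit "alice" rather than "alice@EXAMPLE.COM".
        KrbLocalUserMapping On
        Require valid-user

        # Forward the authenticated principal to Gerrit. "set" replaces any
        # X-Forwarded-User a client tried to inject itself.
        RequestHeader set X-Forwarded-User "expr=%{REMOTE_USER}"
    </Location>

    ProxyPreserveHost On
    ProxyPass        /gerrit/ http://127.0.0.1:8081/gerrit/
    ProxyPassReverse /gerrit/ http://127.0.0.1:8081/gerrit/
</VirtualHost>
```

On the Gerrit side this pairs with `auth.type = HTTP` plus `auth.httpHeader = X-Forwarded-User` in gerrit.config, and `httpd.listenUrl = proxy-https://127.0.0.1:8081/gerrit/` so that Gerrit listens on loopback only. That last setting is the one that matters for safety: Gerrit trusts the header blindly, so the only path to it must be through this proxy, where `Require valid-user` guarantees the header is set from a verified Kerberos principal and not by the client. Mantis BT would need its own equivalent of trusting a proxy-supplied identity, which the answers here do not cover.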
1

In your case, it would also make sense to use Univention Corporate Server (UCS), because it includes an SSO mechanism via SAML 2.0 since the latest release (UCS 4.1). More about that in the UCS manual. The user data you need to manage is stored and administered in OpenLDAP, which is also included in UCS.

In case you test UCS, which you can download for free from Univention's website, and its SSO feature, your application only needs to be configured to use UCS as the IdP. For this, check again the UCS manual.

Since UCS is also based on Debian, your Ubuntu clients could easily be integrated into the UCS domain. More details on this again in the UCS manual. The LDAP integration is managed via SSSD.