0

My problem is, I have a number of prepackaged web apps (a print system, a wiki, a bug tracker, an email archive, etc.) running on different Mac OS X Leopard (soon to be SL) servers that each need to authenticate users from the internet at large. Right now every server presents an Apache basic authentication prompt, which takes a shared login, but it's apparently enough of an inconvenience to log in repeatedly that people are sending email without checking the wiki or bug tracker or archive. In the case of the bug tracker, a user might need to log in twice---once for Apache if he hasn't used any other protected service on that server, once for the bug tracker itself so it can distinguish different people.

Since the only common component to all these apps is Apache 2 itself, does it have any way of authenticating a user once, in some way that will be respected by other servers and various web apps?

Looked at "How is session stickiness achieved across multiple web servers?" but it sounds like the answer is assuming that I get to write my own web app.

Looked at Ian Bicking's blog but it's four years old and recommends something available only for apache 1.3, not apache 2.

Sorry not to hyperlink the second site---apparently I need 10 reputation points.

Edit: Shibboleth does what I need, but I should have specified that I'm looking for a really dumb, really simple solution for in-house services that need to handle all of a dozen users, probably not more than three at a time.

Wang

3 Answers

1

Look into Shibboleth: http://shibboleth.internet2.edu/

Recursion
0

I've just tackled this problem myself [Link]. It's pretty easy to set up a Kerberos server, compile the mod_auth_kerb module and configure the Apache webserver.

Note that I've only tried single sign-on with Firefox in Linux, as I currently do not have an Active Directory linked to the Kerberos server. That is my next step, though. :)

Beerdude26
0

Kerberos would do what you want (and more). You would have to run a Kerberos service though, but that isn't that hard. Kerberos tools are usually already installed on client devices too.
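
The mod_auth_kerb setup that the two Kerberos answers describe, as an added example that is not part of either answer: a sketch of one Apache 2 virtual host replacing the shared Basic login. The realm, hostname, certificate and keytab paths are constructed placeholders, and it assumes a KDC is already running and mod_auth_kerb is compiled and loaded.

```apache
# Added example; every name and path below is a constructed placeholder.
# Assumes a keytab containing the service principal
#   HTTP/wiki.example.com@EXAMPLE.COM
# owned by the Apache user with mode 0400. Anyone who can read the keytab
# can impersonate this web server to Kerberos clients.

<VirtualHost *:443>
    ServerName wiki.example.com

    # Serve only over TLS: the site is reachable from the internet, and the
    # session content after authentication is otherwise sent in the clear.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/wiki.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wiki.example.com.key

    <Location />
        AuthType Kerberos
        AuthName "Example services"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/http.keytab

        # Negotiate (SPNEGO): the browser presents a service ticket obtained
        # from the user's existing Kerberos login, so no prompt appears.
        KrbMethodNegotiate On

        # Off: never fall back to a Basic-style password prompt. With On,
        # Apache receives the user's Kerberos password on every request,
        # which reintroduces the repeated-login and password-exposure
        # problems of the shared Basic login.
        KrbMethodK5Passwd Off

        # Each person is identified individually; the authenticated
        # principal is exported to the application as REMOTE_USER.
        Require valid-user
    </Location>
</VirtualHost>

# Every other server repeats this block with its own ServerName and its own
# HTTP/<hostname> principal in its keytab. An application (such as the bug
# tracker) skips its second login only if it can be configured to trust
# REMOTE_USER; that is an assumption about the application, not something
# Apache provides.
```

Firefox sends Negotiate tickets only to hosts listed in its `network.negotiate-auth.trusted-uris` preference, so each protected hostname has to be added there on the clients.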