SingleSignOnInstaller

Background

Directory Services are a vital, core component of most modern IT setups. Most commonly Directory Services are implemented using Microsoft's Active Directory (AD).

Given these factors, the ability to easily connect desktops to a single sign-on system such as this (bearing in mind that AD is GUI-driven) would help promote Ubuntu usage within enterprise IT environments.

Some distributions, Fedora for instance, allow the user to specify an LDAP server for single sign-on during the install process.

Suggested Feature Specification

1) Integrate an option into the install process allowing the user to specify an LDAP server to authenticate against for single sign-on. This should be possible without the need for users to edit configuration files.

2) Integrate a program into the desktop system allowing the user to change and/or create new LDAP settings using a GUI, without editing configuration files.

Discussion

OlivierS: You're mixing up Single Sign On (which requires Kerberos, Aselect or similar technologies) with directory authentication. Just having the same username/password everywhere is not yet single sign on. Single sign on means that you log on to your desktop, and all other services on the corporate network (Intranet websites, SAP, file servers) know who you are and do not ask for a password anymore. Directory authentication is the first step, but Kerberos is also required. Microsoft Active Directory does both: it has an LDAP directory and it is a Kerberos REALM. In many large Active Directory installs it is possible to automatically detect the availability of these servers with a DNS query.

Warbo: As a home user I don't even know what this is, and nervous new users who may be just about to mess around with their partition of precious home movies, etc. may stop the entire process to be on the safe side if they are asked about something they have no idea about. If it was adequately explained then it would take up a large amount of space on the screen. Basically I am saying that the installer should be kept as simple as possible. This functionality can be added easily after installation, or maybe an office-specific derivative like Obuntu can put it in its installer, and if a massive load of machines are going to be set up, making such a thing time consuming, then perhaps an image-based installer (that just dumps a preconfigured installation onto a disc) would be more appropriate. Remember, GNOME tries to follow KISS (Keep It Simple, Stupid!) :)

AndrewMitchell: This is already substantially implemented in the FeistyNetworkAuthentication spec, aside from the installer part (which would be mainly integrating the main configuration app)

ChrisRowson: @ Andrew I must have missed your spec! I've marked the SingleSignOnInstaller spec superseded by yours!

ray73864: I have to say, I think this is an excellent idea. All you have to do in my mind is ask the user if they are installing it in a 'Home' or 'Business' environment; if the user selects 'Business' then you can do the whole asking them if they have an LDAP server and if so how to access it. One of the biggest things that Linux has been lacking is good integration with AD, or better yet, an AD of its own that is just as good as Microsoft's AD (Novell's eDirectory just doesn't cut it, since it ends up costing you more per user than what Windows Server costs).

BasHekking: It would be great if you could choose how to log in in the login window. I would like to see a login screen where you could fill in username, password and LDAP server. In the LDAP server drop-down list you can select one of the configured LDAP servers, or -none-, which means you log in locally.

SingleSignOnInstaller (last edited 2008-08-06 16:28:19 by localhost)