> Sorry if I'm jumping into the discussion a little late but why are all
> these services authenticating against each other?
>
> For that matter why do we store any authentication details in the db?
>
> Why not setup a single central LDAP server and have everything
> authenticate against that, eg conductor, katello, candlepin, pulp, etc.
>
> This may just be my opinion but I feel we replicate way too much data w/
> aeolus, LDAP is meant for high performance authentication, and is simple
> to setup and use.
Yes, but not all components really need authentication.
As long as it is an internal component it just needs a trusted
connection to a peer.
That's fine, those components would be unaffected by all of this.
If we are talking about externally facing components like Conductor and
Katello there are always two options:
1) Use central auth store with SSO (that would be AD or IPA as pure LDAP
does not provide SSO) and perform operations using end user identity
when one component needs to talk to another
If we're just talking about the web interfaces couldn't we just use a
shared cookie or similar? Then when communicating between conductor /
katello on the backend, we just need to simply pass around the current
logged in user over a trusted connection, no need for auth between those
components.
2) Create a separate channel on a separate port. This connection just
requires server to server trust. It can be OAuth, SSL, Kerberos or other
similar technology.
I don't have much experience w/ it, but OAuth seems to be quickly
becoming a standard for these matters. Perhaps supporting OAuth logins
into conductor and katello would be a good solution?
-Mo
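Added example (not code from this thread or from the Aeolus, Conductor or Katello projects) of what "pass around the current logged in user over a trusted connection" looks like when the server-to-server trust from option 2 is made explicit: the calling service signs a short-lived assertion naming the end user, and the receiving service accepts that identity only after checking the issuer is a known peer, the signature verifies under that peer's key, and the validity window has not passed. A per-peer HMAC shared secret is assumed here as a stand-in for whichever of OAuth, SSL or Kerberos is chosen; the peer names and secrets are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class AssertionRejected(Exception):
    """Raised when a peer's user assertion fails verification."""


# Constructed example: one shared secret per trusted peer service. In a real
# deployment these come from a secret store and are rotated; they are inline
# only so the example runs stand-alone.
PEER_KEYS = {
    "conductor": b"conductor-shared-secret-constructed",
    "katello": b"katello-shared-secret-constructed",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, user: str, key: bytes, ttl: int = 300, now=None) -> str:
    """Build a signed assertion "service <issuer> vouches that <user> is logged in".

    The caller (e.g. Conductor) signs with its own shared key. The assertion
    is short-lived so a copy captured later is useless after `ttl` seconds.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,
        "sub": user,
        "iat": now,
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),  # makes each assertion distinct
    }
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_assertion(token: str, peer_keys=PEER_KEYS, now=None) -> str:
    """Return the asserted user name, or raise AssertionRejected.

    Checks, in order: well-formedness, that the issuer is a known peer, that
    the HMAC verifies under that peer's key (constant-time compare), and that
    the assertion is inside its validity window (30 s clock skew allowed).
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError) as exc:
        raise AssertionRejected("malformed assertion") from exc
    if not isinstance(payload, dict):
        raise AssertionRejected("malformed assertion")
    issuer = payload.get("iss")
    key = peer_keys.get(issuer)
    if key is None:
        raise AssertionRejected("unknown issuer %r" % (issuer,))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise AssertionRejected("bad signature")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)) or not (iat - 30 <= now < exp):
        raise AssertionRejected("assertion expired or not yet valid")
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        raise AssertionRejected("missing subject")
    return sub


def verdict(token: str, now=None) -> str:
    """Convenience wrapper: "ok:<user>" or "rejected:<reason>"."""
    try:
        return "ok:" + verify_assertion(token, now=now)
    except AssertionRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Conductor vouches for alice; Katello's side checks it.
    tok = issue_assertion("conductor", "alice", PEER_KEYS["conductor"])
    print(verdict(tok))                                           # ok:alice
    print(verdict(tok.rsplit(".", 1)[0] + "." + "0" * 64))        # rejected:bad signature
```

The point of the verifier is that the receiving component never trusts the user name on its own: the name is only as good as the peer signature that carries it, which is exactly the server-to-server trust option 2 describes, and the user identity from option 1 rides on top of it.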