[TYPO3-english] typo3 - saml 2.0 - cas-server - ldap - active directory

Kay Strobach typo3 at kay-strobach.de
Tue Jan 24 20:07:34 CET 2012


Hi,

please take a look at eu_ldap and single-signon.com; these extensions
should do the trick. It's not exactly how you specified it, but it's
working perfectly for me in similar environments.

Regards
Kay



On 24.01.2012 20:02, patrick at bierans.de wrote:
> 
> Hello list!
> 
> If my English sounds weird: it's not my native tongue - bear with me
> please.
> 
> This one is an advanced setup question. I hope some real hackers are
> reading this. :) If you do not understand the basics of my question,
> please don't ask me to explain it. No offence, I'm just short on time.
> But feel free to read on and follow this topic and learn on your own. ;)
> 
> I've spent a lot of time reading tons of stuff about software and
> protocols (boss already got picky a week ago ^^) but even my hottest
> candidates for now (simpleSAMLphp and ig_ldap_sso_auth) are not really
> convincing me yet.
> 
> So I want to ask you!
> 
> In short:
> 
> Multiple typo3 installations should auth against active directory.
> To support SSO I want a CAS-server (with tickets) in between.
> The communication should be server side for better protection.
> Groups in active directory define access rights in typo3.
> Security and stability must be extremely high. No DOS.
> How?
> 
> In long:
> 
> I want multiple typo3 installations running the latest 4.6 to talk
> shib 1.3 or saml 2.0 with a php based cas-server, which then talks ldap
> to an active directory on the latest windows server 2008 which holds
> account details and group assignments reflecting the roles/rights the
> user will have inside typo3. So typo3 will map AD-groups to
> typo3-usergroups. This has to work for frontend-users and backend-users.
> 
> I have two more mirrors of the AD to be added to the CAS-server and I
> want to add another CAS-server so I have enough redundancy to eliminate
> some single points of failure. DDOS-resistant typo3 sites - haha -
> that's of lower importance for now.
> 
> The communication typo3 <-> cas-server should run server side on a local
> ip range, which would require CURL or something alike. All servers are
> in the same rack. So header redirects sent to the browser are to be
> avoided.
> 
> The communication cas-server <-> ldap should use local range ips too, so
> that the really important systems are not accessible from the "evil"
> outside.
> 
> The servers run the latest php5 with Suhosin and the latest debian
> squeeze. All servers are VMs running on bold hardware under Xen.
> Webservers are the latest apache2 behind an nginx; sometimes supported
> by lighttpd for static files. All servers are in the same room or have
> local ip tunnels in between.
> 
> Ah! And I almost forgot: I have an OTRS to be connected to the
> CAS-server too. For now I ignore that and hope to get that solved later.
> 
> Has anybody done that already for real?
> Which typo3 plugin can do that with multiple CAS-servers - and server side?
> Which CAS-server software would you use - and can it access multiple ADs?
> 
> Give me hard questions or good answers!
> I have to kick it hard. So kick me. ;)
> 
> Let's have some fun!
> Patrick
> 
> PS: You know somebody who can take this?
> Please forward it to him as a challenge! ;)


-- 
http://www.kay-strobach.de - Open Source Rocks

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

Answer was useful: https://flattr.com/profile/kaystrobach
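To make the server-side part of the setup Patrick describes concrete, here is an added example in plain PHP. It is not code from this thread, nor from eu_ldap, single-signon.com or any other TYPO3 extension. It does the two things the question asks for: the webserver validates a CAS service ticket itself over cURL (with failover across several CAS servers, so a dead node does not take every login down with it), and the AD group membership that comes back is mapped onto TYPO3 usergroup uids through an explicit allow-list. The CAS base URLs, the service URL, the CA bundle path, the group mapping and the assumption that the CAS server returns the user's AD "memberOf" values as `<cas:memberOf>` attributes are all hypothetical; the response at the bottom is constructed so the parsing and mapping can be run without any server.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread or from any TYPO3 extension. Hypothetical:
// the CAS base URLs, the service URL, the CA bundle path, and that the CAS server
// returns the user's AD "memberOf" values as <cas:memberOf> inside <cas:attributes>.
final class CasTicketValidator
{
    private $casServers; private $serviceUrl; private $caBundle; private $timeout;

    public function __construct(array $casServers, string $serviceUrl, string $caBundle, int $timeout = 3)
    {
        $this->casServers = $casServers;   // tried in order; later entries are the failover
        $this->serviceUrl = $serviceUrl;
        $this->caBundle   = $caBundle;
        $this->timeout    = $timeout;
    }

    // Validate a service ticket server-side (webserver -> CAS, never via the browser).
    // Returns ['user' => ..., 'groups' => [...]], null when the ticket is rejected,
    // and throws when none of the configured CAS servers answered at all.
    public function validate(string $ticket): ?array
    {
        if (!preg_match('/^[SP]T-[A-Za-z0-9._-]{1,256}$/', $ticket)) {
            return null;                  // not a well-formed service/proxy ticket
        }
        $lastError = 'no CAS server configured';
        foreach ($this->casServers as $base) {
            $url = rtrim($base, '/') . '/serviceValidate?'
                 . http_build_query(['service' => $this->serviceUrl, 'ticket' => $ticket]);
            $xml = $this->fetch($url, $lastError);
            if ($xml === null) {
                continue;                 // network/HTTP failure: fail over to the next server
            }
            return self::parseServiceResponse($xml);   // a definite answer ends the loop
        }
        throw new RuntimeException('no CAS server reachable: ' . $lastError);
    }

    private function fetch(string $url, string &$error): ?string
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => $this->timeout,   // bounded waits: a dead CAS node
            CURLOPT_TIMEOUT        => $this->timeout,   // must not stall every login
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_CAINFO         => $this->caBundle,
            CURLOPT_FOLLOWLOCATION => false,            // never follow a redirect off the local range
        ]);
        $body  = curl_exec($ch);
        $code  = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $error = curl_error($ch) ?: 'HTTP ' . $code;
        curl_close($ch);
        return ($body === false || $code !== 200) ? null : $body;
    }

    // Parse a CAS 2.0 <cas:serviceResponse>; null on authenticationFailure or malformed XML.
    public static function parseServiceResponse(string $xml): ?array
    {
        $prev = libxml_use_internal_errors(true);
        $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET); // no external fetches
        libxml_use_internal_errors($prev);
        if ($doc === false) {
            return null;
        }
        $ns = 'http://www.yale.edu/tp/cas';
        $doc->registerXPathNamespace('cas', $ns);
        $ok = $doc->xpath('/cas:serviceResponse/cas:authenticationSuccess');
        if (!$ok) {
            return null;
        }
        $ok[0]->registerXPathNamespace('cas', $ns);
        $user   = $ok[0]->xpath('cas:user');
        $groups = [];
        foreach ($ok[0]->xpath('cas:attributes/cas:memberOf') as $dn) {
            $groups[] = (string) $dn;
        }
        return $user ? ['user' => (string) $user[0], 'groups' => $groups] : null;
    }
}

// Map AD group DNs to TYPO3 usergroup uids. Only explicitly mapped groups grant
// anything; every other AD group the user belongs to is ignored.
function mapAdGroupsToTypo3Uids(array $adGroups, array $mapping): array
{
    $uids = [];
    foreach ($adGroups as $dn) {
        $key = strtolower($dn);           // AD DNs compare case-insensitively
        if (isset($mapping[$key])) {
            $uids[$mapping[$key]] = true;
        }
    }
    $uids = array_keys($uids);
    sort($uids);
    return $uids;
}

// Offline demo with a constructed CAS response; no server is contacted here.
$constructed = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>'
    . '<cas:user>jdoe</cas:user><cas:attributes>'
    . '<cas:memberOf>CN=TYPO3-Editors,OU=Groups,DC=example,DC=local</cas:memberOf>'
    . '<cas:memberOf>CN=Domain Users,CN=Users,DC=example,DC=local</cas:memberOf>'
    . '</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>';
$mapping = ['cn=typo3-editors,ou=groups,dc=example,dc=local' => 3]; // hypothetical be_groups uid
$r = CasTicketValidator::parseServiceResponse($constructed);
echo $r['user'], ' -> typo3 groups ', implode(',', mapAdGroupsToTypo3Uids($r['groups'], $mapping)), "\n";
```

The only browser-facing step in this flow is the ticket arriving on the service URL; everything from there on is webserver-to-CAS traffic on the local range, which is what keeps the CAS and LDAP hosts off the public side. Two details matter for the "no DOS" requirement: the connect and read timeouts are short and bounded so one unreachable CAS node costs a few seconds rather than a hung worker, and a ticket that does not even look like a CAS ticket is dropped before any network call is made. The group mapping is deliberately an allow-list: "Domain Users" and every other AD group that has no entry confers nothing in TYPO3.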
