[TYPO3-english] typo3 - saml 2.0 - cas-server - ldap - active directory

Kay Strobach typo3 at kay-strobach.de
Tue Jan 24 20:25:53 CET 2012


PS: I have sso adapters for:

 - TYPO3 FE / BE
 - tine20.org
 - mediawiki
 - mantisbt
 - knowledgetree
 - phplist
 - ...

regards
Kay

On 24.01.2012 20:07, Kay Strobach wrote:
> Hi,
> 
> please take a look at eu_ldap and single-signon.com; these extensions
> should do the trick. It's not exactly how you specified it, but it's
> working perfectly for me in similar environments.
> 
> Regards
> Kay
> 
> 
> 
> On 24.01.2012 20:02, patrick at bierans.de wrote:
>>
>> Hello list!
>>
>> If my English sounds weird: it's not my native tongue - bear with me
>> please.
>>
>> This one is an advanced setup question. I hope some real hackers are
>> reading this. :) If you do not understand the basics of my question,
>> please don't ask me to explain it. No offence, I'm just short on time.
>> But feel free to read on and follow this topic and learn on your own. ;)
>>
>> I've spent a lot of time reading tons of stuff about software and
>> protocols (boss already got picky a week ago ^^) but even my hottest
>> candidates for now (simpleSAMLphp and ig_ldap_sso_auth) are not really
>> convincing me yet.
>>
>> So I want to ask you!
>>
>> In short:
>>
>> Multiple typo3 should auth against active directory.
>> To support SSO I want a CAS-server (with tickets) in between.
>> The communication should be server side for better protection.
>> Groups in active directory define access rights in typo3.
>> Security and stability must be extremely high. No DOS.
>> How?
>>
>> In long:
>>
>> I want multiple typo3 installations running the latest 4.6 to talk in shib 1.3
>> or saml 2.0 with a php based cas-server which then talks ldap to an active
>> directory on the latest windows server 2008 which holds account details and
>> group assignments reflecting the roles/rights the user will have inside typo3.
>> So typo3 will assign AD-groups to typo3-usergroups. This has to work for
>> frontend-users and backend-users.
>>
>> I have two more mirrors of the AD to be added to the CAS-server and I want
>> to add another CAS-server so I have enough redundancy to eliminate some
>> single points of failure. DDOS-resistant typo3 sites - haha - that's of
>> lower importance for now.
>>
>> The communication typo3 <-> cas-server should run server side on a local
>> ip range, which would require cURL or something alike. All servers are in
>> the same rack. So some header redirects sent to the browser are to be avoided.
>>
>> The communication cas-server <-> ldap should use local range ips too, so
>> that the really important systems are not accessible from the "evil" outside.
>>
>> The servers run the latest php5 with Suhosin and the latest debian squeeze.
>> All servers are VMs running on bold hardware under Xen. Webservers are the
>> latest apache2 behind an nginx; sometimes supported by lighttpd for static files.
>> All servers are in the same room or have local ip tunnels in between.
>>
>> Ah! And I almost forgot: I have an OTRS to be connected to the CAS-server
>> too. For now I ignore that and hope to get that solved later.
>>
>> Has anybody done that already for real?
>> Which typo3 plugin can do that with multiple CAS-servers - and server side?
>> Which CAS-server software would you use - and can it access multiple ADs?
>>
>> Give me hard questions or good answers!
>> I have to kick it hard. So kick me. ;)
>>
>> Let's have some fun!
>> Patrick
>>
>> PS: You know somebody who can take this?
>> Please forward it to him as a challenge! ;)
> 
> 


-- 
http://www.kay-strobach.de - Open Source Rocks

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

Answer was useful: https://flattr.com/profile/kaystrobach
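For the server-side CAS leg Patrick asks about in the quoted question (typo3 <-> cas-server over cURL on the local range, AD groups mapped onto typo3 usergroups), here is an added PHP example; it is not code from this thread, from TYPO3, from eu_ldap or from any CAS server. The validate URL, the group DNs, the usergroup uids and the memberOf attribute name are assumptions.

```php
<?php
// Added example (not from the thread, TYPO3 or any CAS server): the server-side leg
// of CAS, i.e. ticket validation over cURL, plus mapping of AD group DNs from the
// CAS response onto TYPO3 usergroup uids. URL, DNs, uids and attribute name assumed.
const CAS_VALIDATE_URL = 'https://cas.internal.example/cas/serviceValidate';
const GROUP_MAP = [ // AD group DN => TYPO3 usergroup uid (assumed values)
    'CN=Editors,OU=Groups,DC=example,DC=local' => 3,
    'CN=Staff,OU=Groups,DC=example,DC=local'   => 7,
];
// Validate a service ticket server-to-server. TLS verification stays on even on the
// local range; the timeout bounds how long a slow CAS can hold a PHP worker.
function casValidateTicket(string $service, string $ticket): string {
    $query = http_build_query(['service' => $service, 'ticket' => $ticket]);
    $ch = curl_init(CAS_VALIDATE_URL . '?' . $query);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false) { throw new RuntimeException("CAS request failed: $error"); }
    return $body;
}
// Parse a CAS 2.0 serviceValidate response into [username, [group uids]]; null on
// authenticationFailure or malformed XML, so the caller denies by default.
function casParseResponse(string $xml): ?array {
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) { return null; }
    $doc->registerXPathNamespace('cas', 'http://www.yale.edu/tp/cas');
    $user = $doc->xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if (!$user) { return null; }
    $groups = [];
    // memberOf is the assumed attribute under which CAS releases the AD groups
    foreach ($doc->xpath('//cas:authenticationSuccess/cas:attributes/cas:memberOf') as $dn) {
        $dn = trim((string) $dn);
        if (array_key_exists($dn, GROUP_MAP)) { $groups[] = GROUP_MAP[$dn]; } // unmapped groups grant nothing
    }
    return [(string) $user[0], $groups];
}
// Constructed sample of what CAS returns for a valid ticket; runs without a server.
$sample = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>'
    . '<cas:user>jdoe</cas:user><cas:attributes><cas:memberOf>CN=Editors,OU=Groups,DC=example,DC=local'
    . '</cas:memberOf><cas:memberOf>CN=Guests,OU=Groups,DC=example,DC=local</cas:memberOf>'
    . '</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>';
print_r(casParseResponse($sample));
```

Only the validation leg is server-to-server: the browser still has to visit the CAS login once to obtain the service ticket, so that one redirect cannot be avoided, only kept to a single step.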

