Plone and Single-Sign On - Active Directory and the Holy Grail
These are the slides of a talk I gave on Single Sign On in Plone via Active Directory using netsight.windowsauthplugin
Transcript of "Plone and Single-Sign On - Active Directory and the Holy Grail"

  1. Plone and Single-Sign On: Active Directory and the Holy Grail
     Matt Hamilton

  2. Who am I?
     • Working with Plone/Zope since 1999
     • Director at Netsight in the UK
     • Worked on a number of projects doing authentication over the years
     Plone Open Garden 2013

  3. What are we trying to do?
     • Allow users to be automatically logged in to a website without having to type in their username/password

  4. Kerberos
     • Developed by MIT many many years ago
     • Used in Unix.... but also used on Windows, OSX, Linux
     • Based on authentication ‘tickets’

  5. Other approaches
     • Apache in front of Plone
       - mod_kerberos
       - mod_ntlm
       - mod_authtkt / mod_pubcookie
     • Plone on IIS
       - Enfold proxy
       - IISAPI

  6. Why do it in Plone?
     • Ultimate control over if/when to require authentication from a user
     • Fallback to other authentication methods
     • Mix of user sources

  7. netsight.windowsauthplugin
     • Runs on either Windows or Unix/Linux/OSX
     • Windows: Uses Windows’ internal SSPI API
     • Unix: Uses MIT Kerberos libraries

  8. Buildout configuration:

         [buildout]
         ...
         eggs =
             ...
             netsight.windowsauthplugin

  9. Recent Use-case
     • Two departments of National Health Service are merging
     • ...but their IT systems are still separate
     • Two different Active Directory domains: CFH and IC

  10. Recent Use-case
     • Half the users in one domain, half in the other
     • Both need to be automatically authenticated to a single, common intranet
     • Need to allow fallback to manual username/password
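The HTTP Negotiate handshake that a Plone-side SSO plugin has to drive, together with the fallback to form login that slides 6 and 10 call for, as an added example; this is not code from the talk or from netsight.windowsauthplugin. The `validate_token` callable stands in for the SSPI or MIT Kerberos call, and the `/login_form` path and the tokens used in the test are constructed.

```python
import base64
import binascii

NTLM_SIGNATURE = b"NTLMSSP\x00"   # every NTLM message starts with this signature
GSS_INITIAL_TOKEN_TAG = 0x60      # ASN.1 [APPLICATION 0] tag opening a SPNEGO/Kerberos token


def classify_token(raw):
    """Return 'kerberos', 'ntlm' or 'unknown' for a decoded Negotiate token."""
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if raw and raw[0] == GSS_INITIAL_TOKEN_TAG:
        return "kerberos"
    return "unknown"


def form_login_fallback(reason):
    # Never answer a failed token with another Negotiate challenge: the browser
    # would just resend the same token. Hand the user to the normal login form.
    return {"status": 302, "headers": {"Location": "/login_form"},
            "user": None, "reason": reason}


def handle_request(headers, validate_token, require_sso=True):
    """Model one request through the plugin.

    headers: request headers as a dict. validate_token: callable(bytes) -> principal
    name, or None if the ticket is rejected (injected; a real plugin calls SSPI/GSSAPI).
    require_sso: the per-request decision the slides describe (challenge or not).
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        if require_sso:
            # First round trip: challenge. A browser on a domain-joined machine
            # answers with a Kerberos ticket for the site's service principal.
            return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "user": None}
        return {"status": 200, "headers": {}, "user": None}  # anonymous; other PAS plugins may run
    try:
        raw = base64.b64decode(auth[len("Negotiate "):], validate=True)
    except binascii.Error:
        return form_login_fallback("malformed token")
    if classify_token(raw) != "kerberos":
        # The browser had no ticket (wrong domain, no SPN) and downgraded to NTLM,
        # which MIT Kerberos cannot validate: fall back rather than fail hard.
        return form_login_fallback("non-kerberos token")
    principal = validate_token(raw)
    if principal is None:
        return form_login_fallback("ticket rejected")
    return {"status": 200, "headers": {}, "user": principal}
```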
  11. (image-only slide)

  12. How does Kerberos work? (diagram)

  13. How does Kerberos work? (diagram)

  14. How does Kerberos work? (diagram)

  15. Demo

  16. Complex Setups

  17. Member Properties
     • Get data from Active Directory via LDAP
     • Use plone.app.ldap
     • Can use OpenLDAP as a proxy server
       - Increased reliability
       - Combine multiple LDAP/AD servers
       - Caching

  18. Questions?
     • Matt Hamilton
     • matth@netsight.co.uk
     • @hammertoe
     • https://github.com/netsight/netsight.windowsauthplugin
