OpenID & SVN

Federated login update…

OK, I managed to get OpenID working with Google's federated logins. The issue I'm seeing is that this appears to only work over the web and not through the svn client. My guess is because the svn client doesn't support cookies? Also, the Apache OpenID auth module isn't the prettiest or easiest to use either. Implementing OpenID in PHP or Python looks much nicer but doesn't currently help me. I think it will be easy to implement WordPress with Google as an identity provider, but as far as shell access/svn goes I'm starting to hit a wall.

I thought I could just query the Google servers via LDAP, but I can't find any documentation on that. I have seen LDAP syncing with Google, but it appears to be one way, with our LDAP server as the identity provider syncing to Google Apps. I would rather sync the other way, since we can easily delegate account management through Google Apps.

The pam-openid module has a project page but, as far as I can tell, no code. I think I can help somebody if they want to set up a website with single sign-on, but I think I'm going to have to get creative to figure out how to do more system-specific account setup :frowning:

If anybody happens to think of a good (possible) alternative let me know.

Later,

Craig

My understanding of what you’re talking about borders on non-existent, but I really want to wish you Good Luck!

Any clue how chromiumOS does it? You use a google account to sign on to it.

Via the web would be my guess. I think the solution I will need is to use a library for OpenID. Python and Java seem to be the most complete. If I can write an app that can basically check to ensure you got the proper authenticated cookie from the right identity provider (in this case OUR Google Apps account and not just Google or someone else's :wink:), then return OK, else return Access Denied. Once that piece is done I believe I could turn it into a PAM module, assuming I can have PAM easily call an external app. I believe I can, and I even think I may have done this before with a SecurID server, but can't remember. Once I have PAM integration, then I should be able to take any system service and have it defer its authentication to the local PAM system.

It sounds difficult, but hopefully it won't be too bad. Once I have a small app and have done the work to figure out how to integrate it into PAM, then it should be easy to copy to other systems (like the hive13 fileserver). Unfortunately, like TP said… this technology doesn't actually exist yet… we need to write it. But with any luck this won't be a big deal to invent. Then we'll share how we did it on our wiki/blog, then ???, and finally profit.

Craig
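One way the "external app called from PAM" piece described above could look, as an added example that is not Craig's code or any project's: the script is written to be invoked by `pam_exec.so` with `expose_authtok` (PAM_USER arrives in the environment, the password on stdin, exit status 0 means success). Everything about the token design is an assumption made for the example: a web front end that has already completed the OpenID login with a library mints a short-lived HMAC-signed token carrying the username and the verified e-mail identity, the user pastes that token as their svn/ssh password, and this helper checks the signature, the expiry, the username, and, the point the post is making, that the identity belongs to OUR domain and not just any Google account. The secret and domain are constructed placeholders.

```python
"""Assumed pam_exec helper: verify a web-SSO-issued token offline.

Example PAM line (assumed deployment, not from the original post):
    auth required pam_exec.so expose_authtok /usr/local/bin/check_sso_token.py
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import time

# Constructed placeholders; a real deployment reads these from a root-only config.
SHARED_SECRET = b"constructed-secret-shared-with-the-web-app"
ALLOWED_DOMAIN = "example.org"   # stands in for OUR Google Apps domain
TOKEN_LIFETIME = 600             # seconds a minted token stays valid


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username, identity, secret=SHARED_SECRET, now=None):
    """What the web app would issue after the OpenID login succeeded there."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "identity": identity, "exp": now + TOKEN_LIFETIME}
    body = _b64encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


def verify_token(token, expected_user, secret=SHARED_SECRET, domain=ALLOWED_DOMAIN, now=None):
    """Return (ok, reason). Signature is checked before the payload is trusted."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed"
    try:
        given = _b64decode(sig)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):   # constant-time compare
            return False, "bad signature"
        claims = json.loads(_b64decode(body))
    except ValueError:                                  # binascii.Error is a ValueError
        return False, "bad payload"
    if claims.get("exp", 0) < now:
        return False, "expired"
    if claims.get("sub") != expected_user:
        return False, "user mismatch"
    # The identity must come from our own Google Apps domain, not just any Google account.
    if claims.get("identity", "").rpartition("@")[2].lower() != domain.lower():
        return False, "identity not in our domain"
    return True, "ok"


def main():
    user = os.environ.get("PAM_USER", "")
    token = sys.stdin.readline().rstrip("\n")   # expose_authtok puts the password here
    ok, reason = verify_token(token, user)
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The helper never talks to Google itself; it only trusts tokens the web app signed, which is why the domain check lives here as well as in the web app: if the front end were ever misconfigured to accept any Google identity, the shell/svn side would still refuse it.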

What about setting up a directory service of some sort, like FreeIPA,
and have GApps sync to that?

I know that LDAP is a pain, or at least it is compared to Active
Directory, but it does already exist, so it has that going for it :slight_smile:

If you decide to create an authentication app, it would be a real boon
to nonprofits of all kinds, since GApps already provides so much for
free.

I'm down with even using OpenLDAP; the only reason I'm not going that way is because then we become the identity provider and we have to manage all of our account info on servers we control. Normally that's what companies want, but in our case it is easier to just have a server with the fun apps on it, and the annoying apps like ID management, webmail, etc. can be handled by Google. The issue is that the sync process is one way.

<LDAP/AD> —> Google Apps

We can't go the other way around. If we could, this would be an easy solution. Hell, if Google Apps even allowed LDAP queries (or just the bind request) to Google Apps we would be done. Unfortunately that does not appear to be the case, unless there is some hidden, not-as-well-documented feature of Google Apps to do this (also very possible).

If I have time tonight I’ll take a stab at a command line authentication app and see what happens.

Craig