On Wed, Apr 20, 2011 at 09:23:38PM +0200, Pascal Bleser wrote:
> In this particular case, I'm not arguing about mod_auth_memcookie, I'm arguing about 1) the initiative to replace ichain (which is awesome), 2) the brainstorming about what alternative SSO solution to use (and what you've picked seems like a good idea), 3) the decision on which solution to implement, have all happened behind closed doors.
Getting rid of iChain was a mostly political issue. There's a Novell security guideline that says that:

- user passwords mustn't reach application servers
- the server certs mustn't be stored on application servers.

That's basically what iChain does, it's a black box that does the authentication and acts like a proxy. Problem being the "black", there's no way for us to see what's going on in iChain. So when we saw that iChain started to have problems some weeks ago and there was no fix in sight we did some phone calls and got permission to replace it with something that also conforms to the guideline. So it had to be a proxy again, and nothing in the application servers was to be changed (i.e. no architectural changes). We went with the most lightweight solution we found, thus using the existing mod_authmemcookie as session management and mod_ldap as auth mechanism. It had to be:

- proven technology, or
- as few lines of code as possible, so that our security guys can do a fast security audit

So no new big SSO framework or architectural changes for now.

Cheers,
  Michael.

-- 
Michael Schroeder                                   mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
-- 
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-project+help@opensuse.org
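The arrangement Michael describes (credentials verified at a proxy, a session cookie backed by a shared store, application servers receiving only the verified identity) as an added example in Python. This is not code from the thread, from mod_auth_memcookie or from mod_authnz_ldap; it is a self-contained model of the proxy's decision logic. The directory entries, the cookie name `Auth_memCookie`, the session TTL and the `X-Remote-User` header are assumptions made for the example. The two things worth seeing are that the password is consumed at the proxy and never appears in what goes upstream, and that the proxy drops any identity header the client supplies itself, since an application server that trusts that header can be fed a forged one otherwise.

```python
import hashlib
import hmac
import secrets

# --- Constructed stand-in for the LDAP directory ----------------------------
# A real deployment performs an LDAP bind (mod_authnz_ldap). Here a salted
# PBKDF2 hash per user keeps the example offline. Salt and users are
# constructed for this example only.
_SALT = b"constructed-example-salt"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

DIRECTORY = {"alice": _pw_hash("correct horse battery")}

def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: True only if the credentials match."""
    stored = DIRECTORY.get(user)
    if stored is None:
        _pw_hash(password)          # same cost for unknown users (timing)
        return False
    return hmac.compare_digest(stored, _pw_hash(password))

# --- Session store (stand-in for memcached) ---------------------------------
SESSION_TTL = 3600                 # seconds; assumed value
COOKIE_NAME = "Auth_memCookie"     # assumed cookie name
IDENTITY_HEADER = "X-Remote-User"  # assumed header the app server trusts

class SessionStore:
    def __init__(self):
        self._sessions = {}        # session id -> (user, expiry time)

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)      # 256-bit random, unguessable id
        self._sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def lookup(self, sid: str, now: float):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:                    # expired: drop it, treat as absent
            del self._sessions[sid]
            return None
        return user

# --- The proxy decision -----------------------------------------------------
def proxy(request: dict, store: SessionStore, now: float) -> dict:
    """Decide what the proxy does with one request.

    request: {"headers": {...}, "cookies": {...}, "form": {...} (login only)}
    Returns {"status": int,
             "forward": headers sent to the application server, or None,
             "set_cookie": new session id to set, or None}
    """
    # Never trust an identity header supplied by the client; only the proxy
    # may set it. Everything else is passed through.
    upstream = {k: v for k, v in request.get("headers", {}).items()
                if k.lower() != IDENTITY_HEADER.lower()}

    form = request.get("form")
    if form is not None and "user" in form and "password" in form:
        # Login attempt: the password is checked here and goes no further.
        if not ldap_bind(form["user"], form["password"]):
            return {"status": 401, "forward": None, "set_cookie": None}
        sid = store.create(form["user"], now)
        return {"status": 302, "forward": None, "set_cookie": sid}

    sid = request.get("cookies", {}).get(COOKIE_NAME)
    user = store.lookup(sid, now) if sid else None
    if user is None:
        return {"status": 401, "forward": None, "set_cookie": None}

    # Authenticated: the session cookie stays at the proxy; the application
    # server receives only the verified user name.
    upstream[IDENTITY_HEADER] = user
    return {"status": 200, "forward": upstream, "set_cookie": None}
```

In the real deployment the bind is done by mod_authnz_ldap and the session lives in memcached; both are replaced here by in-process stand-ins so the logic can be run without a directory or a cache. The header-stripping step is the part that is easy to forget when wiring a real proxy: if the application server trusts `X-Remote-User`, the proxy must be the only source of it.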