Mailinglist Archive: opensuse-project (502 mails)

Re: [opensuse-project] Engineering behind closed doors (was: iChain or iPain?)
On Wed, Apr 20, 2011 at 09:23:38PM +0200, Pascal Bleser wrote:
> In this particular case, I'm not arguing about
> mod_auth_memcookie, I'm arguing about
> 1) the initiative to replace ichain (which is awesome),
> 2) the brainstorming about what alternative SSO solution to use
> (and what you've picked seems like a good idea),
> 3) the decision on which solution to implement,
> have all happened behind closed doors.

Getting rid of iChain was a mostly political issue. There's
a Novell security guideline that says that:
- user passwords mustn't reach application servers
- the server certs mustn't be stored on application servers.
That's basically what iChain does: it's a black box that does
the authentication and acts like a proxy. The problem is the
"black": there's no way for us to see what's going on in
iChain.

So when we saw that iChain started to have problems some
weeks ago and there was no fix in sight we did some phone
calls and got permission to replace it with something that
also conforms to the guideline. So it had to be a proxy
again, and nothing in the application servers was to be
changed (i.e. no architectural changes).

We went with the most lightweight solution we found, thus
using the existing mod_authmemcookie as session management
and mod_ldap as auth mechanism. It had to be:
- proven technology, or
- as few lines of code as possible, so that our security
guys can do a fast security audit

So no new big SSO framework or architectural changes for now.

Cheers,
Michael.

--
Michael Schroeder mls@xxxxxxx
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
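The layout described in the mail (an LDAP bind only at the login step, a memcached-backed session cookie checked by mod_auth_memcookie for everything else, and a proxy in front of unchanged application servers), as an added illustrative Apache configuration that is not from the mail or the openSUSE infrastructure. Hostnames, the cookie name, the LDAP base DN, the /app prefix and the X-Remote-User header are assumptions; the Auth_memCookie_* directive names follow that module's documentation and should be checked against the installed version.

```apache
# Assumed reverse-proxy layout in front of the application servers.

# 1. Login endpoint: the only request path that ever carries a user password.
#    mod_authnz_ldap binds against the directory; the password goes no further.
<Location /login>
    AuthType Basic
    AuthName "Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub?(objectClass=person)"
    Require valid-user
    # A small login handler (not shown) writes the session record to memcached
    # and sets the session cookie; the application servers never see this step.
</Location>

# 2. The proxied application: mod_auth_memcookie looks the session cookie up
#    in memcached. Only an opaque session id is presented here, never a password.
<Location /app>
    AuthType Cookie
    AuthName "Session"
    Auth_memCookie_CookieName           sso_session
    Auth_memCookie_Memcached_AddrPort   127.0.0.1:11211
    Auth_memCookie_Authoritative        on
    Auth_memCookie_SetSessionHTTPHeader on
    Require valid-user

    # Drop identity-bearing headers supplied by the client before the session
    # fields are exported (early = before authentication runs), so the backend
    # cannot be fed a spoofed user or a forwarded Authorization header.
    RequestHeader unset Authorization early
    RequestHeader unset X-Remote-User early

    # Nothing on app.internal changes: it just trusts the proxy's headers.
    ProxyPass        http://app.internal:8080/
    ProxyPassReverse http://app.internal:8080/
</Location>
```

The backend must be reachable only from the proxy (bind it to an internal interface or firewall it), because anyone who can reach app.internal directly could set the identity header themselves.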
