I work hard, you know (anyone who knows me knows I’m a workaholic) – as a coder (duh).
Part of a coder’s job is to do everything one can to make everyone else’s life a little easier. Automate this, report on that, calculate this, etc…
Well, twice in recent times at work, I’ve tried to take a few minutes out from making everyone else’s life easier, and do something to help make mine a little more bearable.
Second attempt: I’ve come up with a brilliant new way to make my life easier (well, everyone’s really – but mine mostly).
Centralized authentication, and “Single Sign-on”.
As it turns out, you can’t really have one without the other. In an operation as large as ours there’s a huge number of programs and not all of them like to talk to other programs.
I’ve been working on porting our many, many usernames and password storage facilities (be it text, passwd, or mysql) to a single LDAP structure containing a single username/password for the user and what they can access. The first facility ported to this was our helpdesk application, which turned out to be an easy enough task as it was so new that no-one noticed.
I’ve also been working on using mod_auth_tkt for web-based single sign-on. This allows me to bind the username to the LDAP password regardless of the application and how much it feels like talking to other programs.
Then for those applications I can, I’ve been implementing the policy information normally maintained by the application directly into the LDAP tree.
What does this do to make my life easier?
What does this do to make everyone else’s life easier?
This time I’m shut down because the admin wants some “reports” (really just a list of paid/unpaid invoices) altered so they can pick dates or individual invoices to improve their efficiency.
Meanwhile, I’m still getting bugged for ‘what’s my x email password’, ‘what’s my y password’, ‘I can’t remember my username for z’.
Sure, upgrading everything is a BIG task and is bound to take me a couple of weeks, but I’m sure I would be far less irritable after it was completed…
So in summary: One stop shop for authentication and authorization for everything from the helpdesk logs through to ssh login to machines.
Result: Just getting to the part where I’m seeing results and the big gain to the ‘one’ (and little gain to all) is outweighed by the efficiency of the admin girls.
Passing thought: If they were using the shit like it was intended, and didn’t have 4 copies of everything (*everything* gets printed out and stored in a file against the user) – I’m sure it’d be much more efficient. Maybe they heard that I was intending to interface the LDAP to cracklib and enforce more secure passwords…