Can we build a sso solution by openLDAP onl开发者_Python百科y? or SSO need at least openLDAP + Kerberos (or something like?) If openLDAP is OK, how can we get the credential of current user to be authentication by other application through LDAP API? Is there any C++ api?
If by SSO you mean one password at the beginning of the day, and none until you leave, LDAP can't easily do that alone. It can help you consolidate passwords, so you only have to remember one (which is nice), but you still have to enter it repeatedly unless you do a lot of engineeering on top of that.
Kerberos can actually do SSO. The caveat in my opinion, is that applications need to support it specially to some degree.
As far as LDAP storing credentials for kerberos, I'm not sure that that's a win. I suspect it would have to store the credentials in cleartext in order to be compatible with kerberos (and it makes me nervous to have a service that is network accessible and contains cleartext passwords). It isn't clear to me how this is better than a kerberos database storing the password.
Hopefully this helps. Also, my experience with kerberos is from the sidelines; I've read _a_lot_ about it, but never actually used it.
精彩评论