For several months I've been searching for a complete solution that can offer access control, authentication, integrated search indexing of all content and content management itself for a company intranet that can dispense the following to our internal users:
- Training videos, shared contacts, job aid resources and content management
- A PHP based web front end to access our databases of clients, cases, task management, etc.
We're running Leopard Server, Kerberos, LDAP and all that other fun stuff. But we also are a mixed platform environment with remote branch offices running isolated windows domain workgroups, accessing our intranet from across a VPN. (not my doing)
The problem that I'm having is that I cannot find any one great solution, application or API that can integrate our intranet with our LDAP on Leopard Server for authentication on a remote intranet proxy. I don't just want to rely on creating a secured realm, I want something smarter. I also want this solution to be as simple as possible from the end user's perspective and do things like allow local unauthenticated (or kerberos) access from workstations on our LAN or workstations on our site to site VPN, that traffic is trusted and should be able to totally bypass authentication or at least allow authentication to happen in the background.
Maybe I'm asking for too much in search of a solution but I don't want to make our users re-signon when they want to switch from our database front end to view training materials, or to access webmail, or view the collaboration wiki content. I also don't want users to have to rely on 5 different methods of searching our intranet to find what they're looking for as well.
I figure that for what I want to do, I will have to:
- Come up with a custom spotlight search API for Apache, that will not only singularly index web content, but integrate database content as well.
- Figure out how to modify apache to openly serve the site to trusted internal IP addresses or use WebDAV with kerberos single sign-on.
- Come up with a public web proxy where remote users can authenticate with their LDAP credentials and then access the intranet from remote locations.
So if anybody has a suggestion to accomplish any of this on Leopard Server, or knows of a great resource on how to do any of the following, like: modify the spotlight search plugin for apache, integrate LDAP authentication within a web page, modify apache to only allow certain IP addresses to access a site, use one authentication session ID to access other secured sites, view PDF, word, excel files on a shared volume through a web front end or how to create a remote sign-on proxy. If you have any thoughts on this or know something that would help, let me know.
by 
I completely agree with you that there isn’t a one-stop-shopping good solution. I explored this back under 10.5 Server and while the wiki/blog that is provided by Apple is fine, it falls short of being a good solution. I’ll definitely be watching this thread for any advice others may have.
—
Brian Garrett
[email protected]
I have no complete “how-to” for all of that, but :
for your proxy needs, you can compile squid 3.0 and bind it to your LDAP.
it’s straight forward.
for Apache to serve only trusted IP addresses, it’s simple too. you just have ton modify httpd.conf and add your addresses like :
#
# Controls who can get stuff from this server.
#
Order deny,allow
Deny from all
Allow from 192.168.12 # reseau local admin
Allow from 192.168.10 # reseau local intranet
I think you might be interested in Joomla.
It has an API for basic LDAP authentication, but, it also has Kerberos support.
Joomla Kerberos
Sam is one of the core developers for Joomla, and will be giving a talk on Joomla security here in Melbourne at our Melbourne JoomlaDay 2010 Conference.
Cheers,
Raoul.
In 10.5 we used the built in wiki server, but it was annoying that the user had to switch between different groups to see if anything had changed.
In 10.6 this is improved, so when a user logs in, he can see a list of whats new in a selected list of the groups. Each user can customize which groups he wants to see news for.
I think the wiki server in 10.6 should be looked at. It’s also improved in configuration.
Wouldn’t the Mobile Access Server service in Snow Leopard Server deliver what you are looking for in respect of the secure LDAP integrated remote access needs you are describing?
any consideration of a product like Drupal? runs great on my Snow Leopard Server. had some issues with gd-library support (for resizing images), but nothing that couldn’t be overcome.
Drupal has a (few?) modules that add LDAP integration, even uses LDAP groups.
I know for a fact that it’s capable of handling many different media types, group sharing, etc. Not exactly a piece of cake to set up, but easy enough that you could try it out.
http://drupal.org/
http://drupal.org/project/ldap_integration
—
– DMP
NETWORK + certified professional, ACSP, ACTC
Why not plone? You can tie it into your LDAP setup and pass the authentication off to apache. It runs great in 10.5 and 10.6.
After half a year, I would like to know, if mactastic has made a decision on the intranet solution. Would be cool to hear about experiences and – if possible – any reasons for the decision made…
We have implemented a basic setup with;
• Joomla for CMS, we have a splash page similar apple.com/startpage – where all the latest news and useful intranet links are.
• vtiger for basic ERP and CRM
• DocMGR for document control
• Moodle for learning, tutorials and internal kb.
They are all advertised via Bonjour in the Browser Bar (Safari or Firefox) – configured via virtualhostx and DNS.
They all have LDAP support – not perfect but workable.
Re: Come up with a public web proxy where remote users can authenticate with their LDAP credentials and then access the intranet from remote locations.
We use the Netgear SSL312, it has a fugly gui, but is functional for providing external secure access to the intranet, as well as split tunnel VPN if needed.
Forgot to mention the project planning part.
You can have either ProjectFork for Joomla or a module for vtiger – both functional but no import/export for MS Project, so we use Merlin Server – but it is pricey.
Hello there I need some guidance I been trying to add a Mac OS x Server Mini on a windows 03 server environment since I am in a very mix environment and we are deploying a new computer lab all iMacs been trying to have domain authentication and centralize log-in just like I have on the PC side I have not been successful (I am not much of a mac expert) been looking for a guide no luck can someone direct me please??????
Hope this video tutorial will throw some light on th issue in question – Mac-os-x-server-remote-installation
I cannot even post on this site. Your spam detection sucks. This is ridiculous. I just wrote a paragraph about an issue I am having and its detecting it as spam.
Hi There:
I am new to the OS X Server and I need to provide Mail for 5 Domains, it needs to be separate and do not get mix.
Will some one give a hand.
I thank You in advance for your Time