First post here, but I have been following the project for some time already because I'm interested to see whether it can replace my current pGina integration.
First I'm going to explain my current setup; next I want to dream about what the ideal world would look like with Privacy Idea.
The current setup:
I have a CentOS server with 389-DS LDAP, mail and samba shares. The client PCs all have Windows 10 installed. All clients also have pGina (https://github.com/MutonUfoAI/pgina) installed and connect to the LDAP server when a user wants to log in. If the user is allowed, a login script is run that connects the different samba shares and the user's network home as network drives.
This setup worked quite well, but with Windows 10 things started to break because of the changes in the CP.
Dream with Privacy Idea …
First, I don't know a lot about Privacy Idea, so maybe I'm completely wrong. But this will give me the opportunity to think about the unthinkable.
Because Windows keeps changing the CP, it's better to keep your own developed CP as minimal as possible. For pGina this means stripping off a lot of weight like the UI and plugins, so the user connects first to a backend (hello Privacy Idea). This backend then does all the stuff needed and sends data back to the CP, which can then act on it. So the idea here is to have a Windows CP which connects to Privacy Idea. Privacy Idea then checks the credentials etc. with 389-DS LDAP (a bit like http://mutonufoai.github.io/pgina/documentation/user.html#how_pgina_works) and then returns something. It would be very nice to have the possibility to execute a script or run a CP plugin to connect the samba shares, maybe even create a Kerberos ticket, all on the client side. To think a lot further, maybe group policies could be added as well, so the client PCs have the right policies applied.
I know there is a Windows CP for Privacy Idea, but I don't have any idea how it works right now or whether it is possible to have something like my dream. Also, you can say "We are not creating an Active Directory Server". But please think a bit about it.
Also, this is not really about two-factor authentication, but just a very basic login. But two-factor should also be possible.
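The client-side half of the flow sketched above (validate the user against privacyIDEA, then map the samba shares as network drives), as an added PowerShell example; it is not code from the original post, from pGina or from the privacyIDEA project. The server URL, the realm name, the drive letters and the UNC paths are assumptions for this post's setup, and it assumes the privacyIDEA side is configured so that a user without a token can authenticate with the LDAP password (privacyIDEA's passthru policy). The `/validate/check` endpoint and its `result.status` / `result.value` response fields are privacyIDEA's real API.

```powershell
# Added example (not pGina's or privacyIDEA's own code). Assumptions, labelled here:
#   - privacyIDEA is reachable at $PiBase over HTTPS with a certificate the client trusts
#   - the users live in a realm bound to the 389-DS LDAP resolver, and a passthru
#     policy lets a user without a token authenticate with the LDAP password
#   - the drive letters and UNC paths are placeholders for this post's file server
param(
    [Parameter(Mandatory)][string]$User,
    [Parameter(Mandatory)][securestring]$Password
)

$PiBase = 'https://privacyidea.example.org'   # assumption
$Realm  = 'ldap'                               # assumption: realm of the 389-DS resolver
$Shares = @{                                   # assumption: drive letter -> UNC path
    'H' = "\\fileserver\home\$User"
    'S' = '\\fileserver\shared'
}

# Keep the clear-text password only as long as the request needs it.
$cred  = New-Object System.Management.Automation.PSCredential($User, $Password)
$plain = $cred.GetNetworkCredential().Password

try {
    # /validate/check is privacyIDEA's authentication endpoint; the body is form-encoded.
    # Never add -SkipCertificateCheck here: the password travels in this request.
    $resp = Invoke-RestMethod -Method Post -Uri "$PiBase/validate/check" `
        -Body @{ user = $User; pass = $plain; realm = $Realm }
}
finally {
    $plain = $null
}

# Both flags matter: result.status says the request was processed without error,
# result.value says the authentication actually succeeded. A server error with
# status=false must not be mistaken for a successful login.
if (-not ($resp.result.status -and $resp.result.value)) {
    Write-Error "privacyIDEA rejected the login for '$User' (realm $Realm)"
    exit 1
}

# Authentication succeeded: map the shares as persistent network drives.
# -Scope Global keeps the drives alive after the script ends; -Persist makes
# them visible in Explorer like classic 'net use' drives.
foreach ($letter in $Shares.Keys) {
    if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $letter -Force
    }
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $Shares[$letter] `
        -Persist -Scope Global -Credential $cred | Out-Null
}
```

Two caveats a practitioner would want. First, run as a plain login script this still has to be handed the user's password, which is exactly the part a credential provider is supposed to own; in the setup dreamed of above the CP would do the `/validate/check` call itself and only pass the result (and a credential handle) to a post-login script. Second, the share mapping here authenticates to samba with the same LDAP credential over SMB; it does not obtain a Kerberos ticket, so the "maybe even create a Kerberos ticket" part of the dream needs a KDC on the server side that this script does not provide.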