I've been trying to research the myriad options for web content
filtering and monitoring. Although I've found some that seem to support
some kind of LDAP integration, my focus has now moved to address the
question of how such a solution would be presented to end users.
Windows-based filters offer "single sign on" for users authenticating
against Active Directory, but most of the LDAP-aware solutions stop
short of allowing the same for Macs. Even those offering Mac integration
imply that the user will log in once to the Mac server to get access to
their workspace (home folder, dock, etc.) and then have to do it AGAIN
when they first open up Safari/Firefox/whatever by way of an HTML form
before they can surf. This is *not* what we would prefer.

So, my question is: what's involved for a user account in a managed OS-X
environment (that is, usernames, home folders, environment preferences,
etc., all being drawn from OS-X server 10.3 and its OpenLDAP-based
system) to be able to pass a "token" (for want of a better phrase) to an
outside service (like an authenticating web proxy) so that the user only
has to type in a login and password ONCE per session. We want to be able
to implement a web filter/monitoring system that is as transparent to
users as is possible. We run Mac and Windows clients, but this is far
more important for the Mac side.

There's no point me searching endlessly for a solution if there is some
fundamental limitation in the implementation of OS-X or LDAP that means
this can't be done. People talk about "Kerberos" as a technology for
doing such things, but I wouldn't know a Kerberos if it fell on me.

Can anyone educate me? Better still, does anyone know of a web filtering
solution that is Mac/OS-X Server friendly and offers this feature?