Single sign on with Apache and LDAP

Solution 1:

There are several standards for web SSO. LDAP is not an SSO mechanism, just information lookup. Reach out to your vendors to find out if these applications support Kerberos (Apache uses mod_auth_kerb) or SAML (such as Shibboleth). Each will require some infrastructure, such as Active Directory, FreeIPA, Shibboleth, Oracle Identity Federation, etc.

Solution 2:

I would suggest using Kerberos/GSSAPI authentication if you want single sign on for your applications. With an Identity Management server with centralized storage for your users and groups, you can hook your Apache web applications, gerrit or Redmine. For the IdM server, you can use FreeIPA project which comes for free and is open source.

Solution 3:

In your case, it would also make sense to use Univention Corporate Server (UCS), because it includes a SSO mechanism via SAML 2.0 since the latest release (UCS 4.1). More about that in the UCS manual. The user data you need to manage is stored and administrated in openLDAP, which is also included in UCS.

In case you test UCS, which you can download for free from Univention's website, and its SSO feature, your application must only be configured to use UCS as the IdP. For this, check again the UCS manual.

Since UCS is also based on Debian, your Ubuntu clients could easily be integrated into the UCS domain. More details on this again in the UCS manual. The LDAP integration is managed via SSSD.