cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Groups and other variables?
On Wed, 2 Mar 2005, Brian Hatch wrote:
> Is there any facility in Cosign to allow you to 'store' other
> information aside from the REMOTE_USER when the filter does its
> thing? These would be set in other env variables, and preferably
> be available for permissions decisions like 'require-group'
> without too much hoop jumping.

I'm not on the cosign development team, but I'm curious --
what other information aside from REMOTE_USER and REMOTE_REALM
are you looking for?

I run several cosign-enabled web servers, and use require-group
all the time. I use both DBM and LDAP groups. mod_auth_dbm
for Apache uses the user information provided by cosign to do
the group lookup. I also write a large number of Perl CGIs
that use the REMOTE_USER environment variable to do their
own group checks via LDAP and other means.

cosign's job is authentication. Authorization is a separate
task that takes place outside of cosign after authentication
occurs. Authorization is usually handled the same way you
handle authorization when using any other form of authentication
other than cosign.

LS&A Information Technology
The University of Michigan
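
The split described in the message above (the filter authenticates and sets REMOTE_USER and REMOTE_REALM, the application authorizes), as an added example that is not part of the original post or of cosign. The group data, the realm name, the username pattern and the LDAP attribute names are assumptions made for illustration.

```python
import re

# Constructed group data standing in for a DBM file or an LDAP directory.
GROUPS = {
    "webadmins": {"alice", "bob"},
    "staff": {"alice", "carol"},
}
ALLOWED_REALM = "EXAMPLE.EDU"  # hypothetical realm name
USER_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")  # assumed username policy


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(user, group):
    """Filter an LDAP-backed check could send; cn/memberUid are assumed names."""
    return "(&(cn=%s)(memberUid=%s))" % (ldap_escape(group), ldap_escape(user))


def authorize(environ, required_group, groups=GROUPS):
    """Return True only if the authenticated user belongs to required_group.

    environ is the CGI environment; the authentication filter is expected
    to have set REMOTE_USER and REMOTE_REALM before this code runs.
    """
    user = environ.get("REMOTE_USER", "")
    realm = environ.get("REMOTE_REALM", "")
    # Fail closed: a missing or malformed identity never reaches the lookup.
    if not USER_RE.fullmatch(user) or realm != ALLOWED_REALM:
        return False
    return user in groups.get(required_group, set())


if __name__ == "__main__":
    env = {"REMOTE_USER": "alice", "REMOTE_REALM": "EXAMPLE.EDU"}
    print(authorize(env, "webadmins"), group_filter("alice", "webadmins"))
```
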