Re: cosign with multiple kerberos realms

On 3/10/05 2:47 PM, Ben Poliakoff wrote:

I haven't been able to find much info about how cosign might be able to
work with multiple krb5 realms.
Has such functionality (login page featuring a drop down menu of
realms) ever been implemented?

We're implementing multiple realm support, though not quite in that fashion. (Actually, I have a test server running early code right now, but need to rework it for distribution and newer features coming up in the next CoSign.)

We have two realms: the usual students+faculty+staff+etc one (Access Accounts), plus a "Friends of Penn State" (FPS) realm. There isn't any name collision between the two (in fact, accounts can move between them: when an applicant becomes a student, FPS->Access, when a student graduates, Access->FPS), which simplified our design.

Rather than have a drop-down and/or support "princ@realm" entries (most people don't know the actual realm anyway), we're leaving the login page as-is. The cgi tries to authenticate against the Access realm first, and if that fails, tries the FPS one. The matching K5 realm is set in the REMOTE_REALM.
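The realm fallback described in the message above, sketched as an added example (not part of the original post and not cosign's own code). The realm names, the account table, `demo_check` and `authenticate_any_realm` are all hypothetical; a real CGI would put a Kerberos call such as `krb5_get_init_creds_password()` behind the callback.

```c
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_OK, AUTH_FAILED } auth_result;

/* Checks one user/password pair against one realm. A real CGI would wrap a
 * Kerberos call such as krb5_get_init_creds_password() here (assumption). */
typedef auth_result (*realm_check_fn)(const char *user, const char *pw,
                                      const char *realm);

/* Constructed realm names, listed in the order they are tried. */
static const char *const REALMS[] = { "ACCESS.EXAMPLE.EDU", "FPS.EXAMPLE.EDU" };
#define N_REALMS (sizeof(REALMS) / sizeof(REALMS[0]))

/* Constructed stand-in for the KDCs: one account per realm, no name overlap. */
static const struct { const char *user, *realm, *pw; } ACCOUNTS[] = {
    { "astudent", "ACCESS.EXAMPLE.EDU", "pw-access" },
    { "afriend",  "FPS.EXAMPLE.EDU",    "pw-fps"    },
};

static auth_result demo_check(const char *user, const char *pw, const char *realm)
{
    for (size_t i = 0; i < sizeof(ACCOUNTS) / sizeof(ACCOUNTS[0]); i++)
        if (!strcmp(user, ACCOUNTS[i].user) && !strcmp(realm, ACCOUNTS[i].realm)
            && !strcmp(pw, ACCOUNTS[i].pw))
            return AUTH_OK;
    return AUTH_FAILED;
}

/* Returns the first realm that accepts the credentials, or NULL if none does. */
const char *authenticate_any_realm(const char *user, const char *pw,
                                   const char *const realms[], size_t n,
                                   realm_check_fn check)
{
    /* The login form takes a bare name, so the user never picks the realm. */
    if (user == NULL || pw == NULL || *user == '\0' || strchr(user, '@'))
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (check(user, pw, realms[i]) == AUTH_OK)
            return realms[i];
    return NULL;
}

int main(void)
{
    const char *realm = authenticate_any_realm("afriend", "pw-fps", REALMS,
                                               N_REALMS, demo_check);
    printf("REMOTE_REALM=%s\n", realm ? realm : "(login failed)");
    return 0;
}
```

The returned realm is the value that would be exported as REMOTE_REALM; the ordered fallback is unambiguous only because the two realms share no account names.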


