cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: cosign and kerberos
On 30 Sep 2005, at 20:21, Goldrick, Jim wrote:
> Something else I was thinking about and forgot to ask (my son was
> bugging me to take him somewhere).
> Anyway, is the REMOTE_REALM env variable set by cosign the kerberos

If you only use Kerberos, then yes. If you're using the Cosign
Friend guest account extension, then the realm is "FRIEND". If
you're using the x.509 extensions, then you can arbitrarily configure
the realm, on a <cert, ca> tuple basis.

> If so, would it be extremely difficult to modify the filter to do
> some authz by putting in a
> directive into the directory section of the apache conf files? How
> about a separate module?

I think you can do this with mod_setenvif and mod_access:

    SetEnvIf REMOTE_REALM "\.REALM1\.EDU$" realm_is_realm1_edu
    Deny from all
    Allow from env=realm_is_realm1_edu

Not that I've tried this specific combination. :)
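
Added example, not part of the original message and not cosign or Apache code: a small Python model of the three directives above, used to check which REMOTE_REALM values would be let through under mod_access's default "Order Deny,Allow". The realm strings and the helper access_allowed() are constructed for illustration, and the model assumes REMOTE_REALM is visible to SetEnvIf when it runs.

```python
import re

# Constructed config modelled on the directives in the message above;
# the realm name and variable name are placeholders.
CONFIG = r'''
SetEnvIf REMOTE_REALM "\.REALM1\.EDU$" realm_is_realm1_edu
Deny from all
Allow from env=realm_is_realm1_edu
'''

SETENVIF = re.compile(r'SetEnvIf\s+(\S+)\s+"([^"]*)"\s+(\S+)$')
ACCESS = re.compile(r'(Deny|Allow)\s+from\s+(\S+)$')


def access_allowed(config, request_env):
    """Model the default 'Order Deny,Allow' decision for one request.

    request_env holds variables assumed to be visible to SetEnvIf,
    e.g. {"REMOTE_REALM": "REALM1.EDU"} (hypothetical helper).
    """
    env = dict(request_env)
    matched = {"Deny": False, "Allow": False}
    for line in filter(None, map(str.strip, config.splitlines())):
        m = SETENVIF.match(line)
        if m:
            attr, pattern, var = m.groups()
            # SetEnvIf does an unanchored regex search on the attribute value.
            if attr in env and re.search(pattern, env[attr]):
                env[var] = "1"
            continue
        m = ACCESS.match(line)
        if not m:
            raise ValueError("unsupported directive: " + line)
        kind, spec = m.groups()
        if spec == "all" or (spec.startswith("env=") and spec[4:] in env):
            matched[kind] = True
    # Deny,Allow: a Deny match blocks unless an Allow also matches.
    return matched["Allow"] or not matched["Deny"]


# Constructed realm values: subrealm, bare realm, guest realm, longer suffix.
SAMPLES = ["CS.REALM1.EDU", "REALM1.EDU", "FRIEND", "X.REALM1.EDU.EXAMPLE.ORG"]

if __name__ == "__main__":
    for realm in SAMPLES:
        print(realm, access_allowed(CONFIG, {"REMOTE_REALM": realm}))
    print("(unset)", access_allowed(CONFIG, {}))
```

With the leading "\." in the pattern, the bare realm REALM1.EDU is denied and only realms ending in ".REALM1.EDU" pass. The mod_setenvif documentation says SetEnvIf can test only request attributes and variables set by earlier SetEnvIf directives, so confirm on a live server that a variable set by the cosign filter is actually seen.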