CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cosign and kerberos

On 30 Sep 2005, at 20:21, Goldrick, Jim wrote:
Something else I was thinking about and forgot to ask (my son was bugging me to take him somewhere).

Anyway, is the REMOTE_REALM env variable set by cosign the kerberos realm?

If you only use Kerberos, then yes. If you're using the Cosign Friend guest account extension, then the realm is "FRIEND". If you're using the x.509 extensions, then you can arbitrarily configure the realm, on a <cert, ca> tuple basis.

If so, would it be extremely difficult to modify the filter to do some authz by putting in a

CosignRealm REALM1.EDU

directive into the directory section of the apache conf files? How about a separate module?

I think you can do this with mod_setenvif and mod_access:

Something like:

    SetEnvIf REMOTE_REALM "\.REALM1.EDUf$" realm_is_realm1_edu
    <Directory /docroot>
        Order Deny,Allow
        Deny from all
        Allow from env=realm_is_realm1_edu

Not that I've tried this specific combination. :)


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010