Re: Groups and other variables?

[Mark Montague <markmont@xxxxxxxxx>]

On Wed, 2 Mar 2005, Brian Hatch wrote:

> Is there any facility in Cosign to allow you to 'store' other
> information aside from the REMOTE_USER when the filter does it's
> thing?  These would be set in other env variables, and preferably
> be available for permissions descisions like 'require-group'
> without too much hoop jumping.

I'm not on the cosign development team, but I'm curious --
what other information aside from REMOTE_USER and REMOTE_REALM
are you looking for?

I run several cosign-enabled web servers, and use require-group
all the time.  I use both DBM and LDAP groups.  mod_auth_dbm
for Apache uses the user information provided by cosign to do
the group lookup.  I also write a large number of Perl CGIs
that use the REMOTE_USER environment variable to do their
own group checks via LDAP and other means.

cosign's job is authentication.  Authorization is a separate
task that takes place outside of cosign after authentication
occurs.  Authorization is usually handled the same way you
handle authorization when using any other form of authentication
other than cosign.

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                markmont@xxxxxxxxx