	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cosign with multiple kerberos realms

To: Ben Poliakoff <benp@xxxxxxxx>
Subject: Re: cosign with multiple kerberos realms
From: Brett Lomas <b.lomas@xxxxxxxxxxxxxx>
Date: Fri, 11 Mar 2005 10:57:59 +1300
Cc: cosign-discuss <cosign-discuss@xxxxxxxxx>
In-reply-to: <20050310214836.GR3816@tristero.reed.edu>
References: <20050310194743.GQ3816@tristero.reed.edu> <1110489339.3961.26.camel@brett.enarc.auckland.ac.nz> <20050310214836.GR3816@tristero.reed.edu>

Hey Ben,

I think from the CGI and cosign server this would be trivial.
But what about when i choose to auth against realm A and the webserver I
am going to know nothing about realm A. That is probably the hard part
about this setup

We here (University of Auckland) have one kerberos realm for the whole
unversity population (so kinda lucky in this regard :))

Brett

On Fri, 2005-03-11 at 10:48, Ben Poliakoff wrote:
> Thanks for the reply Brett,
> 
> The underlying krb5 layer should be relatively straight forward I
> would think, given that a krb5.conf file can hold info about lots of
> realms.  But I guess I was specifically wondering whether a single
> cosign weblogin server could be made to do initial authentication from a
> pool of user selectable realms (hence my reference to a drop down menu
> on the login page).  So there would be explicit control over the allowed
> realms (and the weblogin server would need to have service principals in
> its keytab file from all of the participating realms).  
> 
> To give a more specific example, we're toying with the idea of enabling
> cosign on some existing web apps that serve two distinct groups: users
> with current accounts and alums.  The two groups can't be merged due
> to namespace (principal name) collisions, but they could "coexist"
> within two distinct krb5 realms.  If our weblogin server could allow
> the user to select the realm to which to authenticate then we could
> use cosign auth for both groups of users.  Our web apps could readily
> distinguish the populations by reading the value of the CGI variable,
> "REMOTE_REALM".
> 
> Has this sort of thing been discussed before?  I know umich maintains
> a collection of different realms.....
> 
> Ben
> 
> * Brett Lomas <b.lomas@xxxxxxxxxxxxxx> [20050310 13:17]:
> > I don't believe it has.
> > 
> > Having said that most of the code will handle multiple realms already.
> > The only problem i could see with this how you handle an application
> > getting an incorrect kerberos ticket (in a realm it know nothing about).
> > e.g. a user chooses to authenticate to realm A and accesses web service
> > X which is part of realm B and get a kerberos ticket from the cosign
> > server for A. The possibly needs to be a mechanism for the webservers to
> > requests a ticket in a certain realm, and if not there get the user to
> > re-authenticate in that realm?? Unless you can build kerberos trust?
> > (not sure on this)
> > 
> > Brett
> > 
> > On Fri, 2005-03-11 at 08:47, Ben Poliakoff wrote:
> > > I haven't been able to find much info about how cosign might be able to
> > > work with multiple krb5 realms.
> > > 
> > > Has such functionality (login page featuring a drop down menu of
> > > realms) ever been implemented?
> > > 
> > > Ben

References:
- cosign with multiple kerberos realms
  - From: Ben Poliakoff
- Re: cosign with multiple kerberos realms
  - From: Brett Lomas
- Re: cosign with multiple kerberos realms
  - From: Ben Poliakoff

Prev by Date: Re: cosign with multiple kerberos realms
Next by Date: Re: UMich Webmail and IMAP question
Previous by thread: Re: cosign with multiple kerberos realms
Next by thread: Re: cosign with multiple kerberos realms
Index(es):
- Date
- Thread