CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: cosign with multiple kerberos realms



On 3/10/05 2:47 PM, Ben Poliakoff wrote:

> I haven't been able to find much info about how cosign might be able to
> work with multiple krb5 realms.
> ...
> Has such functionality (login page featuring a drop down menu of
> realms) ever been implemented?



We're implementing multiple realm support, though not quite in that fashion. (Actually, I have a test server running early code right now, but need to rework it for distribution and newer features coming up in the next CoSign.)


We have two realms: the usual students+faculty+staff+etc one (Access Accounts), plus a "Friends of Penn State" (FPS) realm. There isn't any name collision between the two (in fact, accounts can move between them: when an applicant becomes a student, FPS->Access, when a student graduates, Access->FPS), which simplified our design.

Rather than have a drop-down and/or support "princ@realm" entries (most people don't know the actual realm anyway), we're leaving the login page as-is. The cgi tries to authenticate against the Access realm first, and if that fails, tries the FPS one. The matching K5 realm is set in the REMOTE_REALM.

-Phil
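
The ordered realm fallback described in the reply above, as an added example that is not part of the original message and is not CoSign's code. The realm names, the `realm_check_fn` callback and the in-memory account table are constructed stand-ins for the per-realm Kerberos check.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder realm names, in the order the post describes:
 * the main (Access) realm first, then the FPS realm. */
static const char *const REALM_ORDER[] = { "ACCESS.EXAMPLE", "FPS.EXAMPLE" };
#define NREALMS (sizeof REALM_ORDER / sizeof REALM_ORDER[0])

/* Hypothetical per-realm check: returns 1 if login/password is valid in
 * realm, else 0. A real CGI would request initial Kerberos credentials. */
typedef int (*realm_check_fn)(const char *realm, const char *login,
                              const char *password);

/* Constructed accounts standing in for the two KDCs. */
struct acct { const char *realm, *login, *password; };
static const struct acct DEMO[] = {
    { "ACCESS.EXAMPLE", "student1", "pw-access" },
    { "FPS.EXAMPLE",    "alum1",    "pw-fps" },
};

static int demo_check(const char *realm, const char *login,
                      const char *password)
{
    for (size_t i = 0; i < sizeof DEMO / sizeof DEMO[0]; i++)
        if (strcmp(DEMO[i].realm, realm) == 0 &&
            strcmp(DEMO[i].login, login) == 0)
            return strcmp(DEMO[i].password, password) == 0;
    return 0; /* no such principal in this realm */
}

/* Returns the realm that accepted the credentials (the value to publish
 * as REMOTE_REALM), or NULL if every realm rejected them. */
const char *auth_with_fallback(realm_check_fn check, const char *login,
                               const char *password)
{
    /* The form takes a bare name; "princ@realm" input is not supported,
     * so the realm always comes from REALM_ORDER, never from the user. */
    if (!login || !password || !*login || strchr(login, '@'))
        return NULL;
    for (size_t i = 0; i < NREALMS; i++)
        if (check(REALM_ORDER[i], login, password))
            return REALM_ORDER[i];
    return NULL;
}

int main(void)
{
    const char *realm = auth_with_fallback(demo_check, "alum1", "pw-fps");
    printf("REMOTE_REALM=%s\n", realm ? realm : "(login failed)");
    return 0;
}
```

Because a rejected attempt in the first realm falls through to the second, the returned realm identifies the account unambiguously only when login names never collide across realms, which is the situation the reply describes.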


 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010