Re: cosign with multiple kerberos realms

[Wesley D Craig <wes@xxxxxxxxx>]

On 10 Mar 2005, at 16:48, Ben Poliakoff wrote:
> I know umich maintains
> a collection of different realms.....
Multiple realms was an initial requirement because of the multiple 
kerberos realms on campus.  Early versions didn't have support for 
multiple realms, since we were just concentrating on getting basic 
functionality working.  Once we had it working, we just never offered 
the admins of other realms the option to use the multi-realm support 
that was embedded in the protocol.  They never asked, so we never 
implemented it.
Certainly a drop-down on the login screen was how we envisioned it 
working.  The user selected realm would then be posted to the CGI, 
which would use it in the kerberos password check.  Once the account 
was verified, the realm would be passed on to cosignd and hence to all 
connecting filters.  Simple to get more or less working, only a little 
harder to make the UI issues smooth.
If you were to undertake these changes, we'd be happy to accept 
contributed code back into the distribution.
:wes