CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: cosign and kerberos



On 30 Sep 2005, at 20:21, Goldrick, Jim wrote:
Something else I was thinking about and forgot to ask (my son was bugging me to take him somewhere).

Anyway, is the REMOTE_REALM env variable set by cosign the kerberos realm?

If you only use Kerberos, then yes. If you're using the Cosign Friend guest account extension, then the realm is "FRIEND". If you're using the x.509 extensions, then you can arbitrarily configure the realm, on a <cert, ca> tuple basis.


If so, would it be extremely difficult to modify the filter to do some authz by putting in a

CosignRealm REALM1.EDU

directive into the directory section of the apache conf files? How about a separate module?

I think you can do this with mod_setenvif and mod_access:


    http://httpd.apache.org/docs/1.3/mod/mod_setenvif.html
    http://httpd.apache.org/docs/1.3/mod/mod_access.html

Something like:

    # Match the realm exactly: anchor both ends and escape the dot
    SetEnvIf REMOTE_REALM "^REALM1\.EDU$" realm_is_realm1_edu
    <Directory /docroot>
        Order Deny,Allow
        Deny from all
        Allow from env=realm_is_realm1_edu
    </Directory>

Not that I've tried this specific combination. :)

:wes
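
An application-side version of the same realm check, as an added example that is not part of the original thread or the cosign code base: a WSGI middleware that allows only an exact REMOTE_REALM match. It assumes the cosign filter exposes REMOTE_USER and REMOTE_REALM as CGI-style environment entries; RealmGate, realm_allowed, run and the sample values are constructed for illustration.

```python
"""Realm allowlist enforced in the application (added example)."""

# Assumption: the cosign filter exposes REMOTE_USER and REMOTE_REALM to the
# application as CGI-style environment entries, as described in the thread.
ALLOWED_REALMS = frozenset({"REALM1.EDU"})  # realm name taken from the thread


def realm_allowed(environ, allowed=ALLOWED_REALMS):
    """Return True only when the server-set realm is exactly an allowed realm."""
    user = environ.get("REMOTE_USER")
    realm = environ.get("REMOTE_REALM")
    # A client-sent "Remote-Realm:" header arrives as HTTP_REMOTE_REALM and is
    # never consulted here; only the server-set variable counts.
    if not user or not realm:
        return False
    # Exact comparison: no substring or suffix match, so "FRIEND",
    # "XREALM1.EDU" and "REALM1.EDU.EXAMPLE" are all rejected.
    return realm in allowed


class RealmGate:
    """WSGI middleware that answers 403 unless realm_allowed() passes."""

    def __init__(self, app, allowed=ALLOWED_REALMS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        if realm_allowed(environ, self.allowed):
            return self.app(environ, start_response)
        body = b"Forbidden: realm not authorized\n"
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def demo_app(environ, start_response):
    """Stand-in protected application (constructed for the example)."""
    who = "%s@%s" % (environ["REMOTE_USER"], environ["REMOTE_REALM"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % who).encode()]


def run(environ):
    """Drive the gate with a constructed environ; return (status, body)."""
    seen = {}
    body = b"".join(RealmGate(demo_app)(
        environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```
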


 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010