On April 19, 2010 22:37 , marvin derek <[email protected]>
wrote:
1,In my institution,there are many web-based apps,and i
want to use COSIGN to make them working together by using one id ,but
these web-based app with many different database ,(e,g. mysql for
storing user id and sercet code),and the apps have written by many
script language (e.g.PHP,JSP,ASP.NET <http://ASP.NET>)
How can i cosigned these apps?How the application get
user information after verification by cosign-server ?
Modify the applications so that they get the user's identity from the
place where cosign stores it. For example, in the case of mod_cosign
for Apache HTTP Server, the application should get the user's identity
from the environment variable REMOTE_USER. In the case of IISCosign,
the variable is HTTP_REMOTE_USER. Consult the documentation for more
information.
cosign only tells you who the user is. cosign does not manage
information about the user. cosign lets you manage information about
the user using any other software you want to use. You can have your
web application manage user information itself. Or you can store user
information in a database (MySQL, Oracle, whatever) and have your web
application query the information using SQL. Or you can store user
information in a directory and query the user information using LDAP.
Many other solutions are also possible, and you are free to pick
whichever solution for managing user information best meets your needs.
2,I know filedraws is a web-based app that manage the
space of disks provided by AFS,i intend to integrate this app with
others which i had mentioned in case 1.Since fildraws has
a verification by Krb5,and it is different from other apps that used
BasicAuth( i assumed).How to integrate these apps using Cosign?Anyone
can afford some useful LINKs about this issue?
Filedrawers supports cosign out of the box; no modifications are
needed. Configure cosign to use Kerberos 5 to authenticate users. Also
configure cosign to perform Kerberos ticket passing to the web server
that is running Filedrawers. Filedrawers will receive the end user's
proxied Kerberos ticket granting tickets from cosign, and then will use
those proxied tickets to authenticate the user to the AFS file servers.
3,I want to know where the informations(e.g id and
others) of users of cosign stored ? In my circumstance,i already have
a mysql database that
had stored user informations,how can i use these infs for cosign
auth?Is there a synchronization between them?If the answer is no ,is
it means you should to add users one by one by manual work?(It's sound
like crazy if there are thousands of users. :) ).It's a good news for
me if cosign can use a database as its backend;
cosign does not store user information, so no synchronization is
necessary. You need to provide cosign with some external way to
authenticate users. cosign can use Kerberos, LDAP (including Microsoft
Active Directory), databases, Unix PAM, OTP hardware tokens (such as the
RSA SID800, among others), and more. You will need to have the
appropriate directives in cosign.conf for whatever authentication
solution(s) you pick. For some authentication solutions -- depending on
what you pick, and also depending on your IT environment's identify
management architecture and configuration -- you may also need to
provide, write, or modify external factor programs or scripts.
cosign Friend is an external application, distributed separately from
cosign and completely optional, that allows users to sign up for guest
accounts. Users provide their email address when signing up; an email
message with a verification link is then sent to that address. When the
user clicks on the verification link, they are allowed to set a
password. The user's email address and password are then stored in a
MySQL database. If you configure cosign to use cosign Friend, and
someone attempts to log in using their email address, then cosign will
check the cosign Friend database to see if they supplied the correct
password. If they did, then the REMOTE_USER variable will be populated
with the user's email address. It is very important to note that
although cosign Friend happens to use a MySQL database to store user
information, this is very different from configuring cosign to use MySQL
to perform user authenticaiton: cosign Friend is a complete guest
account management solution, that permits users to sign up for accounts,
reset their own passwords, and so on; whereas if you configure cosign to
use MySQL to authenticate users directly, it is presumed that some other
system is responsible for managing the user information in the MySQL
database.
You can configure cosign to accept multiple methods of authentication
(known as "authentication factors"). For example, you can say, "allow
the user to log in if they authenticate EITHER via Kerberos OR via
cosign Friend", or you can say, "allow the user to log in only if they
authenticate BOTH via Microsoft Active Directory AND ALSO via a OTP
hardware token". If you have factors which you choose to make optional,
then individual web services (such as Filedrawers) can pick which
factors they wish to require; this allows you to have different levels
of security and authentication for different services in your environment.
Again, cosign does not manage user information. This means that if you
configure cosign to use LDAP for authentication, you will need to have
something in your environment that creates LDAP directory entries for
each user, lets them set or change their LDAP passwords, and so on.
Depending on your environment, you can choose to have this happen
automatically based on certain conditions, or you can add each user one
by one manually; either way, this has nothing to do with cosign itself,
it's functionality that needs to be provided by your LDAP software.
The situation is similar if you configure cosign to use Kerberos, or a
SQL database, or hardware tokens.
I hope this helps.
Mark Montague
ITS Enterprise Email& Collaboration Technologies Team
The University of Michigan
[email protected]
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
