On October 10, 2011 11:19, Chris Hecker <chec...@d6.com> wrote:
> I asked a similar question a couple months ago for doing this from a 
> service with a keytab, and the best approach seemed to be to set up a 
> parallel mod_authn_krb5+cosign mapping to the resource, and then talk 
> to that using code, since the negotiate auth protocol looks pretty 
> simple (since you won't have to implement all the negotiate stuff) and 
> you won't need passwords for the scripts if you've got a valid krb5 
> ticket.
>
> I haven't written the code yet, but I looked at all the pieces and 
> convinced myself it would work.  You need to be able to wrap krb5 
> tickets with the spnego asn.1 wrapper, but that's probably easy from perl.

Or, if the cosign-protected web service does not need to use Kerberos 
tickets for the authenticated user, have the Perl script you're writing 
authenticate using X.509 client certificates.  Not via cosign's support 
for X.509, just via mod_ssl with a "Satisfy any" directive.

--
   Mark Montague
   LSA Research Systems Group
   University of Michigan
   markm...@umich.edu


_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
