On April 10, 2012 8:28 , "Houtzager, Guus" <guus.houtza...@capgemini.com> wrote:
What happens is that if for instance I try to visit the portal with a valid account, it redirects to the sso login site, I fill in the credentials of the account and the sso site presents me with a page saying login failed. I'm 100% sure that this message comes from the engineer factor. That's not what I expected, as I haven't specified that factor in that vhost. If I just disregard this message and go to the portal site again, it lets me in just fine (because I did get through the ldap factor). I think that the sso website steps through each factor in the order specified in cosign.conf, regardless of what is specified in Apache using CosignRequireFactor. After checking and checking again I've become stuck, so time to ask some advice:

  * Did I understand the mechanism of how this is supposed to work
    correctly?
  * Is this the correct way of trying to achieve what I need or do you
    have a better suggestion?
  * Any idea where I'm going wrong? I'm running cosign 3.2.0.


Factors are designed for authentication, not for authorization: their input is a set of credentials (username, password, HOTP/TOTP code, etc.) and their output is whether the set of credentials is valid or not.

I'm not saying "don't do what you're doing", but you may find it easier, more scalable, and more sensical to use an authorization mechanism for what you want to do. For example, allow cosign to determine the user's identity, but then use the authorization parts of mod_authnz_ldap to compare the user's identity (as determined by cosign) to say whether the user is a member of a certain LDAP group, or is in a certain LDAP OU, and thus whether they are an engineer, a non-engineer user, or somebody else.

--
  Mark Montague
  m...@catseye.org
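As an added example of the split Mark describes (authentication by cosign for the whole vhost, authorization by mod_authnz_ldap per location), here is an Apache configuration sketch. It is not from the thread or from the cosign project; the hostnames, DNs, group names, service name and file paths are placeholders, and the cosign directive values must match your own cosign.conf and weblogin server.

```apache
# Added example, not from the original thread. All names below are placeholders.

# --- Authentication: let cosign establish who the user is for the whole vhost.
# The factor list here should be the one every user of this vhost can satisfy
# (e.g. the LDAP/password factor); do not list the engineer-only factor.
CosignProtected          On
CosignHostname           weblogin.example.com
CosignService            portal-example
CosignRedirect           https://weblogin.example.com/
CosignPostErrorRedirect  https://weblogin.example.com/post_error.html
CosignFilterDB           /var/cosign/filter
CosignCrypto             /etc/ssl/private/portal.key /etc/ssl/certs/portal.crt /etc/ssl/certs
CosignRequireFactor      EXAMPLE.COM

# --- Directory lookup used by mod_authnz_ldap for authorization only.
# The attribute in the URL (uid) must be the same identifier cosign puts in
# REMOTE_USER, otherwise the group lookup cannot find the user's DN.
AuthLDAPURL        "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
AuthLDAPBindDN     "cn=apache-reader,ou=service,dc=example,dc=com"   # only if anonymous search is not allowed
AuthLDAPBindPassword "REPLACE_ME"

# --- Authorization: cosign says who the user is; LDAP says what they may see.
# Any authenticated user may reach the general part of the portal.
<Location /portal>
    AuthType Cosign
    Require valid-user
</Location>

# Only members of the engineers group may reach the engineering section.
<Location /portal/engineering>
    AuthType Cosign
    Require ldap-group cn=engineers,ou=groups,dc=example,dc=com
</Location>

# Alternative for "anyone in a given OU": match on the user's DN with a filter.
<Location /portal/staff>
    AuthType Cosign
    Require ldap-filter (&(uid=*)(ou=Staff))
</Location>
```

A few checks worth doing after adding this: confirm that the `uid` (or whatever attribute you pick) in `AuthLDAPURL` is exactly what `REMOTE_USER` contains after a cosign login, because `Require ldap-group` has to look the user's DN up by that value; confirm that the group entry uses the member attribute mod_authnz_ldap expects (`member` or `uniqueMember` by default, adjustable with `AuthLDAPGroupAttribute`); and make sure the engineer-only factor is not listed in `CosignRequireFactor` for this vhost at all, since factor checks happen at login time and cannot be scoped per location the way `Require` can.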

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss