[OTDev] OpenSSO now secure

Andreas Maunz andreas at maunz.de
Fri Jun 11 10:16:22 CEST 2010


Sorry, it should read:

<Subject name="mygroupname" type="LDAPGroups" includeType="inclusive">
   <AttributeValuePair>
     <Attribute name="Values"/>
     <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
   </AttributeValuePair>
</Subject>

instead.

A.M.

Andreas Maunz wrote on 06/11/2010 10:09 AM:
> Hi Nina,
>
> you would create a policy that contains:
>
> <Subject name="mygroupname" type="LDAPUsers" includeType="inclusive">
> <AttributeValuePair>
> <Attribute name="Values"/>
> <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> </AttributeValuePair>
>
> Mind the "ou=groups" instead of "ou=people". Then, create the group
> "mygroup" and assign users to it (contact Micha for that).
>
> Best regards
> Andreas
>
>
> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
>> Hi Andreas,
>>
>> Could you tell me how to create a policy that allows a group of users to
>> POST or GET? This would be applicable to almost all top-level
>> resources like /algorithm/{id}, etc.
>>
>> Following the example on p. 12 of deliverable D3.3, one could
>> create a policy which is per user only.
>>
>> Best regards,
>> Nina
>>
>> Andreas Maunz wrote:
>>> Hi all,
>>>
>>> connections to the OpenSSO service at opensso.in-silico.ch can now be
>>> made secure by using SSL.
>>> Submit your user credentials safely and obtain a token:
>>>
>>> ****************************************************************
>>> am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
>>>
>>>
>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
>>> * Trying 178.63.18.76... connected
>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
>>> * successfully set certificate verify locations:
>>> * CAfile: none
>>> CApath: /etc/ssl/certs
>>> * SSLv3, TLS handshake, Client hello (1):
>>> * SSLv3, TLS handshake, Server hello (2):
>>> * SSLv3, TLS handshake, CERT (11):
>>> * SSLv3, TLS handshake, Server finished (14):
>>> * SSLv3, TLS handshake, Client key exchange (16):
>>> * SSLv3, TLS change cipher, Client hello (1):
>>> * SSLv3, TLS handshake, Finished (20):
>>> * SSLv3, TLS change cipher, Client hello (1):
>>> * SSLv3, TLS handshake, Finished (20):
>>> * SSL connection using AES256-SHA
>>> * Server certificate:
>>> * subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>> * start date: 2010-06-09 16:38:59 GMT
>>> * expire date: 2020-06-06 16:38:59 GMT
>>> * common name: Christoph Helma (does not match
>>> 'opensso.in-silico.ch')
>>> * issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>> * SSL certificate verify result: self signed certificate (18),
>>> continuing anyway.
>>> > POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
>>> > User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
>>> > OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
>>> > Host: opensso.in-silico.ch
>>> > Accept: */*
>>> > Content-Length: 32
>>> > Content-Type: application/x-www-form-urlencoded
>>> >
>>> < HTTP/1.1 200 OK
>>> HTTP/1.1 200 OK
>>> < Server: nginx/0.6.32
>>> Server: nginx/0.6.32
>>> < Date: Thu, 10 Jun 2010 08:12:27 GMT
>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
>>> < Content-Type: text/plain;charset=UTF-8
>>> Content-Type: text/plain;charset=UTF-8
>>> < Connection: keep-alive
>>> Connection: keep-alive
>>> < Content-Length: 72
>>> Content-Length: 72
>>>
>>> <
>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
>>> * Connection #0 to host opensso.in-silico.ch left intact
>>> * Closing connection #0
>>> * SSLv3, TLS alert, Client hello (1):
>>> ****************************************************************
>>>
>>> As you can see, a special switch (-k) is still required to allow
>>> connections using the self-signed certificate from Christoph. We might
>>> improve on this by using a free certificate from startssl.com, which
>>> clients trust.
>>>
>>> Moreover, connections without SSL still work as usual.
>>>
>>> Greetings
>>> Andreas
>>>
>>
>

-- 
http://www.maunz.de

                         C Programmers do it recursively.
