[OTDev] OpenSSO now secure
Andreas Maunz andreas at maunz.de
Fri Jun 11 10:16:22 CEST 2010
Sorry, it should read:

<Subject name="mygroupname" type="LDAPGroups" includeType="inclusive">
<AttributeValuePair>
<Attribute name="Values"/>
<Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
</AttributeValuePair>
</Subject>

instead.

A.M.

Andreas Maunz wrote on 06/11/2010 10:09 AM:
> Hi Nina,
>
> you would create a policy that contains:
>
> <Subject name="mygroupname" type="LDAPUsers" includeType="inclusive">
> <AttributeValuePair>
> <Attribute name="Values"/>
> <Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
> </AttributeValuePair>
>
> Mind the "ou=groups" instead of "ou=people". Then, create the group
> "mygroup" and assign users to it (contact Micha for that).
>
> Best regards
> Andreas
>
>
> Nina Jeliazkova wrote on 06/11/2010 08:53 AM:
>> Hi Andreas,
>>
>> Could you tell how to create a policy, that allows group of users to
>> POST or GET ? This would be applicable to almost all top level
>> resources like /algorithm/{id} , etc.
>>
>> Following the example at p.12 of the deliverable D3.3. , one could
>> create a policy which is per user only.
>>
>> Best regards,
>> Nina
>>
>> Andreas Maunz wrote:
>>> Hi all,
>>>
>>> connections to the OpenSSO service at opensso.in-silico.ch can now be
>>> made secure by using SSL.
>>> Submit your user credentials safely and obtain a token:
>>>
>>> ****************************************************************
>>> am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret"
>>> https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
>>>
>>>
>>> * About to connect() to opensso.in-silico.ch port 443 (#0)
>>> * Trying 178.63.18.76... connected
>>> * Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
>>> * successfully set certificate verify locations:
>>> * CAfile: none
>>> CApath: /etc/ssl/certs
>>> * SSLv3, TLS handshake, Client hello (1):
>>> * SSLv3, TLS handshake, Server hello (2):
>>> * SSLv3, TLS handshake, CERT (11):
>>> * SSLv3, TLS handshake, Server finished (14):
>>> * SSLv3, TLS handshake, Client key exchange (16):
>>> * SSLv3, TLS change cipher, Client hello (1):
>>> * SSLv3, TLS handshake, Finished (20):
>>> * SSLv3, TLS change cipher, Client hello (1):
>>> * SSLv3, TLS handshake, Finished (20):
>>> * SSL connection using AES256-SHA
>>> * Server certificate:
>>> * subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>> * start date: 2010-06-09 16:38:59 GMT
>>> * expire date: 2020-06-06 16:38:59 GMT
>>> * common name: Christoph Helma (does not match
>>> 'opensso.in-silico.ch')
>>> * issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology;
>>> CN=Christoph Helma; emailAddress=helma at in-silico.ch
>>> * SSL certificate verify result: self signed certificate (18),
>>> continuing anyway.
>>>> POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
>>>> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7
>>>> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
>>>> Host: opensso.in-silico.ch
>>>> Accept: */*
>>>> Content-Length: 32
>>>> Content-Type: application/x-www-form-urlencoded
>>>>
>>> < HTTP/1.1 200 OK
>>> HTTP/1.1 200 OK
>>> < Server: nginx/0.6.32
>>> Server: nginx/0.6.32
>>> < Date: Thu, 10 Jun 2010 08:12:27 GMT
>>> Date: Thu, 10 Jun 2010 08:12:27 GMT
>>> < Content-Type: text/plain;charset=UTF-8
>>> Content-Type: text/plain;charset=UTF-8
>>> < Connection: keep-alive
>>> Connection: keep-alive
>>> < Content-Length: 72
>>> Content-Length: 72
>>>
>>> <
>>> token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
>>> * Connection #0 to host opensso.in-silico.ch left intact
>>> * Closing connection #0
>>> * SSLv3, TLS alert, Client hello (1):
>>> ****************************************************************
>>>
>>> As you can see, a special switch (-k) is still required to allow
>>> connections using the self-signed certificate from Christoph. We might
>>> improve on this by using a free certificate from startssl.com, which
>>> clients trust.
>>>
>>> Moreover, connections without SSL still work as usual.
>>>
>>> Greetings
>>> Andreas
>>>
>>
>
--
http://www.maunz.de
C Programmers do it recursively.
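
A check for the mistake corrected in this message, added here as an example and not part of the original mail or of OpenSSO: it parses a policy's Subject elements and reports any whose type does not match the directory branch of its DN. The function names and the pairing of LDAPGroups with ou=groups and LDAPUsers with ou=people are assumptions drawn from the directory layout mentioned in the thread.

```python
import xml.etree.ElementTree as ET

# Assumption from the thread's directory layout: group entries sit under
# ou=groups and user entries under ou=people.
EXPECTED_OU = {"LDAPGroups": "groups", "LDAPUsers": "people"}

# Constructed samples: the Subject from the first reply (closing tag added so
# it parses) and the corrected Subject from this message.
FIRST_REPLY = """<Subject name="mygroupname" type="LDAPUsers" includeType="inclusive">
<AttributeValuePair><Attribute name="Values"/>
<Value>uid=mygroup,ou=groups,dc=opentox,dc=org</Value>
</AttributeValuePair></Subject>"""
CORRECTED = FIRST_REPLY.replace("LDAPUsers", "LDAPGroups")


def rdns(dn):
    """Split a plain DN into lowercase (attribute, value) pairs.
    Escaped commas are not handled; the DNs in the thread have none."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def lint_subjects(xml_text):
    """Return one finding per Subject whose type disagrees with its DN branch."""
    findings = []
    for subject in ET.fromstring(xml_text).iter("Subject"):
        stype = subject.get("type", "")
        expected = EXPECTED_OU.get(stype)
        if expected is None:
            continue  # other subject types are not checked here
        for value in subject.iter("Value"):
            dn = (value.text or "").strip()
            ous = [v for a, v in rdns(dn) if a == "ou"]
            if expected not in ous:
                findings.append("%s: type %s but DN %s is not under ou=%s"
                                % (subject.get("name", "?"), stype, dn, expected))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("first reply", FIRST_REPLY), ("corrected", CORRECTED)):
        print(label, "->", lint_subjects(xml_text) or "ok")
```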