On Mar 8, 2010, at 3:59 PM, Simon Chang wrote:

> 1) In cosign.conf, under the "passwd" keyword, we are instructed to use
> regex to specify the kind of username we want to be authenticating. We
> are also told that $1, $2, and $3 are replaced "with the corresponding
> parenthesized subexpressions of the regular expression". Can someone
> tell me what on earth all that means, and whether it would be sufficient
> to use $1 just for password authentication?
From the sound of it, you don't need the passwd keyword in your setup, since
you appear to be using just the one authentication mechanism, which is krb5 as
offered by Active Directory. The passwd keyword is available to weblogin
administrators who need to alter the default authenticator selection. By
default, any username containing the "@" is considered an e-mail address,
which the cosign.cgi attempts to authenticate against MySQL (typically Cosign
Friend [1]). Any username not containing the "@" is considered a kerberos
principal, which the cgi attempts to authenticate against the default realm.

The passwd keyword allows you to change this if, for example, you want to allow
authentication against multiple kerberos realms:

    # fields are: keyword authenticator regex login realm
    passwd kerberos (.+)@(A\.COSIGN\.EDU) $1 $2
    passwd kerberos (.+)@(B\.COSIGN\.EDU) $1 $2

Or more simply:

    passwd kerberos (.+)@([AB]\.COSIGN\.EDU) $1 $2
    passwd kerberos ([...@]+) $1 DEFAULT.COSIGN.EDU

The "parenthesized subexpressions" are the parts of the regular expression
contained within the parentheses. Each pattern match within a "parenthesized
subexpression" (a term taken directly from the re_format(7) manpage, by the way)
can then be substituted into the login and realm fields of the passwd
configuration line.

> 2) I did not see anywhere in cosign.conf(5) that spells out which
> directives/keywords are mandatory and which are optional. I am guessing
> that stuff like "cosignticketlifetime" is probably optional, but I am
> just trying to get it to work right now and am looking for the bare
> minimum number of directives to get this to interface correctly with our
> Windows Active Directory. Suggestions?

Depending on how you configured the build, only "service" and "cgi" entries
are actually required for a working cosign environment. Most of the "set
cosign..." options have sane defaults, which are described in the manpage.
Of course, those defaults are references to required resources, which you'll
need to provide. At a minimum, you'll need the following resources (the
associated keyword, which has a default value, is in parentheses):

* A CA directory (cosigncadir)
* An SSL certificate (cosigncert)
* An SSL private key (cosignkey)
* A keytab for verifying credentials (cosignkeytab)

Check the default values for those keywords. For the most part, it'll just be
a matter of putting files in the right locations, and cosign.cgi & cosignd
should locate them.

andrew

[1] Cosign Friend: https://sourceforge.net/projects/cosignfriend/

_______________________________________________
Cosign-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
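The following is an added illustration, not code from the thread or from cosign itself: a small Python model of how passwd lines of the shape `passwd authenticator regex login realm` select an authenticator and fill `$1`, `$2` from the parenthesized subexpressions. The two realm-specific lines are taken from the reply above; the catch-all line using `([^@]+)` and the decision to require a full-string match are assumptions made here for the model, not a statement about how cosign.cgi anchors its patterns.

```python
import re

# Constructed passwd lines in the cosign.conf shape described in the reply:
#   passwd <authenticator> <regex> <login> <realm>
# The last line is an assumption for this model: a catch-all for names
# that contain no "@" (the mailing-list text's character class is garbled).
PASSWD_LINES = [
    r"passwd kerberos (.+)@(A\.COSIGN\.EDU) $1 $2",
    r"passwd kerberos (.+)@(B\.COSIGN\.EDU) $1 $2",
    r"passwd kerberos ([^@]+) $1 DEFAULT.COSIGN.EDU",
]

# "$N" placeholders in the login and realm fields.
SUBEXPR = re.compile(r"\$(\d+)")


def parse_passwd_lines(lines):
    """Split each passwd line into (authenticator, compiled regex, login, realm)."""
    rules = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[0] != "passwd":
            raise ValueError(f"malformed passwd line: {line!r}")
        _, authenticator, pattern, login, realm = fields
        rules.append((authenticator, re.compile(pattern), login, realm))
    return rules


def substitute(template, match):
    """Replace $1, $2, ... with the matching parenthesized subexpressions.

    A $N that refers to a group the regex does not have is a configuration
    error; refusing it is safer than silently producing an empty login/realm.
    """
    def repl(m):
        n = int(m.group(1))
        if n < 1 or n > len(match.groups()):
            raise ValueError(f"${n} has no parenthesized subexpression")
        return match.group(n)
    return SUBEXPR.sub(repl, template)


def select_authenticator(username, rules):
    """Return (authenticator, login, realm) for the first matching rule, else None.

    fullmatch is an assumption of this model: requiring the whole username to
    match keeps a name such as "x@A.COSIGN.EDU.example" from being mapped to
    realm A.COSIGN.EDU by a partial match.
    """
    for authenticator, regex, login, realm in rules:
        m = regex.fullmatch(username)
        if m:
            return authenticator, substitute(login, m), substitute(realm, m)
    return None


RULES = parse_passwd_lines(PASSWD_LINES)

if __name__ == "__main__":
    for name in ("simon@A.COSIGN.EDU", "simon@B.COSIGN.EDU", "simon",
                 "simon@C.COSIGN.EDU"):
        print(name, "->", select_authenticator(name, RULES))
```

Run with no arguments to see each constructed username mapped to its authenticator, login and realm; the `C.COSIGN.EDU` name matches no rule and yields `None`, which is the case a real deployment would have to decide how to handle (fall through to the default behaviour or reject).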
