Hi Andrew,

Thanks for your reply. It did look like the "passwd" keyword was required, since there wasn't anything else in the man page that said it wasn't needed. But I'll take your word for it.
Two additional questions:

1) Regarding the actual CGI program itself (cosign.cgi), there was no mention of how we might install it. I did notice that there is a copy of it located in the /cgi/ directory in the build. Should I be moving it to where /cgi-bin/ is defined under Apache? (Meaning that, if I defined the /cgi-bin/ location as /data1/www/cgi-bin/ in httpd.conf, that's the location I should move cosign.cgi to.)

2) Here is what I have for cosign.conf so far:

    set cosigncadir /data1/apache-certs/
    set cosigncert /data1/apache-certs/cosign-www-cert.pem
    set cosignkey /data1/apache-certs/cosign-www-key.pem
    set cosigndb /data1/cosign-var/
    cgi cosign\.necmusic\.edu
    service cosign-mrm https://$1.necmusc.edu/cosign T necrep1.necmusic.edu
    passwd kerberos ([...@]+) $1 newenglandconservatory.edu

Are you saying that I could just delete the "passwd" keyword and the CGI and cosignd can just go out there and try to find my KDC/domain controller?

SC

-----Original Message-----
From: Andrew Mortensen [mailto:[email protected]]
Sent: Monday, March 08, 2010 4:41 PM
To: Simon Chang
Cc: [email protected]
Subject: Re: [Cosign-discuss] A few questions about cosign.conf(5)

On Mar 8, 2010, at 3:59 PM, Simon Chang wrote:

> 1) In cosign.conf, under the "passwd" keyword, we are instructed to
> use regex to specify the kind of username we want to be
> authenticating. We are also told that $1, $2, and $3 are replaced
> "with the corresponding parenthesized subexpressions of the regular
> expression". Can someone tell me what on earth all that means, and
> whether it would be sufficient to use $1 just for password authentication?

From the sound of it, you don't need the passwd keyword in your setup, since you appear to be using just the one authentication mechanism, which is krb5 as offered by Active Directory. The passwd keyword is available to weblogin administrators who need to alter the default authenticator selection.
By default, any username containing the "@" is considered an e-mail address, which the cosign.cgi attempts to authenticate against MySQL (typically Cosign Friend [1]). Any username not containing the "@" is considered a kerberos principal, which the cgi attempts to authenticate against the default realm. The passwd keyword allows you to change this if, for example, you want to allow authentication against multiple kerberos realms:

    # fields are: keyword authenticator regex login realm
    passwd kerberos (.+)@(A\.COSIGN\.EDU) $1 $2
    passwd kerberos (.+)@(B\.COSIGN\.EDU) $1 $2

Or more simply:

    passwd kerberos (.+)@([AB]\.COSIGN\.EDU) $1 $2
    passwd kerberos ([...@]+) $1 DEFAULT.COSIGN.EDU

The "parenthesized subexpressions" are the parts of the regular expression contained within the parentheses. Each pattern match within a "parenthesized subexpression" (a term taken directly from the re_format(7) manpage, by the way) can then be substituted into the login and realm fields of the passwd configuration line.

> 2) I did not see anywhere in cosign.conf(5) that spells out which
> directives/keywords are mandatory and which are optional. I am
> guessing that stuff like "cosignticketlifetime" is probably optional,
> but I am just trying to get it to work right now and am looking for
> the bare minimum number of directives to get this to interface
> correctly with our Windows Active Directory. Suggestions?

Depending on how you configured the build, only "service" and "cgi" entries are actually required for a working cosign environment. Most of the "set cosign..." options have sane defaults, which are described in the manpage. Of course, those defaults are references to required resources, which you'll need to provide.
At a minimum, you'll need the following resources (the associated keyword, which has a default value, is in parentheses):

* A CA directory (cosigncadir)
* An SSL certificate (cosigncert)
* An SSL private key (cosignkey)
* A keytab for verifying credentials (cosignkeytab)

Check the default values for those keywords. For the most part, it'll just be a matter of putting files in the right locations, and cosign.cgi & cosignd should locate them.

andrew

[1] Cosign Friend: https://sourceforge.net/projects/cosignfriend/
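Added example (not from the thread or the cosign project): a small Python model of how the passwd lines discussed above are evaluated, to make the $1/$2 substitution concrete. It assumes first-match-wins ordering, assumes the regex must match the whole username, and assumes the archive-garbled `([...@]+)` pattern stands for `([^@]+)`.

```python
import re

# Constructed sample config in cosign.conf field order
# "keyword authenticator regex login realm". The final catch-all pattern
# is assumed to be ([^@]+); the mailing-list archive garbled it.
COSIGN_CONF = r"""
# fields are: keyword authenticator regex login realm
passwd kerberos (.+)@(A\.COSIGN\.EDU) $1 $2
passwd kerberos (.+)@(B\.COSIGN\.EDU) $1 $2
passwd kerberos ([^@]+) $1 DEFAULT.COSIGN.EDU
"""


def parse_passwd_lines(conf):
    """Return (authenticator, compiled_regex, login_tpl, realm_tpl) per passwd line."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != "passwd":
            continue
        if len(fields) != 5:
            raise ValueError(f"malformed passwd line: {raw!r}")
        _, authenticator, pattern, login_tpl, realm_tpl = fields
        rules.append((authenticator, re.compile(pattern), login_tpl, realm_tpl))
    return rules


def substitute(template, match):
    """Replace $1..$3 with the corresponding parenthesized subexpressions."""
    def repl(m):
        n = int(m.group(1))
        if n > match.re.groups:   # $N refers to a group the regex does not have
            raise ValueError(f"${n} has no matching parenthesized subexpression")
        return match.group(n)
    return re.sub(r"\$([1-3])", repl, template)


def select_authenticator(username, rules):
    """First passwd line whose regex matches the whole username wins (assumption).

    Returns (authenticator, login, realm) or None when no line matches.
    """
    for authenticator, regex, login_tpl, realm_tpl in rules:
        m = regex.fullmatch(username)
        if m:
            return (authenticator, substitute(login_tpl, m), substitute(realm_tpl, m))
    return None
```

A username that matches no passwd line returns None here; keep the catch-all line last so a realm-qualified name is routed by its realm rather than by the default.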
