Forgot the passwd config line...

On Mon, Jul 14, 2014 at 2:31 PM, Michael Ghen <[email protected]> wrote:

> We did write one. I updated it to strip out the @brandeis.edu if it is
> there. However, whenever the username has @brandeis.edu, our LDAP factor
> doesn't get executed. It seems like Cosign sees the @brandeis.edu and
> returns the "Unable to..." error before it executes our LDAP factor.
>
>
> On Mon, Jul 14, 2014 at 2:07 PM, Liam Hoekenga <[email protected]> wrote:
>
>> There are instructions in the cosign wiki on how to implement an LDAP
>> factor, but cosign doesn't actually come with one.
>>
>>
>> http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:Test_install_HOWTO#Factors
>>
>> Did you guys write one?  You could probably update the LDAP factor to
>> strip the domain from the username.  If you're using the sample LDAP
>> factor, it should be pretty easy to do.
>>
>> You'd probably also need to create a passwd config line and tell it to
>> ignore @brandeis.edu
>>
>> Liam
>>
>>
>> On Mon, Jul 14, 2014 at 1:56 PM, Michael Ghen <[email protected]>
>> wrote:
>>
>>> There is an LDAP factor. We're looking for a solution that doesn't
>>> involve adding javascript on top of the login web page.
>>>
>>>
>>> On Mon, Jul 14, 2014 at 1:54 PM, Liam Hoekenga <[email protected]> wrote:
>>>
>>>> I think you could strip it out using javascript.
>>>>
>>>> Did you write an LDAP factor?  Are you using PAM?
>>>>
>>>> Liam
>>>>
>>>>
>>>> On Mon, Jul 14, 2014 at 1:50 PM, Michael Ghen <[email protected]>
>>>> wrote:
>>>>
>>>>> I do not see @brandeis.edu anywhere. I think it only shows up when
>>>>> someone manually types it after their username. Is there a way to
>>>>> configure cosign such that if it sees @brandeis.edu it will still just
>>>>> check Active Directory? Basically just ignore the @brandeis.edu?
>>>>>
>>>>>
>>>>> On Mon, Jul 14, 2014 at 1:42 PM, Liam Hoekenga <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Do you see @brandeis.edu show up in the UI?  Something's got to be
>>>>>> adding it before the form is POSTed, otherwise the mysql stuff
>>>>>> wouldn't be getting invoked.
>>>>>>
>>>>>> Liam
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 14, 2014 at 12:57 PM, Michael Ghen <[email protected]> wrote:
>>>>>>
>>>>>>> Thanks again, I appreciate the help. We use AD via LDAP. I'm not
>>>>>>> sure that we're seeing occurrences of "@[email protected]"
>>>>>>> that was just a hunch. Do you have any other suggestions for things
>>>>>>> to try?
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 14, 2014 at 11:49 AM, Liam Hoekenga <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I was mostly thinking that if you wanted to, you could use passwd
>>>>>>>> to configure usernames containing @brandeis.edu to point at a
>>>>>>>> kerberos realm instead of the guest system.
>>>>>>>> Are you using AD via LDAP or kerberos?  I believe that "passwd"
>>>>>>>> only lets you configure kerberos and guest (mysql), so if you're
>>>>>>>> using LDAP or PAM to actually handle the authentication, it probably
>>>>>>>> wouldn't be useful.
>>>>>>>>
>>>>>>>> The @brandeis.edu and the "cannot connect to guest database" are
>>>>>>>> pretty clearly connected.
>>>>>>>> The occurrences of "@[email protected]" suggest to me that
>>>>>>>> maybe you've got something in the UI that's updating the form value.
>>>>>>>> An over-zealous javascript?  A default value in the username field
>>>>>>>> of the login form?
>>>>>>>>
>>>>>>>> Liam
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jul 14, 2014 at 11:39 AM, Michael Ghen <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> We use Active Directory.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  On Mon, Jul 14, 2014 at 11:35 AM, Liam Hoekenga <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Are you using kerberos on the backend?
>>>>>>>>>>
>>>>>>>>>> Liam
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 14, 2014 at 11:34 AM, Michael Ghen <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks Liam,
>>>>>>>>>>>
>>>>>>>>>>> I am not using the passwd directive. Will using it resolve this
>>>>>>>>>>> issue?
>>>>>>>>>>>
>>>>>>>>>>> Mike
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 14, 2014 at 11:22 AM, Liam Hoekenga <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The man page for cosign.conf explains the "Unable to connect to
>>>>>>>>>>>> guest account database" error:
>>>>>>>>>>>>
>>>>>>>>>>>>        The keyword passwd is used to control password based
>>>>>>>>>>>>        authentication of a user using the Kerberos and MySQL
>>>>>>>>>>>>        internal authenticators. Where this keyword is not
>>>>>>>>>>>>        specified, usernames containing an ’@’ are authenticated
>>>>>>>>>>>>        through mysql, all other usernames are authenticated
>>>>>>>>>>>>        with Kerberos.
>>>>>>>>>>>>
>>>>>>>>>>>> Are you using the "passwd" directive in your cosign.conf?
>>>>>>>>>>>> If so, what do the entries look like?
>>>>>>>>>>>>
>>>>>>>>>>>> Liam
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 14, 2014 at 10:06 AM, Michael Ghen <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>  Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> My name is Mike and I work at Brandeis University where we use
>>>>>>>>>>>>> Cosign. Recently, we've noticed that when a user enters their
>>>>>>>>>>>>> username with @brandeis.edu at the end, they receive this error:
>>>>>>>>>>>>> "Unable to connect to guest account database."
>>>>>>>>>>>>>
>>>>>>>>>>>>> We're trying to remove this error so that users can still sign
>>>>>>>>>>>>> in but we're unsure about where it is generated. We think that
>>>>>>>>>>>>> cosign is appending "@brandeis.edu" before it looks up the account
>>>>>>>>>>>>> which would make the username have "...@[email protected]."
>>>>>>>>>>>>> We could not find anything in the configuration files to suggest
>>>>>>>>>>>>> that is the case. While we explore other options, I figured I
>>>>>>>>>>>>> would reach out for help from the Cosign community. If anyone has
>>>>>>>>>>>>> any suggestions or can offer any guidance, please let me know.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
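
The domain stripping suggested in the thread for the LDAP factor, as an added example that is not code from the thread or from cosign: it removes only the home realm, rejects any other or repeated `@` part instead of truncating it, and escapes the result for an LDAP search filter. The function names, the account-name pattern, the sample logins and the `sAMAccountName` lookup are assumptions; per the thread, cosign can return the guest-database error before a factor runs, so this covers only the factor side.

```python
import re

HOME_REALM = "brandeis.edu"  # realm named in the thread
# Assumed account-name policy; adjust to the directory's real rules.
_LOCAL_PART = re.compile(r"[A-Za-z0-9._-]{1,64}")
# RFC 4515 escapes for characters that are special in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                   ")": r"\29", "\x00": r"\00"}


class LoginRejected(ValueError):
    """Raised when a submitted login must not reach the directory."""


def normalize_login(raw, home_realm=HOME_REALM):
    """Return the bare account name, or raise LoginRejected."""
    login = raw.strip()
    suffix = "@" + home_realm
    # Strip the home realm once, case-insensitively.
    if login.lower().endswith(suffix):
        login = login[:-len(suffix)]
    # Anything still containing '@' is a foreign or doubled realm:
    # refuse it rather than silently mapping it to a local account.
    if "@" in login:
        raise LoginRejected("foreign or repeated realm")
    if not _LOCAL_PART.fullmatch(login):
        raise LoginRejected("invalid account name")
    return login


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_filter(raw_login):
    """Build the lookup filter (attribute choice is an assumption)."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(normalize_login(raw_login))


if __name__ == "__main__":
    # Constructed sample logins, not taken from any real system.
    for sample in ["jdoe", "jdoe@brandeis.edu", "JDoe@Brandeis.EDU",
                   "jdoe@brandeis.edu@brandeis.edu", "jdoe@example.org",
                   "*)(uid=*", "@brandeis.edu"]:
        try:
            print(repr(sample), "->", account_filter(sample))
        except LoginRejected as exc:
            print(repr(sample), "-> rejected:", exc)
```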
