From: Andrew M. <adm...@um...> - 2010-03-09 03:35:55
On Mar 8, 2010, at 4:56 PM, Simon Chang wrote:

> Hi Andrew,
>
> Thanks for your reply. It did look like the "passwd" keyword was
> required since there wasn't anything else in the man page that said that
> it wasn't needed. But I'll take your word for it.

Thanks, I appreciate that. Would you believe I even wrote some of the code? :)

You might have better luck getting started with the wiki:

http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:Test_install_HOWTO

> Two additional questions:
>
> 1) Regarding the actual CGI program itself (cosign.cgi), there was no
> mention of how we might install it. I did notice that there is a copy
> of it located in the /cgi/ directory in the build. Should I be moving
> it to where /cgi-bin/ is defined under Apache? (Meaning that, if I
> defined the /cgi-bin/ location as /data1/www/cgi-bin/ in httpd.conf,
> that's the location I should move cosign.cgi to.)

By default, the cosign.cgi will be installed in /usr/local/cgi-ssl. You're
confusing a convention ("Apache's" cgi-bin directory) with a requirement.
You can tell Apache where to look for a cgi with a couple directives, e.g.:

ScriptAlias /cosign-bin/ "/usr/local/cosign/cgi-ssl"
<Directory /usr/local/cosign/cgi-ssl>
  DirectoryIndex cosign.cgi
  AddHandler cgi-script cgi
</Directory>

You can then request something like
https://weblogin.cosign.edu/cosign-bin/cosign.cgi.

> 2) Here is what I have for cosign.conf so far:
>
> set cosigncadir /data1/apache-certs/

This doesn't look right. Are you mixing rehashed CAs with your cert &
private key files?

> set cosigncert /data1/apache-certs/cosign-www-cert.pem
> set cosignkey /data1/apache-certs/cosign-www-key.pem
> set cosigndb /data1/cosign-var/
>
> cgi cosign\.necmusic\.edu
> service cosign-mrm https://$1.necmusc.edu/cosign T necrep1.necmusic.edu

This line won't work. The $1 means "substitute for this value the string
matched by the first regex subexpression surrounded by parentheses", e.g.:

service cosign-(mrm) https://$1.necmusic.edu/cosign/valid T necrep1.necmusic.edu

which says, "If a logged-in user requests a service cookie called
'cosign-mrm', generate the cookie and redirect them to
https://mrm.necmusic.edu/cosign/valid so mod_cosign can validate the
cookie." You don't need to use substitution if it's confusing things, though.

> passwd kerberos ([^@]+) $1 newenglandconservatory.edu
>
> Are you saying that I could just delete the "passwd" keyword and the CGI
> and cosignd can just go out there and try to find my KDC/domain
> controller?

That's what I'm saying. There is no "try", though. If the principal
happens to include the realm, cosign.cgi will attempt to authenticate that
principal against that realm. If there's no realm included with the
principal, cosign.cgi attempts to authenticate against the default realm,
as defined in krb5.conf & returned by the krb5 API
(krb5_get_default_realm).

andrew

> -----Original Message-----
> From: Andrew Mortensen [mailto:adm...@um...]
> Sent: Monday, March 08, 2010 4:41 PM
> To: Simon Chang
> Cc: cos...@li...
> Subject: Re: [Cosign-discuss] A few questions about cosign.conf(5)
>
>
> On Mar 8, 2010, at 3:59 PM, Simon Chang wrote:
>
>> 1) In cosign.conf, under the "passwd" keyword, we are instructed to
>> use regex to specify the kind of username we want to be
>> authenticating. We are also told that $1, $2, and $3 are replaced
>> "with the corresponding parenthesized subexpressions of the regular
>> expression". Can someone tell me what on earth all that means, and
>> whether it would be sufficient to use $1 just for password
>> authentication?
>
> From the sound of it, you don't need the passwd keyword in your setup,
> since you appear to be using just the one authentication mechanism,
> which is krb5 as offered by Active Directory. The passwd keyword is
> available to weblogin administrators who need to alter the default
> authenticator selection. By default, any username containing the "@" is
> considered an e-mail address, which the cosign.cgi attempts to
> authenticate against MySQL (typically Cosign Friend [1]). Any username
> not containing the "@" is considered a kerberos principal, which the cgi
> attempts to authenticate against the default realm.
>
> The passwd keyword allows you to change this if, for example, you want
> to allow authentication against multiple kerberos realms:
>
> # fields are: keyword authenticator regex login realm
> passwd kerberos (.+)@(A\.COSIGN\.EDU) $1 $2
> passwd kerberos (.+)@(B\.COSIGN\.EDU) $1 $2
>
> Or more simply:
>
> passwd kerberos (.+)@([AB]\.COSIGN\.EDU) $1 $2
> passwd kerberos ([^@]+) $1 DEFAULT.COSIGN.EDU
>
> The "parenthesized subexpressions" are the parts of the regular
> expression contained within the parentheses. Each pattern match within a
> "parenthesized subexpression" (a term taken directly from the
> re_format(7) manpage, by the way) can then be substituted into the login
> and realm fields of the passwd configuration line.
>
>> 2) I did not see anywhere in cosign.conf(5) that spells out which
>> directives/keywords are mandatory and which are optional. I am
>> guessing that stuff like "cosignticketlifetime" is probably optional,
>> but I am just trying to get it to work right now and am looking for
>> the bare minimum number of directives to get this to interface
>> correctly with our Windows Active Directory. Suggestions?
>
> Depending on how you configured the build, only "service" and "cgi"
> entries are actually required for a working cosign environment. Most of
> the "set cosign..." options have sane defaults, which are described in
> the manpage. Of course, those defaults are references to required
> resources, which you'll need to provide. At a minimum, you'll need the
> following resources (the associated keyword, which has a default value,
> is in parentheses):
>
> * A CA directory (cosigncadir)
> * An SSL certificate (cosigncert)
> * An SSL private key (cosignkey)
> * A keytab for verifying credentials (cosignkeytab)
>
> Check the default values for those keywords. For the most part, it'll
> just be a matter of putting files in the right locations, and cosign.cgi
> & cosignd should locate them.
>
> andrew
>
> [1] Cosign Friend: https://sourceforge.net/projects/cosignfriend/
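The two substitution rules discussed in this thread (the service line's $1 and the passwd line's $1/$2 into the login and realm fields) worked through in code. This is an added example, not cosign's own code: it reuses the thread's passwd lines and service line, assumes a regex must match the whole username or cookie name, and uses a constructed placeholder for the default realm that cosign really reads via krb5_get_default_realm().

```python
import re

# Constructed placeholder: cosign.cgi gets the real value from krb5.conf via
# krb5_get_default_realm(), as the thread explains.
DEFAULT_REALM = "DEFAULT.COSIGN.EDU"

# The two passwd lines from the thread: (authenticator, regex, login, realm).
PASSWD_LINES = [
    ("kerberos", r"(.+)@([AB]\.COSIGN\.EDU)", "$1", "$2"),
    ("kerberos", r"([^@]+)", "$1", "DEFAULT.COSIGN.EDU"),
]


def substitute(template, match):
    """Replace $1..$9 in template with the matching parenthesized subexpression.

    Raises ValueError when the template names a group the regex does not have,
    which is why 'service cosign-mrm https://$1...' in the thread cannot work.
    """
    def repl(m):
        n = int(m.group(1))
        if n > match.re.groups:
            raise ValueError(f"${n} has no parenthesized subexpression in {match.re.pattern!r}")
        return match.group(n)
    return re.sub(r"\$([1-9])", repl, template)


def select_authenticator(username, passwd_lines=None):
    """Return (authenticator, login, realm) for username, or None if no line matches.

    With no passwd lines, apply the defaults the thread describes: a username
    containing '@' goes to MySQL (Cosign Friend), anything else is a kerberos
    principal in the default realm. Assumption: regexes match the whole username.
    """
    if passwd_lines is None:
        if "@" in username:
            return ("mysql", username, None)
        return ("kerberos", username, DEFAULT_REALM)
    for authenticator, regex, login_tpl, realm_tpl in passwd_lines:
        m = re.fullmatch(regex, username)
        if m:
            return (authenticator, substitute(login_tpl, m), substitute(realm_tpl, m))
    return None


def service_redirect(cookie_name, service_regex, url_template):
    """Build the validation URL for a requested service cookie from a service line."""
    m = re.fullmatch(service_regex, cookie_name)
    if m is None:
        return None
    return substitute(url_template, m)
```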