Pubcookie Home > Documentation 
 
Pubcookie Homepage Pubcookie 3.0
Configuration File Variables
Audience:  All
Modified:  January 2, 2006

The following should be an authoritative list of run-time configurable variables for the login server, keyserver, keyclient and mod_pubcookie. Some of these variables are shared by all of the code (they're used in libpubcookie) while many of them pertain just to the login server.

See config.sample and config.login.sample for examples containing the minimum options for an application server and login server, respectively.

   
Name Type Description
debug int Non-zero value enables debug logging. The higher the number, the more debugging output that is generated.
logging_levelintIncrease with your level of frustration.
login_uristringThe complete URI of the login cgi
logout_progstringThe name under which the logout program was invoked, includes the path.
login_servers list List of all of the login servers for our domain; keyserver uses this to distribute keys to the other login servers
ssl_ca_file string Path and filename of the Cerificate Authority which signed our SSL key
ssl_ca_path string Path of directory containing CA certificates named by their hashes for all CAs that we should trust
ssl_cert_file string Path and filename of our SSL certificate
ssl_key_file string Path and filename of our SSL key
granting_key_filestringPath and filename of the secret portion of the granting keypair (only found on login servers)
granting_cert_file string Path and filename of the public portion of the granting keypair (found on all servers)
enterprise_domain string The DNS domain under which all hosts will live. must be at least a second level domain (e.g. example.edu); used to scope cookies for communication between the login server and app servers
keymgt_uri string the location of the "keyserver" CGI.
keydir string location of DES keys used for encrypting cookies sent to the app server
umask string umask used when creating files
general_facility string The log facility to log general log messages
audit_facility string The log facility to log audit log messages
login cgi specific options
basic_verifier string The verifier to use for the "basic" flavor
login_hoststringThe hostname of login server
app_logout_string-servername-appidstring A custom logout response msg for appid on servername
append_realm switch If true, the authentication realm is appended to the user name after authentication but before issuing cookies (eg, the cookie will contain user@REALM)
default_realm string optional default authentication realm to pass to the verifier when none is submitted via the form
mirrorfile string full path to a file to keep a mirrored copy of all output sent to the client by the most recent call to the login cgi
default_l_expire int The expiration for the login server. Default: 8 hours.
kiosk_keys list User-Agent strings that identify Kiosk Machines
kiosk_values list Duration of login cookie for kiosk machines (same order as kiosk_keys)
min_countdown int The minimum countdown for automatically reloading the status page.
egd_socket socket-location Location of EGD socket (e.g. /dev/egd-pool) if your system lacks entropy.
Template File Options
template_root string The root directory for the templates. Default: {PUBCOOKIE_DIR}/login_templates.
tmpl_login string The template for the login page. Default: login
tmpl_login_user_form_field string The template for the user input field. Default: login_user_form_field
tmpl_login_user_static string The template for a static user field for reauthentication. Default: login_user_static
tmpl_login_bad_auth string File containing HTML snippet to display on the login page when authentication fails. Default: login_bad_auth.
tmpl_login_reauth string File containing HTML snippet to display on the login page when the application requests reauthentication. Default: login_reauth.
tmpl_login_cache_creds_wrong string File containing HTML snippet to display on the login page when the application requests credentials that are different from those in use already by the weblogin service. Default: login_reauth.
tmpl_error string Template displayed when there is an internal error. Default: error
tmpl_logout_app string Default: logout_app.
tmpl_logout_app_custom_prefix string Default: logout_app_custom_prefix
tmpl_logout_app_custom_suffix string Default: logout_app_custom_suffix
tmpl_logout_part1 string Default: logout_part1
tmpl_logout_part2 string Default: logout_part2
tmpl_logout_already_weblogin string Default: logout_already_weblogin
tmpl_logout_postscript_still_others string Default: logout_postscript_still_others
tmpl_logout_still_weblogin string Default: logout_still_weblogin
tmpl_logout_time_remaining string Default: logout_time_remaining
tmpl_logout_postscript_still_weblogin string Default: logout_postscript_still_weblogin
tmpl_status string The template for the status page displayed when the user goes to the weblogin server directly. Default: status
tmpl_nonpost_redirect string Template for the redirect back to the app after login.
tmpl_notok_part1 string Default: notok_part1
tmpl_notok_part2 string Default: notok_part2
tmpl_pinit_responce1 string Default: pinit_responce1
tmpl_pinit_responce2 string Default: pinit_responce2
tmpl_welcome_back string Default: welcome_back
kerberos_v5 verifier options
kerberos5_keytab string full path to the K5 keytab file
ldap verifier options
ldap_uri list The LDAP URI in this format:
            
            ldaps://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password
            ldap://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password
        
  • (uid=%s) is the search filter for finding an account by netid. The %s will be replaced with the netid. The host string can optionally contain a port number. The filter can only contain one %s at this time.
  • x-BindDN and x-Password are the Bind DN and Password, URL encoded. (Commas must be encoded as %2c and spaces as %20.) The x-BindDN and x-Password may be omitted entirely if the connection is anonymous.
cert_db_pathstring Path to where Netscape's cert7.db and key3.db can be found. Default: {PUBCOOKIE_DIR}/keys
Unsupported/experimental options
save_credentials switch Controls whether flavor_basic saves a copy of the user's master credentials for later use by flavor_getcred
getcred_authz_file string flavor_getcred uses this file to determine who is authorized to request what credentials


[Pubcookie Home Page]
Copyright © 2002-2008 University of Washington
UW Technology Services
Pubcookie Contact Info
Modified: January 2, 2006