The following should be an authoritative list of run-time configurable
variables for the login server, keyserver, keyclient and
mod_pubcookie. Some of these variables are shared by all of the code
(they're used in libpubcookie) while many of them pertain
just to the login server.
| Name | Type | Description |
| --- | --- | --- |
| debug | int | Non-zero value enables debug logging. The higher the number, the more debugging output is generated. |
| logging_level | int | Increase with your level of frustration. |
| login_uri | string | The complete URI of the login cgi |
| logout_prog | string | The name under which the logout program was invoked, including the path. |
| login_servers | list | List of all of the login servers for our domain; keyserver uses this to distribute keys to the other login servers |
| ssl_ca_file | string | Path and filename of the Certificate Authority which signed our SSL key |
| ssl_ca_path | string | Path of directory containing CA certificates named by their hashes for all CAs that we should trust |
| ssl_cert_file | string | Path and filename of our SSL certificate |
| ssl_key_file | string | Path and filename of our SSL key |
| granting_key_file | string | Path and filename of the secret portion of the granting keypair (only found on login servers) |
| granting_cert_file | string | Path and filename of the public portion of the granting keypair (found on all servers) |
| enterprise_domain | string | The DNS domain under which all hosts will live. Must be at least a second level domain (e.g. example.edu); used to scope cookies for communication between the login server and app servers |
| keymgt_uri | string | The location of the "keyserver" CGI. |
| keydir | string | Location of DES keys used for encrypting cookies sent to the app server |
| umask | string | umask used when creating files |
| general_facility | string | The log facility to log general log messages |
| audit_facility | string | The log facility to log audit log messages |
| login cgi specific options |
| basic_verifier | string | The verifier to use for the "basic" flavor |
| login_host | string | The hostname of login server |
| app_logout_string-servername-appid | string | A custom logout response msg for appid on servername |
| append_realm | switch | If true, the authentication realm is appended to the user name after authentication but before issuing cookies (e.g., the cookie will contain user@REALM) |
| default_realm | string | Optional default authentication realm to pass to the verifier when none is submitted via the form |
| mirrorfile | string | Full path to a file to keep a mirrored copy of all output sent to the client by the most recent call to the login cgi |
| default_l_expire | int | The expiration for the login server. Default: 8 hours. |
| kiosk_keys | list | User-Agent strings that identify Kiosk Machines |
| kiosk_values | list | Duration of login cookie for kiosk machines (same order as kiosk_keys) |
| min_countdown | int | The minimum countdown for automatically reloading the status page. |
| egd_socket | socket-location | Location of EGD socket (e.g. /dev/egd-pool) if your system lacks entropy. |
| Template File Options |
| template_root | string | The root directory for the templates. Default: {PUBCOOKIE_DIR}/login_templates. |
| tmpl_login | string | The template for the login page. Default: login |
| tmpl_login_user_form_field | string | The template for the user input field. Default: login_user_form_field |
| tmpl_login_user_static | string | The template for a static user field for reauthentication. Default: login_user_static |
| tmpl_login_bad_auth | string | File containing HTML snippet to display on the login page when authentication fails. Default: login_bad_auth. |
| tmpl_login_reauth | string | File containing HTML snippet to display on the login page when the application requests reauthentication. Default: login_reauth. |
| tmpl_login_cache_creds_wrong | string | File containing HTML snippet to display on the login page when the application requests credentials that are different from those in use already by the weblogin service. Default: login_reauth. |
| tmpl_error | string | Template displayed when there is an internal error. Default: error |
| tmpl_logout_app | string | Default: logout_app. |
| tmpl_logout_app_custom_prefix | string | Default: logout_app_custom_prefix |
| tmpl_logout_app_custom_suffix | string | Default: logout_app_custom_suffix |
| tmpl_logout_part1 | string | Default: logout_part1 |
| tmpl_logout_part2 | string | Default: logout_part2 |
| tmpl_logout_already_weblogin | string | Default: logout_already_weblogin |
| tmpl_logout_postscript_still_others | string | Default: logout_postscript_still_others |
| tmpl_logout_still_weblogin | string | Default: logout_still_weblogin |
| tmpl_logout_time_remaining | string | Default: logout_time_remaining |
| tmpl_logout_postscript_still_weblogin | string | Default: logout_postscript_still_weblogin |
| tmpl_status | string | The template for the status page displayed when the user goes to the weblogin server directly. Default: status |
| tmpl_nonpost_redirect | string | Template for the redirect back to the app after login. |
| tmpl_notok_part1 | string | Default: notok_part1 |
| tmpl_notok_part2 | string | Default: notok_part2 |
| tmpl_pinit_responce1 | string | Default: pinit_responce1 |
| tmpl_pinit_responce2 | string | Default: pinit_responce2 |
| tmpl_welcome_back | string | Default: welcome_back |
| kerberos_v5 verifier options |
| kerberos5_keytab | string | Full path to the K5 keytab file |
| ldap verifier options |
| ldap_uri | list | The LDAP URI in this format:
ldaps://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password
ldap://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password
- (uid=%s) is the search filter for finding an account by netid. The %s will be replaced with the netid. The host string can optionally contain a port number. The filter can only contain one %s at this time.
- x-BindDN and x-Password are the Bind DN and Password, URL encoded. (Commas must be encoded as %2c and spaces as %20.) The x-BindDN and x-Password may be omitted entirely if the connection is anonymous. |
| cert_db_path | string | Path to where Netscape's cert7.db and key3.db can be found. Default: {PUBCOOKIE_DIR}/keys |
| Unsupported/experimental options |
| save_credentials | switch | Controls whether flavor_basic saves a copy of the user's master credentials for later use by flavor_getcred |
| getcred_authz_file | string | flavor_getcred uses this file to determine who is authorized to request what credentials |
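
A configuration check for the ldap_uri format described in the table above, as an added example (not pubcookie's own code): it splits the URI, decodes the x-BindDN and x-Password extensions, and reports values that break the documented rules. The function names, the sample host names, the treatment of ldap:// as cleartext, and the RFC 4515 escaping in fill_filter are assumptions of this example, not documented pubcookie behaviour.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515 escapes for characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_ldap_uri(uri):
    """Split an ldap_uri value into its fields and collect configuration problems."""
    parts = urlsplit(uri)
    # An LDAP URL is dn?attributes?scope?filter?extensions; attributes and
    # scope are empty in the documented form, hence the "???".
    fields = (parts.query.split("?", 3) + [""] * 4)[:4]
    search_filter, ext_string = fields[2], fields[3]
    # Extensions are comma separated name=value pairs, each URL encoded.
    extensions = {}
    for item in filter(None, ext_string.split(",")):
        name, _, value = item.partition("=")
        extensions[unquote(name).lower()] = unquote(value)
    bind_dn = extensions.get("x-binddn")
    password = extensions.get("x-password")

    problems = []
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append("scheme must be ldap or ldaps")
    if search_filter.count("%s") != 1:
        problems.append("filter must contain exactly one %s")
    if (bind_dn is None) != (password is None):
        problems.append("x-BindDN and x-Password must be given together")
    # Assumption of this example: an ldap:// URI carries the bind without TLS.
    if parts.scheme == "ldap" and password is not None:
        problems.append("bind password configured on a cleartext ldap:// URI")
    # The password itself is deliberately left out of the returned report.
    return {
        "host": parts.hostname, "port": parts.port,
        "base": unquote(parts.path.lstrip("/")),
        "filter": search_filter, "bind_dn": bind_dn,
        "anonymous": bind_dn is None and password is None,
        "problems": problems,
    }


def fill_filter(search_filter, netid):
    """Substitute the netid for %s, escaping filter metacharacters first."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in netid)
    return search_filter.replace("%s", escaped, 1)
```
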