The following should be an authoritative list of run-time configurable variables for the login server, keyserver, keyclient and mod_pubcookie. Some of these variables are shared by all of the code (they're used in libpubcookie) while many of them pertain just to the login server.
See config.sample for an example file containing the minimum options.

| Name | Type | Description |
|---|---|---|
| debug | int | Non-zero value enables debug logging. The higher the number, the more debugging output is generated. |
| logging_level | int | Increase with your level of frustration. |
| login_host | string | The hostname of the login server |
| login_uri | string | The complete URI of the login cgi |
| logout_prog | string | The name under which the logout program was invoked, including the path. |
| login_servers | list | List of all of the login servers for our domain; keyserver uses this to distribute keys to the other login servers |
| ssl_ca_file | string | Path and filename of the Certificate Authority which signed our SSL key |
| ssl_ca_path | string | Path of directory containing CA certificates named by their hashes for all CAs that we should trust |
| ssl_cert_file | string | Path and filename of our SSL certificate |
| ssl_key_file | string | Path and filename of our SSL key |
| granting_key_file | string | Path and filename of the secret portion of the granting keypair (only found on login servers) |
| granting_cert_file | string | Path and filename of the public portion of the granting keypair (found on all servers) |
| default_l_expire | int | |
| min_countdown | int | |
| kiosk_keys | list | |
| kiosk_values | list | |
| enterprise_domain | string | The DNS domain under which all hosts will live. Must be at least a second level domain (e.g. example.edu); used to scope cookies for communication between the login server and app servers |
| keymgt_uri | string | the location of the "keyserver" CGI. |
| keydir | string | location of DES keys used for encrypting cookies sent to the app server |
| umask | string | umask used when creating files |
| general_facility | string | The log facility to log general log messages |
| audit_facility | string | The log facility to log audit log messages |
| **login cgi specific options** | | |
| basic_verifier | string | The verifier to use for the "basic" flavor |
| append_realm | switch | If true, the authentication realm is appended to the user name after authentication but before issuing cookies (e.g., the cookie will contain user@REALM) |
| default_realm | string | optional default authentication realm to pass to the verifier when none is submitted via the form |
| mirrorfile | string | full path to a file to keep a mirrored copy of all output sent to the client by the most recent call to the login cgi |
| **kerberos_v5 verifier options** | | |
| kerberos5_keytab | string | full path to the K5 keytab file |
| **ldap verifier options** | | |
| ldap_uri | list | The LDAP URI in this format:<br>`ldaps://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password`<br>`ldap://host/o=searchbase???(uid=%s)?x-BindDN=Bind%20DN,x-Password=Password` |
| **Unsupported/experimental options** | | |
| save_credentials | switch | Controls whether flavor_basic saves a copy of the user's master credentials for later use by flavor_getcred |
| getcred_authz_file | string | flavor_getcred uses this file to determine who is authorized to request what credentials |
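
An added example, not part of Pubcookie or its documentation: a small Python parser and lint for `ldap_uri` values in the format shown in the table, which follows the RFC 4516 field order. The sample URIs, the finding names and the reading of `%s` as the placeholder for the submitted user name are assumptions made for this illustration.

```python
from urllib.parse import unquote

def parse_ldap_uri(uri):
    """Split an ldap_uri value into RFC 4516 fields: dn?attrs?scope?filter?extensions."""
    scheme, sep, rest = uri.strip().partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URI")
    host, _, tail = rest.partition("/")
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))          # trailing fields may be omitted
    dn, attrs, scope, flt, exts = fields
    extensions = {}
    for item in filter(None, exts.split(",")):  # commas inside values must be %2C
        name, _, value = item.partition("=")
        extensions[name.lower()] = unquote(value)
    return {
        "scheme": scheme.lower(),
        "host": host,
        "base": unquote(dn),
        "attributes": attrs,
        "scope": scope,
        "filter": flt,                          # kept raw so the %s placeholder survives
        "extensions": extensions,
    }

def lint_ldap_uri(uri):
    """Return a list of findings (names are hypothetical) for one ldap_uri value."""
    p = parse_ldap_uri(uri)
    findings = []
    has_password = "x-password" in p["extensions"]
    if p["scheme"] == "ldap" and has_password:
        findings.append("cleartext-bind")       # plain ldap:// does not encrypt the bind
    if has_password:
        findings.append("secret-in-config")     # config file needs restrictive permissions
    if "%s" not in p["filter"]:                 # assumption: %s stands for the user name
        findings.append("no-user-placeholder")
    return findings

# Constructed sample values in the format shown in the table above.
SAMPLES = [
    "ldaps://ldap.example.edu/o=example???(uid=%s)?x-BindDN=cn=pubcookie%2Co=example,x-Password=CHANGEME",
    "ldap://ldap.example.edu/o=example???(uid=%s)?x-BindDN=cn=pubcookie%2Co=example,x-Password=CHANGEME",
    "ldaps://ldap.example.edu/o=example???(uid=*)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_ldap_uri(s)["scheme"], lint_ldap_uri(s))
```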