Sympa documentation licensed under GPL
auth.conf - Configuration of authentication mechanisms for web interface of Sympa
The auth.conf
configuration file defines authentication mechanisms for web
interface of Sympa.
auth.conf
structureEach paragraph starts with one of the names user_table
, ldap
,
generic_sso
or cas
.
The auth.conf
file contains directives in the following format:
name
keyword value
keyword value
...
name
keyword value
keyword value
...
Comments start with the #
character at the beginning of a line.
Empty lines are also considered as comments and are ignored at the beginning. After the first paragraph, they are considered as paragraph separators. There should only be one directive per line, but their order in the paragraph is of no importance.
Succeeding subsections describe available parameters in each paragraph.
user_table
paragraphThis paragraph is related to Sympa internal authentication by email and
password. Information of users are stored in user_table
database table.
This is the simplest one.
regexp
regexpnegative_regexp
Perl regular expressions applied on an email address provided, to select or block this authentication mechanism for a subset of email addresses.
ldap
paragraphThis paragraph allows one to login to Sympa using data taken from an LDAP directory. Login is done in two steps:
Here is how to configure the LDAP authentication:
regexp
negative_regexp
Same as in the user_table
paragraph: If an email address is provided (this
does not apply to the user ID), then the regular expression will be applied
to find out if the LDAP directory can be used to authenticate a subset of
users.
host
This keyword is mandatory. It is the domain name used in order to bind to
the directory and then to extract information. You must mention the port
number after the server name. Server replication is supported by listing
several servers separated by commas (,
).
Example:
host ldap.univ-rennes1.fr:389
host ldap0.university.com:389,ldap1.university.com:389,ldap2.university.com:389
timeout
It corresponds to the time limit in the search operation. A timelimit
that
restricts the maximum time (in seconds) allowed for a search. A value of 0
(the default) means that no time limit will be requested.
suffix
The root of the DIT (directory information tree). The DN that is the base object entry relative to which the search is to be performed.
Example:
dc=university,dc=fr
bind_dn
If anonymous bind is not allowed on the LDAP server, a DN and password can be used.
bind_password
This password is used, combined with the bind_dn
above.
get_dn_by_uid_filter
Defines the search filter corresponding to the ldap_uid
. (RFC 2254
compliant). If you want to apply the filter on the user, use the variable
[sender]
. It will work with every type of authentication (user ID,
alternate_email
, …).
Example:
(Login = [sender])
(|(ID = [sender])(UID = [sender]))
get_dn_by_email_filter
Defines the search filter corresponding to the email addresses (canonic and
alternative — this is RFC 2254 compliant). If you want to apply the filter
on the user, use the variable [sender]
. It will work with every type of
authentication (user ID, alternate_email
..).
Example: a person is described by
dn: cn=Fabrice Rafart, ou=Siege, o=MaSociete, c=FR
objectClass: person
cn: Fabrice Rafart
title: Network Responsible
o: Siege
ou: Data processing
telephoneNumber: 01-00-00-00-00
facsimileTelephoneNumber: 01-00-00-00-00
l: Paris
country: France
uid: frafart
mail: Fabrice.Rafart@MaSociete.fr
alternate_email: frafart@MaSociete.fr
alternate: rafart@MaSociete.fr
The filters can be:
(mail = [sender])
(| (mail = [sender])(alternate_email = [sender]) )
(| (mail = [sender])(alternate_email = [sender])(alternate = [sender]) )
email_attribute
The name of the attribute for the canonic email in your directory: for
instance mail
, canonic_email
, canonic_address
, … In the previous
example, the canonic email is mail
.
alternative_email_attribute
Obsoleted.
On Sympa 6.2.38 or earlier, web interface provided a cookie named
sympa_altemails
which contained attribute values specified by this
parameter along with authenticated email address.
This feature was deprecated.
scope
Default value: sub
By default, the search is performed on the whole tree below the specified base object. This may be changed by specifying a scope:
base
Search only the base object,
one
Search the entries immediately below the base object,
sub
Search the whole tree below the base object. This is the default.
authentication_info_url
Defines the URL of a document describing LDAP password management. When hitting Sympa’s “Send me a password” button, LDAP users will be redirected to this URL.
Following parameters are used to provide LDAPS (LDAP over TLS/SSL):
use_ssl
(OBSOLETE)
If set to 1
, connection to the LDAP server will use LDAPS (LDAP over
TLS/SSL).
Obsoleted as of Sympa 6.2.15. Use use_tls
instead.
use_tls
Default value: none
ldaps
Use LDAPS (LDAP over TLS/SSL),
starttls
Use StartTLS,
none
TLS (SSL) is disabled.
ssl_version
Default value: tlsv1
This defines the version of the TLS/SSL protocol to use. Possible values are
sslv2
, sslv3
, tlsv1
, tlsv1_1
and tlsv1_2
.
ssl_ciphers
Specify which subset of cipher suites are permissible for this connection,
using the standard OpenSSL string format. The default value of Net::LDAPS for
ciphers is ALL
, which permits all ciphers, even those that do not encrypt!
ssl_cert
Path to client certificate.
Introduced on Sympa 6.2.
ssl_key
Path to the secret key of client certificate.
Introduced on Sympa 6.2.
ca_verify
none
, optional
or required
. If set to none
, will never verify
server certificate. Latter two need appropriate ca_path
and/or ca_file
settings.
Introduced on Sympa 6.2.
ca_path
Path to directory store of CA certificates.
Introduced on Sympa 6.2.
ca_file
Path to file store of CA certificates.
Introduced on Sympa 6.2.
generic_sso
paragraphregexp
negative_regexp
See user_table
paragraph.
service_name
This is the SSO service name that will be offered to the user in the login banner menu.
service_id
This service ID is used as a parameter by Sympa to refer to the SSO service (instead of the service name).
A corresponding URL on the local web server should be protected by the SSO
system; this URL would look like
http://yourhost.yourdomain/sympa/sso_login/inqueue
if the service_id
is
“inqueue
”.
http_header_list
Sympa gets user attributes from environment variables coming from the web
server. These variables are then cached in the user_table
database table
for later use in authorization scenarios (in structure). You can define a
comma-separated list of header field names.
http_header_prefix
Only environment variables starting with the defined prefix will be kept.
Another option is to list HTTP header fields explicitly using
http_header_list
parameter.
email_http_header
This parameter defines the environment variable that will contain the authenticated user’s email address.
http_header_value_separator
Default: ;
User attributes may be multi-valued (including the user email address. This parameter defines the values separator character(s).
logout_url
This optional parameter allows one to specify the SSO logout URL. If defined, Sympa will redirect the user to this URL after the Sympa logout has been performed.
The following parameters define how Sympa can check the user email address, either provided by the SSO or by the user themselves:
internal_email_by_netid
If set to 1
, this parameter makes Sympa use its netidmap
table to
associate net IDs to user email addresses.
netid_http_header
This parameter defines the environment variable that will contain the user’s identifier. This net ID will then be associated with an email address provided by the user.
force_email_verify
If set to 1
, this parameter makes Sympa check the user’s email address. If
the email address was not provided by the authentication module, then the
user is requested to provide a valid email address.
The following parameters define how Sympa can retrieve the user email
address; these are useful only in case the email_http_header
entry was
not defined:
ldap_host
The LDAP host Sympa will connect to fetch user email. The ldap_host
include the port number and it may be a comma separated list of redundant
hosts.
ldap_bind_dn
The DN used to bind to this server. Anonymous bind is used if this parameter is not defined.
ldap_bind_password
The password used unless anonymous bind is used.
ldap_suffix
The LDAP suffix used when searching user email.
ldap_scope
The scope used when searching user email. Possible values are sub
, base
and one
.
ldap_get_email_by_uid_filter
The filter used to perform the email search. It can refer to any environment variables inherited from the SSO module, as shown below.
Example:
ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])
ldap_email_attribute
The attribute name to be used as user canonical email. In the current version of Sympa, only the first value returned by the LDAP server is used.
ldap_timeout
The time out for the search.
To support LDAPS (LDAP over SSL/TLS), corresponding parameters in ldap
paragraph may also be used for generic_sso
.
cas
paragraphNote that Sympa will act as a CAS client to validate CAS tickets. During this
exchange, Sympa will check the CAS server X.509 certificate. Therefore you
should ensure that the certificate authority of the CAS server is known by
Sympa ; this should be configured through the cafile
or capath sympa.conf
configuration parameters.
regexp
negative_regexp
See user_table
paragraph.
auth_service_name
The authentication service name. Note that it is used as an identifier in the code; it should therefore be made of alphanumeric characters only, with no space.
auth_service_friendly_name
If defined, this string is proposed on the web login banner.
host
(OBSOLETE)
This parameter has been replaced by base_url
parameter.
base_url
The base URL of the CAS server.
non_blocking_redirection
on
or off
. Default value: on
This parameter only concerns the first access to Sympa services by a user, it
activates or not the non blocking redirection to the related CAS server to
check automatically if the user as been previously authenticated with this
CAS server. The redirection to CAS is used with the CGI parameter
gateway=1
that specifies to CAS server to always redirect the user to the
original URL, but just check if the user is logged. If active, the SSO
service is effective and transparent, but in case the CAS server is out of
order, the access to Sympa services is impossible.
login_uri
(OBSOLETE)
This parameter has been replaced by the login_path
parameter.
login_path
(OPTIONAL)
The login service path.
check_uri
(OBSOLETE)
This parameter has been replaced by the service_validate_path
parameter.
service_validate_path
(OPTIONAL)
The ticket validation service path.
logout_uri
(OBSOLETE)
This parameter has been replaced by the logout_path
parameter.
logout_path
(OPTIONAL)
The logout service path.
proxy_path
(OPTIONAL)
The proxy service path, only used by the Sympa SOAP server.
proxy_validate_path
(OPTIONAL)
The proxy validate service path, only used by the Sympa SOAP server.
ldap_host
The LDAP host Sympa will connect to fetch user email when user uid is return
by CAS service. The ldap_host
includes the port number and it may be a
comma separated list of redundant hosts.
ldap_bind_dn
The DN used to bind to this server. Anonymous bind is used if this parameter is not defined.
ldap_bind_password
The password used unless anonymous bind is used.
ldap_suffix
The LDAP suffix used when searching user email.
ldap_scope
The scope used when searching user email. Possible values are sub
, base
and one
.
ldap_get_email_by_uid_filter
The filter used to perform the email search.
ldap_email_attribute
The attribute name to be used as user canonical email. In the current version of Sympa, only the first value returned by the LDAP server is used.
ldap_timeout
The time out for the search.
To support LDAPS (LDAP over SSL/TLS), corresponding parameters in ldap paragraph may also be used for cas.
$DEFAULTDIR/auth.conf
Distribution default. This file should not be edited.
$SYSCONFDIR/auth.conf
$SYSCONFDIR/<robot name>/auth.conf
Configuration files for site-wide default and each robot.
wwsympa(8), sympa_soap_server(8).
Descriptions of parameters were originally taken from the chapter “Authentication” in Sympa, Mailing List Management Software - Reference manual, written by Serge Aumont, Soji Ikeda, Olivier Salaün and David Verdin.
The content of this page is automatically generated from the source distribution of Sympa. For details about this document see original source file.
Theme originally designed by orderedlist