.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "AUTH.CONF 5"
.TH AUTH.CONF 5 "2022-11-25" "6.2.70" "sympa 6.2.70"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
auth.conf \- Configuration of authentication mechanisms for web interface of Sympa
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fIauth.conf\fR configuration file defines the authentication mechanisms
for the web interface of Sympa.
.SS "\fIauth.conf\fP structure"
.IX Subsection "auth.conf structure"
Each paragraph starts with one of the names \f(CW\*(C`user_table\*(C'\fR, \f(CW\*(C`ldap\*(C'\fR,
\&\f(CW\*(C`generic_sso\*(C'\fR or \f(CW\*(C`cas\*(C'\fR.
.PP
The \fIauth.conf\fR file contains directives in the following format:
.PP
.Vb 4
\&    name
\&    keyword value
\&    keyword value
\&    ...
\&
\&    name
\&    keyword value
\&    keyword value
\&    ...
.Ve
.PP
Comments start with the \f(CW\*(C`#\*(C'\fR character at the beginning of a line.
.PP
Empty lines are also treated as comments and are ignored at the beginning of the
file. After the first paragraph, they are treated as paragraph separators.
There should be only one directive per line, but their order within a paragraph
is of no importance.
.PP
The following subsections describe the parameters available in each paragraph.
.ie n .SS """user_table"" paragraph"
.el .SS "\f(CWuser_table\fP paragraph"
.IX Subsection "user_table paragraph"
This paragraph is related to Sympa's internal authentication by email address and
password. Information about users is stored in the \f(CW\*(C`user_table\*(C'\fR
database table. This is the simplest mechanism.
.ie n .IP """regexp"" \fIregexp\fR" 4
.el .IP "\f(CWregexp\fR \fIregexp\fR" 4
.IX Item "regexp regexp"
.PD 0
.ie n .IP """negative_regexp""" 4
.el .IP "\f(CWnegative_regexp\fR" 4
.IX Item "negative_regexp"
.PD
Perl regular expressions applied to the email address provided, to select or block
this authentication mechanism for a subset of email addresses.
.ie n .SS """ldap"" paragraph"
.el .SS "\f(CWldap\fP paragraph"
.IX Subsection "ldap paragraph"
This paragraph allows one to log in to Sympa using data taken from an \s-1LDAP\s0
directory.
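As an added example (not Sympa's own code), the following parser reads the paragraph format described above from a constructed auth.conf and applies each paragraph's regexp / negative_regexp to a login to decide which mechanisms may be tried for it. Case-insensitive matching, and skipping the check when a plain user ID rather than an email address is given, are assumptions drawn from the descriptions of these directives.

```python
import re

# Constructed sample (not taken from a real Sympa site): a comment line, a
# leading empty line, two paragraphs separated by an empty line, and one
# "keyword value" directive per line.
SAMPLE_AUTH_CONF = r"""
# LDAP for the university domain, internal user_table for everyone else

ldap
regexp                 @univ-rennes1\.fr$
host                   ldap.univ-rennes1.fr:389
use_tls                starttls
suffix                 dc=univ-rennes1,dc=fr
get_dn_by_uid_filter   (uid=[sender])
get_dn_by_email_filter (mail=[sender])
email_attribute        mail

user_table
negative_regexp        @univ-rennes1\.fr$
"""

PARAGRAPH_NAMES = ("user_table", "ldap", "generic_sso", "cas")


def parse_auth_conf(text):
    """Return [(name, {keyword: value}), ...] in file order."""
    paragraphs, current = [], None
    for raw in text.splitlines():
        if raw.startswith("#"):          # comment: '#' at the beginning of a line
            continue
        line = raw.strip()
        if not line:                     # empty line: separator (ignored before
            current = None               # the first paragraph)
            continue
        if current is None:              # first line of a paragraph is its name
            if line not in PARAGRAPH_NAMES:
                raise ValueError("unknown paragraph name: %r" % line)
            current = (line, {})
            paragraphs.append(current)
            continue
        parts = line.split(None, 1)      # keyword, then the rest of the line
        current[1][parts[0]] = parts[1] if len(parts) > 1 else ""
    return paragraphs


def mechanism_applies(directives, login):
    """Apply regexp / negative_regexp of one paragraph to a login.

    Assumptions: matching is case-insensitive (email addresses), and a plain
    user ID (no '@') is never filtered, since the ldap paragraph states the
    regexps apply only when an email address is provided.
    """
    if "@" not in login:
        return True
    positive = directives.get("regexp")
    negative = directives.get("negative_regexp")
    if positive and not re.search(positive, login, re.IGNORECASE):
        return False
    if negative and re.search(negative, login, re.IGNORECASE):
        return False
    return True


def select_mechanisms(text, login):
    """Names of the paragraphs that may authenticate this login, in file order."""
    return [name for name, d in parse_auth_conf(text) if mechanism_applies(d, login)]
```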
Login is done in two steps:
.IP "\(bu" 4
Users provide a user \s-1ID\s0 or an email address, along with a password. These are
used to retrieve their distinguished name (\s-1DN\s0) in the \s-1LDAP\s0 directory.
.IP "\(bu" 4
The email attribute is extracted from the directory entry corresponding to the
found \s-1DN.\s0
.PP
Here is how to configure the \s-1LDAP\s0 authentication:
.ie n .IP """regexp""" 4
.el .IP "\f(CWregexp\fR" 4
.IX Item "regexp"
.PD 0
.ie n .IP """negative_regexp""" 4
.el .IP "\f(CWnegative_regexp\fR" 4
.IX Item "negative_regexp"
.PD
Same as in the \f(CW\*(C`user_table\*(C'\fR paragraph: if an email address is provided
(this does \fInot\fR apply to the user \s-1ID\s0), the regular expression is applied
to find out whether the \s-1LDAP\s0 directory can be used to authenticate that subset
of users.
.ie n .IP """host""" 4
.el .IP "\f(CWhost\fR" 4
.IX Item "host"
This keyword is \fBmandatory\fR. It is the domain name used to bind to the
directory and then to extract information. You must mention the port number
after the server name. Server replication is supported by listing several
servers separated by commas (\f(CW\*(C`,\*(C'\fR).
.Sp
Example:
.Sp
.Vb 1
\&    host ldap.univ\-rennes1.fr:389
\&
\&    host ldap0.university.com:389,ldap1.university.com:389,ldap2.university.com:389
.Ve
.ie n .IP """timeout""" 4
.el .IP "\f(CWtimeout\fR" 4
.IX Item "timeout"
The time limit of the search operation: a \f(CW\*(C`timelimit\*(C'\fR that restricts
the maximum time (in seconds) allowed for a search. A value of \f(CW0\fR (the
default) means that no time limit will be requested.
.ie n .IP """suffix""" 4
.el .IP "\f(CWsuffix\fR" 4
.IX Item "suffix"
The root of the \s-1DIT\s0 (directory information tree): the \s-1DN\s0 of the base
object entry relative to which the search is performed.
.Sp
Example:
.Sp
.Vb 1
\&    dc=university,dc=fr
.Ve
.ie n .IP """bind_dn""" 4
.el .IP "\f(CWbind_dn\fR" 4
.IX Item "bind_dn"
If anonymous bind is not allowed on the \s-1LDAP\s0 server, a \s-1DN\s0 and password
can be used.
.ie n .IP """bind_password""" 4
.el .IP "\f(CWbind_password\fR" 4
.IX Item "bind_password"
This password is used, combined with the \f(CW\*(C`bind_dn\*(C'\fR above.
.ie n .IP """get_dn_by_uid_filter""" 4
.el .IP "\f(CWget_dn_by_uid_filter\fR" 4
.IX Item "get_dn_by_uid_filter"
Defines the search filter corresponding to the \f(CW\*(C`ldap_uid\*(C'\fR
(\s-1RFC 2254\s0 compliant). If you want to apply the filter on the user, use the
variable \f(CW\*(C`[sender]\*(C'\fR. It will work with every type of authentication
(user \s-1ID,\s0 \f(CW\*(C`alternate_email\*(C'\fR, ...).
.Sp
Example:
.Sp
.Vb 1
\&    (Login = [sender])
\&
\&    (|(ID = [sender])(UID = [sender]))
.Ve
.ie n .IP """get_dn_by_email_filter""" 4
.el .IP "\f(CWget_dn_by_email_filter\fR" 4
.IX Item "get_dn_by_email_filter"
Defines the search filter corresponding to the email addresses (canonic and
alternative \-\-\- this is \s-1RFC 2254\s0 compliant). If you want to apply the
filter on the user, use the variable \f(CW\*(C`[sender]\*(C'\fR. It will work with
every type of authentication (user \s-1ID,\s0 \f(CW\*(C`alternate_email\*(C'\fR, ...).
.Sp
Example: a person is described by
.Sp
.Vb 10
\&    dn: cn=Fabrice Rafart, ou=Siege, o=MaSociete, c=FR
\&    objectClass: person
\&    cn: Fabrice Rafart
\&    title: Network Responsible
\&    o: Siege
\&    ou: Data processing
\&    telephoneNumber: 01\-00\-00\-00\-00
\&    facsimileTelephoneNumber: 01\-00\-00\-00\-00
\&    l: Paris
\&    country: France
\&    uid: frafart
\&    mail: Fabrice.Rafart@MaSociete.fr
\&    alternate_email: frafart@MaSociete.fr
\&    alternate: rafart@MaSociete.fr
.Ve
.Sp
The filters can be:
.Sp
.Vb 1
\&    (mail = [sender])
\&
\&    (| (mail = [sender])(alternate_email = [sender]) )
\&
\&    (| (mail = [sender])(alternate_email = [sender])(alternate = [sender]) )
.Ve
.ie n .IP """email_attribute""" 4
.el .IP "\f(CWemail_attribute\fR" 4
.IX Item "email_attribute"
The name of the attribute for the canonic email in your directory: for instance
\&\f(CW\*(C`mail\*(C'\fR, \f(CW\*(C`canonic_email\*(C'\fR, \f(CW\*(C`canonic_address\*(C'\fR, ...
In the previous example, the canonic email is \f(CW\*(C`mail\*(C'\fR.
.ie n .IP """alternative_email_attribute""" 4
.el .IP "\f(CWalternative_email_attribute\fR" 4
.IX Item "alternative_email_attribute"
\&\fIObsoleted\fR.
.Sp
On Sympa 6.2.38 or earlier, the web interface provided a cookie named
\&\f(CW\*(C`sympa_altemails\*(C'\fR which contained the attribute values specified by
this parameter along with the authenticated email address. This feature was
deprecated.
.ie n .IP """scope""" 4
.el .IP "\f(CWscope\fR" 4
.IX Item "scope"
Default value: \f(CW\*(C`sub\*(C'\fR
.Sp
By default, the search is performed on the whole tree below the specified base
object. This may be changed by specifying a scope:
.RS 4
.ie n .IP """base""" 4
.el .IP "\f(CWbase\fR" 4
.IX Item "base"
Search only the base object,
.ie n .IP """one""" 4
.el .IP "\f(CWone\fR" 4
.IX Item "one"
Search the entries immediately below the base object,
.ie n .IP """sub""" 4
.el .IP "\f(CWsub\fR" 4
.IX Item "sub"
Search the whole tree below the base object. This is the default.
.RE
.RS 4
.RE
.ie n .IP """authentication_info_url""" 4
.el .IP "\f(CWauthentication_info_url\fR" 4
.IX Item "authentication_info_url"
Defines the \s-1URL\s0 of a document describing \s-1LDAP\s0 password management.
When hitting Sympa's \*(L"Send me a password\*(R" button, \s-1LDAP\s0 users will be
redirected to this \s-1URL.\s0
.PP
\fI\s-1TLS\s0 parameters\fR
.IX Subsection "TLS parameters"
.PP
The following parameters are used to provide \s-1LDAPS\s0 (\s-1LDAP\s0 over
\&\s-1TLS/SSL\s0):
.ie n .IP """use_ssl"" (\s-1OBSOLETE\s0)" 4
.el .IP "\f(CWuse_ssl\fR (\s-1OBSOLETE\s0)" 4
.IX Item "use_ssl (OBSOLETE)"
If set to \f(CW1\fR, the connection to the \s-1LDAP\s0 server will use \s-1LDAPS\s0
(\s-1LDAP\s0 over \s-1TLS/SSL\s0).
.Sp
Obsoleted as of Sympa 6.2.15. Use \f(CW\*(C`use_tls\*(C'\fR instead.
.ie n .IP """use_tls""" 4
.el .IP "\f(CWuse_tls\fR" 4
.IX Item "use_tls"
Default value: \f(CW\*(C`none\*(C'\fR
.RS 4
.ie n .IP """ldaps""" 4
.el .IP "\f(CWldaps\fR" 4
.IX Item "ldaps"
Use \s-1LDAPS\s0 (\s-1LDAP\s0 over \s-1TLS/SSL\s0),
.ie n .IP """starttls""" 4
.el .IP "\f(CWstarttls\fR" 4
.IX Item "starttls"
Use StartTLS,
.ie n .IP """none""" 4
.el .IP "\f(CWnone\fR" 4
.IX Item "none"
\&\s-1TLS\s0 (\s-1SSL\s0) is disabled.
.RE
.RS 4
.RE
.ie n .IP """ssl_version""" 4
.el .IP "\f(CWssl_version\fR" 4
.IX Item "ssl_version"
Default value: \f(CW\*(C`tlsv1\*(C'\fR
.Sp
This defines the version of the \s-1TLS/SSL\s0 protocol to use. Possible values are
\&\f(CW\*(C`sslv2\*(C'\fR, \f(CW\*(C`sslv3\*(C'\fR, \f(CW\*(C`tlsv1\*(C'\fR, \f(CW\*(C`tlsv1_1\*(C'\fR and
\&\f(CW\*(C`tlsv1_2\*(C'\fR.
.ie n .IP """ssl_ciphers""" 4
.el .IP "\f(CWssl_ciphers\fR" 4
.IX Item "ssl_ciphers"
Specifies which subset of cipher suites is permissible for this connection, using
the standard OpenSSL string format. The default value of Net::LDAPS for ciphers
is \f(CW\*(C`ALL\*(C'\fR, which permits all ciphers, even those that do not encrypt!
.ie n .IP """ssl_cert""" 4
.el .IP "\f(CWssl_cert\fR" 4
.IX Item "ssl_cert"
Path to the client certificate.
.Sp
Introduced on Sympa 6.2.
.ie n .IP """ssl_key""" 4
.el .IP "\f(CWssl_key\fR" 4
.IX Item "ssl_key"
Path to the secret key of the client certificate.
.Sp
Introduced on Sympa 6.2.
.ie n .IP """ca_verify""" 4
.el .IP "\f(CWca_verify\fR" 4
.IX Item "ca_verify"
\&\f(CW\*(C`none\*(C'\fR, \f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`required\*(C'\fR. If set to
\&\f(CW\*(C`none\*(C'\fR, the server certificate will never be verified. The latter two
need appropriate \f(CW\*(C`ca_path\*(C'\fR and/or \f(CW\*(C`ca_file\*(C'\fR settings.
.Sp
Introduced on Sympa 6.2.
.ie n .IP """ca_path""" 4
.el .IP "\f(CWca_path\fR" 4
.IX Item "ca_path"
Path to the directory store of \s-1CA\s0 certificates.
.Sp
Introduced on Sympa 6.2.
.ie n .IP """ca_file""" 4
.el .IP "\f(CWca_file\fR" 4
.IX Item "ca_file"
Path to the file store of \s-1CA\s0 certificates.
.Sp
Introduced on Sympa 6.2.
.ie n .SS """generic_sso"" paragraph"
.el .SS "\f(CWgeneric_sso\fP paragraph"
.IX Subsection "generic_sso paragraph"
.ie n .IP """regexp""" 4
.el .IP "\f(CWregexp\fR" 4
.IX Item "regexp"
.PD 0
.ie n .IP """negative_regexp""" 4
.el .IP "\f(CWnegative_regexp\fR" 4
.IX Item "negative_regexp"
.PD
See the \f(CW\*(C`user_table\*(C'\fR paragraph.
.ie n .IP """service_name""" 4
.el .IP "\f(CWservice_name\fR" 4
.IX Item "service_name"
This is the \s-1SSO\s0 service name that will be offered to the user in the login
banner menu.
.ie n .IP """service_id""" 4
.el .IP "\f(CWservice_id\fR" 4
.IX Item "service_id"
This service \s-1ID\s0 is used as a parameter by Sympa to refer to the \s-1SSO\s0
service (instead of the service name).
.Sp
A corresponding \s-1URL\s0 on the local web server should be protected by the
\&\s-1SSO\s0 system; this \s-1URL\s0 would look like
\&\f(CW\*(C`http://yourhost.yourdomain/sympa/sso_login/inqueue\*(C'\fR if the
\&\f(CW\*(C`service_id\*(C'\fR is "\f(CW\*(C`inqueue\*(C'\fR".
.ie n .IP """http_header_list""" 4
.el .IP "\f(CWhttp_header_list\fR" 4
.IX Item "http_header_list"
Sympa gets user attributes from environment variables coming from the web server.
These variables are then cached in the \f(CW\*(C`user_table\*(C'\fR database table for
later use in authorization scenarios (in structure). You can define a
comma-separated list of header field names.
.ie n .IP """http_header_prefix""" 4
.el .IP "\f(CWhttp_header_prefix\fR" 4
.IX Item "http_header_prefix"
Only environment variables starting with the defined prefix will be kept.
Another option is to list \s-1HTTP\s0 header fields explicitly using the
\&\f(CW\*(C`http_header_list\*(C'\fR parameter.
.ie n .IP """email_http_header""" 4
.el .IP "\f(CWemail_http_header\fR" 4
.IX Item "email_http_header"
This parameter defines the environment variable that will contain the
authenticated user's email address.
.ie n .IP """http_header_value_separator""" 4
.el .IP "\f(CWhttp_header_value_separator\fR" 4
.IX Item "http_header_value_separator"
Default: \f(CW\*(C`;\*(C'\fR
.Sp
User attributes may be multi-valued (including the user email address). This
parameter defines the character(s) separating the values.
.ie n .IP """logout_url""" 4
.el .IP "\f(CWlogout_url\fR" 4
.IX Item "logout_url"
This optional parameter allows one to specify the \s-1SSO\s0 logout \s-1URL.\s0
If defined, Sympa will redirect the user to this \s-1URL\s0 after the Sympa logout
has been performed.
.PP
\fInetID mapping parameters\fR
.IX Subsection "netID mapping parameters"
.PP
The following parameters define how Sympa can check the user email address,
either provided by the \s-1SSO\s0 or by the user themselves:
.ie n .IP """internal_email_by_netid""" 4
.el .IP "\f(CWinternal_email_by_netid\fR" 4
.IX Item "internal_email_by_netid"
If set to \f(CW1\fR, this parameter makes Sympa use its \f(CW\*(C`netidmap\*(C'\fR
table to associate net IDs with user email addresses.
.ie n .IP """netid_http_header""" 4
.el .IP "\f(CWnetid_http_header\fR" 4
.IX Item "netid_http_header"
This parameter defines the environment variable that will contain the user's
identifier. This net \s-1ID\s0 will then be associated with an email address
provided by the user.
.ie n .IP """force_email_verify""" 4
.el .IP "\f(CWforce_email_verify\fR" 4
.IX Item "force_email_verify"
If set to \f(CW1\fR, this parameter makes Sympa check the user's email address.
If the email address was not provided by the authentication module, the user is
requested to provide a valid email address.
.PP
\fI\s-1LDAP\s0 parameters for generic \s-1SSO\s0\fR
.IX Subsection "LDAP parameters for generic SSO"
.PP
The following parameters define how Sympa can retrieve the user email address;
\fBthese are useful only in case the \f(CB\*(C`email_http_header\*(C'\fB entry was
not defined\fR:
.ie n .IP """ldap_host""" 4
.el .IP "\f(CWldap_host\fR" 4
.IX Item "ldap_host"
The \s-1LDAP\s0 host Sympa will connect to in order to fetch the user email. The
\&\f(CW\*(C`ldap_host\*(C'\fR includes the port number and it may be a comma-separated
list of redundant hosts.
.ie n .IP """ldap_bind_dn""" 4
.el .IP "\f(CWldap_bind_dn\fR" 4
.IX Item "ldap_bind_dn"
The \s-1DN\s0 used to bind to this server. Anonymous bind is used if this parameter
is not defined.
.ie n .IP """ldap_bind_password""" 4
.el .IP "\f(CWldap_bind_password\fR" 4
.IX Item "ldap_bind_password"
The password used unless anonymous bind is used.
.ie n .IP """ldap_suffix""" 4
.el .IP "\f(CWldap_suffix\fR" 4
.IX Item "ldap_suffix"
The \s-1LDAP\s0 suffix used when searching the user email.
.ie n .IP """ldap_scope""" 4
.el .IP "\f(CWldap_scope\fR" 4
.IX Item "ldap_scope"
The scope used when searching the user email. Possible values are
\&\f(CW\*(C`sub\*(C'\fR, \f(CW\*(C`base\*(C'\fR and \f(CW\*(C`one\*(C'\fR.
.ie n .IP """ldap_get_email_by_uid_filter""" 4
.el .IP "\f(CWldap_get_email_by_uid_filter\fR" 4
.IX Item "ldap_get_email_by_uid_filter"
The filter used to perform the email search. It can refer to any environment
variable inherited from the \s-1SSO\s0 module, as shown below.
.Sp
Example:
.Sp
.Vb 1
\&    ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])
.Ve
.ie n .IP """ldap_email_attribute""" 4
.el .IP "\f(CWldap_email_attribute\fR" 4
.IX Item "ldap_email_attribute"
The attribute name to be used as the user's canonical email. In the current
version of Sympa, only the first value returned by the \s-1LDAP\s0 server is used.
.ie n .IP """ldap_timeout""" 4
.el .IP "\f(CWldap_timeout\fR" 4
.IX Item "ldap_timeout"
The timeout for the search.
.PP
\fI\s-1TLS\s0 parameters\fR
.IX Subsection "TLS parameters"
.PP
To support \s-1LDAPS\s0 (\s-1LDAP\s0 over \s-1SSL/TLS\s0), the corresponding parameters
of the \f(CW\*(C`ldap\*(C'\fR paragraph may also be used for \f(CW\*(C`generic_sso\*(C'\fR.
.ie n .SS """cas"" paragraph"
.el .SS "\f(CWcas\fP paragraph"
.IX Subsection "cas paragraph"
Note that Sympa will act as a \s-1CAS\s0 client to validate \s-1CAS\s0 tickets. During
this exchange, Sympa will check the \s-1CAS\s0 server's X.509 certificate. Therefore
you should ensure that the certificate authority of the \s-1CAS\s0 server is known
by Sympa; this should be configured through the \f(CW\*(C`cafile\*(C'\fR or
\&\f(CW\*(C`capath\*(C'\fR \fIsympa.conf\fR configuration parameters.
.ie n .IP """regexp""" 4
.el .IP "\f(CWregexp\fR" 4
.IX Item "regexp"
.PD 0
.ie n .IP """negative_regexp""" 4
.el .IP "\f(CWnegative_regexp\fR" 4
.IX Item "negative_regexp"
.PD
See the \f(CW\*(C`user_table\*(C'\fR paragraph.
.ie n .IP """auth_service_name""" 4
.el .IP "\f(CWauth_service_name\fR" 4
.IX Item "auth_service_name"
The authentication service name. Note that it is used as an identifier in the
code; it should therefore be made of alphanumeric characters only, with no space.
.ie n .IP """auth_service_friendly_name""" 4
.el .IP "\f(CWauth_service_friendly_name\fR" 4
.IX Item "auth_service_friendly_name"
If defined, this string is proposed on the web login banner.
.ie n .IP """host"" (\s-1OBSOLETE\s0)" 4
.el .IP "\f(CWhost\fR (\s-1OBSOLETE\s0)" 4
.IX Item "host (OBSOLETE)"
This parameter has been replaced by the \f(CW\*(C`base_url\*(C'\fR parameter.
.ie n .IP """base_url""" 4
.el .IP "\f(CWbase_url\fR" 4
.IX Item "base_url"
The base \s-1URL\s0 of the \s-1CAS\s0 server.
.ie n .IP """non_blocking_redirection""" 4
.el .IP "\f(CWnon_blocking_redirection\fR" 4
.IX Item "non_blocking_redirection"
\&\f(CW\*(C`on\*(C'\fR or \f(CW\*(C`off\*(C'\fR. Default value: \f(CW\*(C`on\*(C'\fR
.Sp
This parameter only concerns the first access to Sympa services by a user: it
activates or not the non-blocking redirection to the related \s-1CAS\s0 server,
which checks automatically whether the user has been previously authenticated
with this \s-1CAS\s0 server. The redirection to \s-1CAS\s0 is made with the \s-1CGI\s0
parameter \f(CW\*(C`gateway=1\*(C'\fR, which tells the \s-1CAS\s0 server to always
redirect the user back to the original \s-1URL\s0 and only check whether the user is
logged in. If active, the \s-1SSO\s0 service is effective and transparent, but in
case the \s-1CAS\s0 server is out of order, access to Sympa services is impossible.
.ie n .IP """login_uri"" (\s-1OBSOLETE\s0)" 4
.el .IP "\f(CWlogin_uri\fR (\s-1OBSOLETE\s0)" 4
.IX Item "login_uri (OBSOLETE)"
This parameter has been replaced by the \f(CW\*(C`login_path\*(C'\fR parameter.
.ie n .IP """login_path"" (\s-1OPTIONAL\s0)" 4
.el .IP "\f(CWlogin_path\fR (\s-1OPTIONAL\s0)" 4
.IX Item "login_path (OPTIONAL)"
The login service path.
.ie n .IP """check_uri"" (\s-1OBSOLETE\s0)" 4
.el .IP "\f(CWcheck_uri\fR (\s-1OBSOLETE\s0)" 4
.IX Item "check_uri (OBSOLETE)"
This parameter has been replaced by the \f(CW\*(C`service_validate_path\*(C'\fR
parameter.
.ie n .IP """service_validate_path"" (\s-1OPTIONAL\s0)" 4
.el .IP "\f(CWservice_validate_path\fR (\s-1OPTIONAL\s0)" 4
.IX Item "service_validate_path (OPTIONAL)"
The ticket validation service path.
.ie n .IP """logout_uri"" (\s-1OBSOLETE\s0)" 4
.el .IP "\f(CWlogout_uri\fR (\s-1OBSOLETE\s0)" 4
.IX Item "logout_uri (OBSOLETE)"
This parameter has been replaced by the \f(CW\*(C`logout_path\*(C'\fR parameter.
.ie n .IP """logout_path"" (\s-1OPTIONAL\s0)" 4
.el .IP "\f(CWlogout_path\fR (\s-1OPTIONAL\s0)" 4
.IX Item "logout_path (OPTIONAL)"
The logout service path.
.ie n .IP """proxy_path"" (\s-1OPTIONAL\s0)" 4
.el .IP "\f(CWproxy_path\fR (\s-1OPTIONAL\s0)" 4
.IX Item "proxy_path (OPTIONAL)"
The proxy service path, only used by the Sympa \s-1SOAP\s0 server.
.ie n .IP """proxy_validate_path"" (\s-1OPTIONAL\s0)" 4
.el .IP "\f(CWproxy_validate_path\fR (\s-1OPTIONAL\s0)" 4
.IX Item "proxy_validate_path (OPTIONAL)"
The proxy validate service path, only used by the Sympa \s-1SOAP\s0 server.
.PP
\fI\s-1LDAP\s0 parameters for \s-1CAS\s0\fR
.IX Subsection "LDAP parameters for CAS"
.ie n .IP """ldap_host""" 4
.el .IP "\f(CWldap_host\fR" 4
.IX Item "ldap_host"
The \s-1LDAP\s0 host Sympa will connect to in order to fetch the user email when a
user uid is returned by the \s-1CAS\s0 service. The \f(CW\*(C`ldap_host\*(C'\fR
includes the port number and it may be a comma-separated list of redundant hosts.
.ie n .IP """ldap_bind_dn""" 4
.el .IP "\f(CWldap_bind_dn\fR" 4
.IX Item "ldap_bind_dn"
The \s-1DN\s0 used to bind to this server. Anonymous bind is used if this parameter
is not defined.
.ie n .IP """ldap_bind_password""" 4
.el .IP "\f(CWldap_bind_password\fR" 4
.IX Item "ldap_bind_password"
The password used unless anonymous bind is used.
.ie n .IP """ldap_suffix""" 4
.el .IP "\f(CWldap_suffix\fR" 4
.IX Item "ldap_suffix"
The \s-1LDAP\s0 suffix used when searching the user email.
.ie n .IP """ldap_scope""" 4
.el .IP "\f(CWldap_scope\fR" 4
.IX Item "ldap_scope"
The scope used when searching the user email.
Possible values are \f(CW\*(C`sub\*(C'\fR, \f(CW\*(C`base\*(C'\fR and \f(CW\*(C`one\*(C'\fR.
.ie n .IP """ldap_get_email_by_uid_filter""" 4
.el .IP "\f(CWldap_get_email_by_uid_filter\fR" 4
.IX Item "ldap_get_email_by_uid_filter"
The filter used to perform the email search.
.ie n .IP """ldap_email_attribute""" 4
.el .IP "\f(CWldap_email_attribute\fR" 4
.IX Item "ldap_email_attribute"
The attribute name to be used as the user's canonical email. In the current
version of Sympa, only the first value returned by the \s-1LDAP\s0 server is used.
.ie n .IP """ldap_timeout""" 4
.el .IP "\f(CWldap_timeout\fR" 4
.IX Item "ldap_timeout"
The timeout for the search.
.PP
\fI\s-1TLS\s0 parameters\fR
.IX Subsection "TLS parameters"
.PP
To support \s-1LDAPS\s0 (\s-1LDAP\s0 over \s-1SSL/TLS\s0), the corresponding parameters
of the \f(CW\*(C`ldap\*(C'\fR paragraph may also be used for \f(CW\*(C`cas\*(C'\fR.
.SH "FILES"
.IX Header "FILES"
.IP "\fI\f(CI$DEFAULTDIR\fI/auth.conf\fR" 4
.IX Item "$DEFAULTDIR/auth.conf"
Distribution default. This file should not be edited.
.IP "\fI\f(CI$SYSCONFDIR\fI/auth.conf\fR" 4
.IX Item "$SYSCONFDIR/auth.conf"
.PD 0
.IP "\fI\f(CI$SYSCONFDIR\fI//auth.conf\fR" 4
.IX Item "$SYSCONFDIR//auth.conf"
.PD
Configuration files for the site-wide default and for each robot.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBwwsympa\fR\|(8),
\&\fBsympa_soap_server\fR\|(8).
.PP
Sympa::Auth.
.SH "HISTORY"
.IX Header "HISTORY"
Descriptions of parameters were originally taken from the chapter
\&\*(L"Authentication\*(R" in
\&\fISympa, Mailing List Management Software \- Reference manual\fR,
written by Serge Aumont, Soji Ikeda, Olivier Salau\*:n and David Verdin.