Hello, Oleg,

Thank you for your interest in cosign friend. I hope my answers help you get things working.

On Mar 23, 2008, at 11:05 PM, Oleg Polovinkin wrote:

> Hi all!
>
> I spent much time, searching for any detailed documentation on configuration of
> friend feature - and didn't find anything. :( All I have is several test files,
> included in friend 2.0.2. But that's not enough for me. :(
>
> Please, tell me, if any detailed information on friend present in the internet?
> And if no - please answer to some questions. I'm placing friend.conf here with
> my questions.
>
> dbhost:localhost
> dbuser:someuser
> dbpasswd:somepass
> xmlrpcserver:xmlrpc.host.edu
> -------- cut -
> what xmlrpcserver is used for? Do I really need it? And should I install it
> somewhere? And how should I configure it?
>

If you would like to use the invitation interface, then yes. Friend allows three ways to create an account:

1) A user navigates to the 'main' friend page and enters their e-mail address.
2) A user goes to the 'invite' page and enters several e-mail addresses. Each e-mail address is sent a friend account creation invite.
3) An application talks to the xml-rpc server, 'acquaintance', and provides the e-mail address(es) to send invites to.

2) is actually just an end-user interface to 3). Friend can function just fine without the xml-rpc interface, but you will lose the ability to send "mass" or application-initiated invites. Also, be sure to provide cosign-protection and restrict the users that can actually use the invite interface! Leaving it wide open is asking for abuse and phishing attacks (since the e-mails are intended to look like 'official' correspondence from your organization).

> xmlrpcpath:/acquaintance/
> realm:host.edu
> -------- cut -
> what is "realm" used for? If I want to use cosign for auth for several sites
> which have completely different domain names - what should I use as realm?
>

This is used to prevent people with an e-mail address ending in "host.edu" from creating friend accounts.
The assumption here is that people who have a valid Kerberos principal should use that to authenticate to cosign.

> maxinvites:50

These are the maximum invites that a user can send at a single time.

> invitecontact:[EMAIL PROTECTED]
> invitesubject:host.edu Friend Account Invitation
> requestsubject:host.edu Friend Account Request
> friendServer:friend.host.edu

These are used for populating various fields in the friend invitation e-mail. For example, the template for the e-mail will use friendServer to populate the text so it looks something like this:

"If you need to reset your password, visit https://friend.host.edu/friend/account/"

> -------- cut -
> if "friendServer" just name of host, where "friend" scripts are running?
>
> pinlife:300
> -------- cut -
> what is this? something like ttl of guest account? if so - is it 300 seconds,
> hours, or years? :) and how can I make it infinite?
>

This is the length of time the account creation unique pin is good for. The time is in minutes, iirc. Really, the pins are only ~8 characters, so this is used as a cheap way to mitigate collisions.

> minpasswordlength:5
> minpasswordscore:2
> cert:/etc/certs/friend.host.edu.pem
> -------- cut -
> what cert should I place here (according to wiki setup) - cosignd, cgi,
> mod_cosign? or separate one?
>

It should be the certificate that the friend system uses to talk to itself over xml-rpc.

> allow:friend.host.edu
> allow:gateway.host.edu
> -------- cut -
> allow what? should I write here names of hosts, that must use friend-cosign for
> auth their users? and how's it interferes with cosign.conf?
>

"Allow" refers to the SSL certificate CN of servers that are allowed to talk to the xml-rpc server. It should at least allow itself to talk to itself... unless you're not using the xml-rpc portion.

Jarod

>
> I'm sorry, guys - so small config and so much dull questions... :( But I feel
> myself completely stuck and don't know, what to do. :( Please,
> answer, if you can!
>
> Sincerely
> Oleg Polovinkin
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Cosign-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
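
Added example (not part of the original message and not code from the friend distribution): a small Python check over the key:value friend.conf format quoted above, covering what the reply says about "realm" and "allow". The domain-boundary rule in in_realm, the case-insensitive CN comparison in cn_allowed, and the idea that the friend host's certificate CN equals friendServer are illustrative assumptions, not friend's documented behaviour.

```python
# Added example, not code from the friend distribution.
# Constructed sample built from values quoted in the thread.
SAMPLE_CONF = """\
xmlrpcserver:xmlrpc.host.edu
xmlrpcpath:/acquaintance/
realm:host.edu
friendServer:friend.host.edu
cert:/etc/certs/friend.host.edu.pem
allow:friend.host.edu
allow:gateway.host.edu
"""

def parse_conf(text):
    """Return {key: [values]}; keys such as 'allow' may repeat."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")  # split at first ':' only
        if sep:
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def in_realm(email, realm):
    """Assumed rule: the domain is the realm itself or a subdomain of it."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    realm = realm.lower()
    return domain == realm or domain.endswith("." + realm)

def cn_allowed(conf, cn):
    """Exact, case-insensitive match of a certificate CN against 'allow'."""
    return cn.lower() in {a.lower() for a in conf.get("allow", [])}

def audit(conf):
    """Warnings for the xml-rpc settings discussed in the thread."""
    warnings = []
    if conf.get("xmlrpcserver"):
        if not conf.get("cert"):
            warnings.append("xmlrpcserver set but no cert configured")
        # Assumption: the friend host's certificate CN equals friendServer.
        for server in conf.get("friendServer", []):
            if not cn_allowed(conf, server):
                warnings.append(f"friendServer {server} missing from allow list")
    return warnings

if __name__ == "__main__":
    print(audit(parse_conf(SAMPLE_CONF)) or "no warnings")
```

Matching on a domain boundary keeps an address at an unrelated domain that merely ends in the same characters from being treated as inside the realm, and exact CN comparison avoids accepting a host whose name only contains an allowed name.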
