We did write one. I updated it to strip out the @brandeis.edu if it is
there. However, whenever the username has @brandeis.edu, our LDAP factor
doesn't get executed. It seems like Cosign sees the @brandeis.edu and
returns the "Unable to..." error before it executes our LDAP factor.


On Mon, Jul 14, 2014 at 2:07 PM, Liam Hoekenga <li...@umich.edu> wrote:

> There are instructions in the cosign wiki on how to implement an LDAP
> factor, but cosign doesn't actually come with one.
>
>
> http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:Test_install_HOWTO#Factors
>
> Did you guys write one?  You could probably update the LDAP factor to
> strip the domain from the username.  If you're using the sample LDAP
> factor, it should be pretty easy to do.
>
> You'd probably also need to create a passwd config line and tell it to
> ignore @brandeis.edu
>
> Liam
>
>
> On Mon, Jul 14, 2014 at 1:56 PM, Michael Ghen <mikeg...@brandeis.edu>
> wrote:
>
>> There is an LDAP factor. We're looking for a solution that doesn't
>> involve adding javascript on top of the login web page.
>>
>>
>> On Mon, Jul 14, 2014 at 1:54 PM, Liam Hoekenga <li...@umich.edu> wrote:
>>
>>> I think you could strip it out using javascript.
>>>
>>> Did you write an LDAP factor?  Are you using PAM?
>>>
>>> Liam
>>>
>>>
>>> On Mon, Jul 14, 2014 at 1:50 PM, Michael Ghen <mikeg...@brandeis.edu>
>>> wrote:
>>>
>>>> I do not see @brandeis.edu anywhere. I think it only shows up when
>>>> someone manually types it after their username. Is there a way to configure
>>>> cosign such that if it sees @brandeis.edu it will still just check
>>>> Active Directory? Basically just ignore the @brandeis.edu?
>>>>
>>>>
>>>> On Mon, Jul 14, 2014 at 1:42 PM, Liam Hoekenga <li...@umich.edu> wrote:
>>>>
>>>>> Do you see @brandeis.edu show up in the UI?  Something's got to be
>>>>> adding it before the form is POSTed, otherwise the mysql stuff wouldn't be
>>>>> getting invoked.
>>>>>
>>>>> Liam
>>>>>
>>>>>
>>>>> On Mon, Jul 14, 2014 at 12:57 PM, Michael Ghen <mikeg...@brandeis.edu>
>>>>> wrote:
>>>>>
>>>>>> Thanks again, I appreciate the help. We use AD via LDAP. I'm not sure
>>>>>> that we're seeing occurrences of "@brandeis....@brandeis.edu" that
>>>>>> was just a hunch. Do you have any other suggestions for things to try?
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 14, 2014 at 11:49 AM, Liam Hoekenga <li...@umich.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> I was mostly thinking that if you wanted to, you could use passwd to
>>>>>>> configure usernames containing @brandeis.edu to point at a kerberos
>>>>>>> realm instead of the guest system.
>>>>>>> Are you using AD via LDAP or kerberos?  I believe that "passwd" only
>>>>>>> lets you configure kerberos and guest (mysql), so if you're using LDAP
>>>>>>> or PAM to actually handle the authentication, it probably wouldn't be
>>>>>>> useful.
>>>>>>>
>>>>>>> The @brandeis.edu and the "cannot connect to guest database" are
>>>>>>> pretty clearly connected.
>>>>>>> The occurrences of "@brandeis....@brandeis.edu" suggest to me that
>>>>>>> maybe you've got something in the UI that's updating the form value.  An
>>>>>>> over-zealous javascript?  A default value in the username field of the
>>>>>>> login form?
>>>>>>>
>>>>>>> Liam
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 14, 2014 at 11:39 AM, Michael Ghen <
>>>>>>> mikeg...@brandeis.edu> wrote:
>>>>>>>
>>>>>>>> We use Active Directory.
>>>>>>>>
>>>>>>>>
>>>>>>>>  On Mon, Jul 14, 2014 at 11:35 AM, Liam Hoekenga <li...@umich.edu>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Are you using kerberos on the backend?
>>>>>>>>>
>>>>>>>>> Liam
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jul 14, 2014 at 11:34 AM, Michael Ghen <
>>>>>>>>> mikeg...@brandeis.edu> wrote:
>>>>>>>>>
>>>>>>>>>> Thanks Liam,
>>>>>>>>>>
>>>>>>>>>> I am not using the passwd directive. Will using it resolve this
>>>>>>>>>> issue?
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 14, 2014 at 11:22 AM, Liam Hoekenga <li...@umich.edu>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> The man page for cosign.conf explains the "Unable to connect to
>>>>>>>>>>> guest account database" error:
>>>>>>>>>>>
>>>>>>>>>>>        The keyword passwd is used to control password based
>>>>>>>>>>>        authentication of a user using the Kerberos and MySQL
>>>>>>>>>>>        internal authenticators. Where this keyword is not
>>>>>>>>>>>        specified, usernames containing an ’@’ are authenticated
>>>>>>>>>>>        through mysql, all other usernames are authenticated with
>>>>>>>>>>>        Kerberos.
>>>>>>>>>>>
>>>>>>>>>>> Are you using the "passwd" directive in your cosign.conf?
>>>>>>>>>>> If so, what do the entries look like?
>>>>>>>>>>>
>>>>>>>>>>> Liam
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 14, 2014 at 10:06 AM, Michael Ghen <
>>>>>>>>>>> mikeg...@brandeis.edu> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>  Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> My name is Mike and I work at Brandeis University where we use
>>>>>>>>>>>> Cosign. Recently, we've noticed that when a user enters their
>>>>>>>>>>>> username with @brandeis.edu at the end, they receive this error:
>>>>>>>>>>>> "Unable to connect to guest account database."
>>>>>>>>>>>>
>>>>>>>>>>>> We're trying to remove this error so that users can still sign
>>>>>>>>>>>> in but we're unsure about where it is generated. We think that
>>>>>>>>>>>> cosign is appending "@brandeis.edu" before it looks up the account
>>>>>>>>>>>> which would make the username have "...@brandeis....@brandeis.edu."
>>>>>>>>>>>> We could not find anything in the configuration files to suggest
>>>>>>>>>>>> that is the case. While we explore other options, I figured I would
>>>>>>>>>>>> reach out for help from the Cosign community. If anyone has any
>>>>>>>>>>>> suggestions or can offer any guidance, please let me know.
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>
>>>>>>>>>>>> Mike
>>>>>>>>>>>>
>>>>>>>>>>>>
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
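
The routing rule quoted from the cosign.conf man page, together with the factor-side domain stripping suggested in the thread, as an added example (not code from the thread, the Cosign project or its wiki). The username pattern, the function names and the `sAMAccountName` filter are assumptions chosen for illustration; only the exact local domain is stripped, so a login carrying any other domain is rejected instead of being mapped onto a local account.

```python
import re

LOCAL_DOMAIN = "brandeis.edu"  # domain named in the thread
# Assumed local username policy; adjust to the directory's real rules.
_LOCAL_PART = re.compile(r"[A-Za-z0-9._-]{1,64}")
# RFC 4515 escapes for characters that are special in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def default_authenticator(login: str) -> str:
    """Routing described in the man page excerpt when no passwd keyword is set."""
    return "mysql" if "@" in login else "kerberos"


def normalize_login(login: str, domain: str = LOCAL_DOMAIN) -> str:
    """Return the bare username, stripping only the exact local domain."""
    local, sep, dom = login.strip().partition("@")
    if sep and dom.lower() != domain:
        # Foreign domain, empty domain, or a doubled "@domain@domain" suffix.
        raise ValueError("unexpected domain in login")
    if not _LOCAL_PART.fullmatch(local):
        raise ValueError("invalid username")
    return local


def escape_filter(value: str) -> str:
    """Escape a value before placing it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(login: str) -> str:
    """Build the lookup filter from a normalized, escaped username."""
    return "(sAMAccountName=%s)" % escape_filter(normalize_login(login))


if __name__ == "__main__":
    # Constructed sample logins, not taken from any real system.
    for sample in ("jdoe", "jdoe@brandeis.edu", "jdoe@other.example"):
        try:
            print(sample, default_authenticator(sample), search_filter(sample))
        except ValueError as err:
            print(sample, default_authenticator(sample), "rejected:", err)
```
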
