cosign-建立cosign.conf文件(六)

建立cosign.conf文件,解析cgi
内容如下:
## [Common to cgi and cosignd]
# TLS parameters
#
# NOTE(review): the trailing "// ..." text on the three lines below is the
# article author's annotation (Chinese for "change the CA path" / "change the
# path"). The rest of this file uses "#" for comments; confirm that the cosign
# config parser tolerates trailing "//" text before copying these lines as-is.
#
# NOTE(review): all three paths sit under /var/www/html. If that directory is
# served as the web server's document root (verify for your host), cgi.key,
# presumably the TLS private key, would be downloadable over HTTP. Keep key
# material outside any served directory, or explicitly deny access to CAroot,
# and make the key readable only by the account the CGI runs as.
#
# NOTE(review): the CA directory decides which client certificates are
# trusted, so it should hold only the CA(s) meant to issue cosign certificates.
set cosigncadir /var/www/html/CAroot/CA/   //更改CA 路径
set cosigncert /var/www/html/CAroot/cgi.crt       //更改路径
set cosignkey /var/www/html/CAroot/cgi.key     //更改路径


## [cosignd-specific]
# Allow access to cosignd with cgi-level privileges (REGISTER new sessions)
# from this CommonName (CN is from the TLS certificate)
#
# NOTE(review): the CN granted cgi-level access here (cosignd.local) is the
# same name used for "set cosignhost" further down. Any certificate with this
# CN that chains to a CA in cosigncadir can REGISTER sessions, so confirm that
# sharing one CN between the daemon and the CGI is intended.
#cgi cgi-1
cgi cosignd.local

# Allow cosignd access with service-level privileges (CHECK existing sessions)
# from these CN (they need not match the source IP or domain name). cosign 3.0
# only allows clients access to service cookies which are associated with the
# certificate presented by the client.
#
# Note that the validation URLs here are using insecure http. You do not want to
# use insecure http in a production deployment of cosign.
#
# NOTE(review): the three service lines below are the ones that note refers
# to; change them to https:// before using this file outside a lab.
# NOTE(review): the first line ends in "0  0" where the other two end in
# "0 mod_cosign-1". The last field is presumably the client certificate CN
# described above; verify that "0" is the intended value for cosign-list.
service cosign-list http://portal.local/cosign/valid 0  0
service cosign-ldapadmin http://groupware.local/cosign/valid 0 mod_cosign-1
service cosign-groupware http://groupware.local/cosign/valid 0 mod_cosign-1

# service lines include regular expressions and support substitution of matches.
# E.g.:
#
# service cosign-(groupware) http://$1.local/cosign/valid 0 mod_cosign-1
#
# NOTE(review): in the example the captured text becomes part of the
# validation URL's host name, so keep such patterns as narrow as possible
# (an explicit list rather than a wildcard).

# In the ldapadmin example, we restrict access to the service at the
# Apache level (CosignRequireFactor admin). Alternatively we can
# centralise access restrictions at the cosignd level:
#cookie ldapadmin reauth ldap admin
# Note: you can specify multiple factors.
# By default, a cookie is granted as long as one factor is enabled.
#
# NOTE(review): with the cookie line commented out, the restriction on
# ldapadmin relies on the Apache-level CosignRequireFactor setting mentioned
# above. That setting is not part of this file; confirm it is present on the
# protected host.


## [cgi-specific]
# cosignd host (it must match the server's CN!)
set cosignhost cosignd.local

# NOTE(review): the next line is a commented-out, incomplete "set" (a value
# with no keyword); it has no effect and looks like a leftover.
#set zhanglina.com  
# Grab this user's factor:
# - argument 3 and later are name(s) of <FORM>/POST fields from the template
# - at least one factor is required for authentication to succeed
# - a factor executable only returns 1 factor name
# - factor names can be used by mod_cosign (CosignRequireFactor)
# - "-2" means this secondary script is started only if another one was successful
#
# NOTE(review): the active factor executables live under /var/www/html and
# are passed the login/password form fields. If that tree is served or
# CGI-enabled (verify), the scripts could be fetched or invoked directly.
# Prefer a location outside the served tree, as in the commented
# /usr/lib/cosign/factor example, and make sure the web server account cannot
# modify them.
# NOTE(review): both "test" factor lines are disabled here. What that factor
# accepts is not shown on this page; keep it disabled outside test setups.
#factor /usr/lib/cosign/factor/test login password
#factor /var/www/html/cosign/factor/test login password
# Primary factor: called with the "login" and "password" form fields.
factor /var/www/html/cosign/factor/ldap login password
# Secondary factor ("-2"): started only after another factor succeeded; called
# with the "login" field only.
factor /var/www/html/cosign/factor/admin -2 login

# Override the default template directories,
# so our changes won't be overwritten by an unfortunate 'make install'
set cosigntmpldir /var/www/html/cosign/templates-local

# Logout and loop-detection pages; both use https, unlike the service
# validation URLs earlier in this file.
set cosignlogouturl https://weblogin.local
set cosignloopurl https://weblogin.local/cosign/looping.html
