Purdue University

Identity and Access Management

The Realm Configuration File

The realm configuration file is maintained by the I2A2 administrator. Realms are created by inclusion in the configuration file, and their characteristics are set or changed by editing it. Configuration file changes take effect immediately.

Configuration File Syntax

  • The syntax of the configuration file is based on keywords (or keyword pairs) and their associated values (tokens). Keywords and tokens must be set off by at least one space, tab or newline; white space is otherwise ignored.
  • Comments are set off by pairs of braces ({}).

General Keywords

  • REALM/REALM_END: A realm file may define multiple realms. Each realm definition within a configuration file is enclosed within this keyword pair.

  • NAME: This is the human-readable name of the realm that is passed to authcnetd.

  • ID: This is the realm's numeric ID, which is mostly used internally.

  • SADMIN: The PUID of the realm's super-administrator. Each realm must have a super-administrator, who is all-powerful within the realm.

  • ACL/ACL_END: Realm sub-administrators are created by listing them in access control list (ACL) entries. The ACL entries within a realm must be enclosed within this keyword pair.

  • ACL_ENTRY: A single ACL entry for a realm sub-administrator follows the ACL_ENTRY keyword. The entry gives the PUID of the sub-administrator, the sub-administrator's permission mask, the PUID of the creator, and the time of creation (MM.DD.YYYY.HH.MM.SS). (The latter two values are somewhat arbitrary and currently unused.) The permission mask is given by mnemonic letters:
    • r -- read
    • w -- write
    • j -- join, unjoin
    • m -- modify realm member ACLs (create, delete, modify)
    • a -- all permissions (equivalent to the super-administrator)

Authentication Policy Keywords

Different realms may desire different authentication policies to implement their security policies. These policies are controlled by the following keywords:

  • BADAUTH_MAX - the number of consecutive bad authentication attempts before an action given by BADAUTH_ACTION is triggered.

  • BADAUTH_ACTION - the action to take when BADAUTH_MAX is exceeded. One of:
    • NONE - The default policy if none is specified.
    • LOG - Log a security event that may be noted by an external procedure.
    • FREEZE - Return a NAK even if the password hash matches.
    • TEMPFREEZE - Like FREEZE, but with the possibility of thawing the account if the password hash matches and BADAUTH_BACKON seconds have elapsed.

  • BADAUTH_BACKON - elapsed time in seconds before considering thawing an account when the TEMPFREEZE policy is in place. This parameter has no meaning unless TEMPFREEZE is also specified.

  • AUTH_THROTTLE - Minimum delay in milliseconds between authentication attempts. This throttles the number of authentication attempts per second per authcnetd connection. E.g., if it's set to 500, an artificial 0.5 second delay is introduced into each reply to an authentication request, and no more than 2 attempts per second could be made through a single authcnetd connection. N.B.: attackers may make an arbitrarily large number of authcnetd connections, limited only by overall system resources.

Encryption Type Keywords

The ETYPE keyword specifies the encryption to use for converting clear text passwords into password hashes to store in the DBM. The supported types and their definitions are given in puid_etypes.h and described here.

Trust Relationship Keywords

Realms may choose to trust authentication credentials from other realms. The TRUSTED and TRUSTED_END keyword pair bounds a list of realm names that the current realm wishes to trust. For example:

trusted
   purdue boiler
trusted_end

indicates that the realm currently being defined desires to trust the "purdue" and "boiler" realms.
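As an added example (not code from the I2A2 project), a small Python parser for the file format described on this page: it strips brace comments, tokenizes on white space, reads REALM/REALM_END, ACL/ACL_END and TRUSTED/TRUSTED_END blocks, and then lints a realm for the policy combinations this page calls meaningless or super-administrator-equivalent. It assumes keywords are matched case-insensitively (the page's own TRUSTED sample is lowercase) and runs on a constructed sample file, not a real Purdue configuration.

```python
import re

SAMPLE = """{ constructed sample, not a real Purdue realm file }
REALM NAME demo ID 7 SADMIN 00000001 BADAUTH_MAX 5 BADAUTH_ACTION LOG
  BADAUTH_BACKON 900 ACL ACL_ENTRY 00000002 rwj 00000001 01.02.2013.10.00.00 ACL_END
  trusted purdue boiler trusted_end REALM_END"""

VALUED = {"NAME", "ID", "SADMIN", "BADAUTH_MAX", "BADAUTH_ACTION",
          "BADAUTH_BACKON", "AUTH_THROTTLE", "ETYPE"}

def parse_realms(text):
    # Brace comments are dropped, then tokens split on any white space. Keywords
    # are matched case-insensitively (assumption: the page's TRUSTED sample is lowercase).
    toks, realms, i = re.sub(r"\{[^}]*\}", " ", text).split(), [], 0
    try:
        while i < len(toks):
            if toks[i].upper() != "REALM":
                raise ValueError(f"expected REALM, got {toks[i]!r}")
            realm, i = {"acl": [], "trusted": []}, i + 1
            while (kw := toks[i].upper()) != "REALM_END":
                if kw in VALUED:                       # keyword followed by one token
                    realm[kw.lower()], i = toks[i + 1], i + 2
                elif kw == "ACL":                      # ACL_ENTRY puid mask creator time
                    i += 1
                    while toks[i].upper() != "ACL_END":
                        if toks[i].upper() != "ACL_ENTRY":
                            raise ValueError(f"bad token in ACL: {toks[i]!r}")
                        puid, mask, creator, created = toks[i + 1:i + 5]
                        realm["acl"].append({"puid": puid, "mask": mask, "creator": creator, "created": created})
                        i += 5
                    i += 1
                elif kw == "TRUSTED":                  # list of realm names
                    i += 1
                    while toks[i].upper() != "TRUSTED_END":
                        realm["trusted"].append(toks[i]); i += 1
                    i += 1
                else:
                    raise ValueError(f"unknown keyword {toks[i]!r}")
            realms.append(realm); i += 1
    except IndexError:
        raise ValueError("unterminated REALM, ACL or TRUSTED block") from None
    return realms

def lint(realm):
    # Flag what the page calls meaningless or super-administrator-equivalent.
    issues = [] if "sadmin" in realm else ["missing SADMIN"]
    if "badauth_backon" in realm and realm.get("badauth_action", "NONE").upper() != "TEMPFREEZE":
        issues.append("BADAUTH_BACKON has no effect unless BADAUTH_ACTION is TEMPFREEZE")
    issues += [f"ACL entry {e['puid']} has 'a' (super-administrator equivalent)" for e in realm["acl"] if "a" in e["mask"]]
    return issues
```

Running `lint` over each realm returned by `parse_realms` gives a quick pre-deployment check, since the page notes that configuration changes take effect immediately.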

A sample realm configuration file

Maintained by: IAMO Team

© 2010 - 2013 Purdue University