# DACS jurisdiction configuration.
# Directives are "NAME value"; EVAL lines assign ${Conf::...} variables that
# later directives interpolate.  A leading "#" makes a directive inert.
# (Layout restored to one directive per line; the values are unchanged.)

# TURN OFF ONLY FOR TESTING PURPOSES!
SECURE_MODE "on"
STATUS_LINE "off"
# Presumably case-sensitive name comparison; confirm in dacs.conf(5).
NAME_COMPARE "case"

# Establish default URL prefixes for the default access control rules.
# Examine acls/acl-* in the distribution directory to see how these
# variables are used.
# Adjust or override these as necessary for your environment.
EVAL ${Conf::dacs_cgi_bin_prefix} = "/cgi-bin/dacs"
#EVAL ${Conf::dacs_sbin_prefix} = "${Conf::DACS_HOME}/sbin"
EVAL ${Conf::dacs_htdocs_prefix} = ""

# You might consider setting this to ".cgi" or ".exe" so that the default
# access control rules work for DACS CGI executables.
#EVAL ${Conf::dacs_cgi_bin_suffix} = ${Conf::CGI_SUFFIX}

# Used by ustamp(), this must be a pathname, not a vfs object
#EVAL ${Conf::ustamp_seqno} = "${Conf::DACS_HOME}/federations/seqno"

# Enable for testing purposes only!
# With "no", DACS credential cookies are not issued over plain HTTP, so they
# cannot be read by anyone observing unencrypted traffic.
ALLOW_HTTP_COOKIE "no"

# See dacs_auth_agent(8)
AUTH_AGENT_ALLOW_ADMIN_IDENTITY "no"

# Logging.  The commented-out alternatives below vary the file name, format
# and level depending on whether the request came over the network
# (${Env::REMOTE_ADDR:e} is true) or from the command line.
#LOG_FILE "${Conf::DACS_HOME}/logs/${Conf::JURISDICTION_NAME}-" . strftime("%d-%b-%y") . ".log"
LOG_FILE "/var/log/dacs/${Conf::JURISDICTION_NAME}.log"
#LOG_FORMAT ${Env::REMOTE_ADDR:e} ? "[%t] [%l] [%p,%c,%F] [%sp:\"%sm\",%sf:%sl]" : "%a[%l]:"
#LOG_LEVEL ${Env::REMOTE_ADDR:e} ? "INFO" : undef()
LOG_LEVEL "notice"
# Keep "no" so that passwords and similar material are not written to the log.
LOG_SENSITIVE "no"

# Since it produces a lot of logging when tracing, override the default log
# level for messages produced by one source file; for that file only, set
# the log level to "debug".
# NOTE(review): the original comment named "crypt.c" but the filter matches
# "crypto.c" -- confirm which file is meant.  Debug output from crypto code
# is verbose and belongs in the log only while a problem is being diagnosed.
LOG_FILTER 'filename exact debug "crypto.c"'

# Pause after a failed authentication attempt; slows online guessing.
AUTH_FAIL_DELAY_SECS 2

# With "no", credentials are not tied to the client's IP address.  "yes"
# limits reuse of a captured cookie from another address but is known to
# break clients behind NAT or proxies -- choose per deployment.
VERIFY_IP "no"

# Override this if you must, but this default will avoid potential problems
# and assorted complications if a request can be associated with multiple
# identities
ACS_CREDENTIALS_LIMIT "1"

# The backward compatible default is to chuck the arguments and continue
# if there is a problem with POST arguments
#ACS_POST_EXCEPTION_MODE "discard"

# Credential lifetimes: administrative credentials expire after 20 seconds,
# ordinary credentials after 43200 seconds (12 hours).
AUTH_CREDENTIALS_ADMIN_LIFETIME_SECS "20"
AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS "43200"

# Optional: A single DACS username eligible for administrative rights
# This directive may be repeated to define multiple admins
#ADMIN_IDENTITY "METALOGIC:rmorriso"

# Default access control handlers
# Note that these error handlers use local web-paths (relative to the
# DocumentRoot), not full file pathnames. For the default configuration to
# work properly, they require an Apache Alias directive to be configured to map
# "/handlers" to "${Conf::DACS_HOME}/www/handlers".
ACS_ERROR_HANDLER "* /handlers/acs_failed.html"

# Default authentication and signout handlers
# Since these are relative URLs, the Alias directive must be used as
# explained above.
# Note that the syntaxes of these directives are different from that of
# ACS_ERROR_HANDLER.
# NOTE(review): dacs_prenv appears to be a diagnostic program that displays
# the request environment; the commented-out auth_ok.html handler is the
# usual choice outside testing -- confirm this is intended.
#AUTH_SUCCESS_HANDLER "url /handlers/auth_ok.html"
AUTH_SUCCESS_HANDLER "url /cgi-bin/dacs/dacs_prenv"
AUTH_ERROR_HANDLER "* url /handlers/auth_failed.html"
SIGNOUT_HANDLER "url /handlers/signout_ok.html"

# These handlers can only be URLs (absolute or relative)
NOTICES_ACCEPT_HANDLER "/handlers/notices_accepted.html"
NOTICES_DECLINE_HANDLER "/handlers/notices_declined.html"
NOTICES_ACK_HANDLER ""
NOTICES_SECURE_HANDLER "yes"
NOTICES_WORKFLOW_LIFETIME_SECS 120
NOTICES_NAT_NAME_PREFIX "NAT-DACS"

# Program used for outbound SSL/TLS connections (e.g. to other jurisdictions).
SSL_PROG "${Conf::DACS_HOME}/bin/sslclient"
# Override this if you need it - this example is undoubtedly incorrect
# SSL_PROG_CA_CRT must name the CA that actually signed the peer server
# certificates, or sslclient cannot verify them; the spi-inc.org bundle
# below is a site-specific choice, not a DACS default.
#SSL_PROG_CA_CRT "${Conf::APACHE_HOME}/conf/dacs.example.com/ssl.crt/server.crt"
SSL_PROG_CA_CRT "/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt"

# The default digest algorithm to use for DACS password entries
# SHA1 is the compatibility default; if the installed DACS version offers a
# stronger digest for new entries, prefer it (see dacspasswd(1)).
PASSWORD_DIGEST "SHA1"

# The URLs for schemas and DTDs used by DACS
# Configure for your environment
XSD_BASE_URL "/dtd-xsd"
DTD_BASE_URL "/dtd-xsd"

# The location of a directory containing the DTDs
VFS "[dtds]dacs-fs:${Conf::DACS_HOME}/www/dtd-xsd"

# The location of a file containing federation-wide encryption keys
# This file and the jurisdiction keyfile below hold secret key material:
# they should be readable only by the account the web server runs as.
VFS "[federation_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/federation_keyfile"

# The location of a file containing jurisdiction-specific encryption keys
VFS "[jurisdiction_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/jurisdiction_keyfile"

# The location of a directory containing the revocation file ("revocations")
VFS "[revocations]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls/revocations"

# The location of the root directory containing jurisdictional ACLs
VFS "[acls]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/acls"

# The location of the root directory containing default ACLs for DACS services
# (this installation keeps them under /etc/dacs rather than ${Conf::DACS_HOME})
#VFS "[dacs_acls]dacs-fs:${Conf::DACS_HOME}/acls"
VFS "[dacs_acls]dacs-fs:/etc/dacs/acls"

# The location of the root directory for groups
VFS "[groups]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/groups"

# The pseudo-type mounted on the DACS password file
VFS "[passwds]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/passwd"

# The pseudo-type mounted on the DACS roles file
VFS "[roles]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/roles"

# For dacstoken/local_token_authenticate
# The auth_token_keys files are key material as well; same permissions
# remark as for the federation and jurisdiction keyfiles.
VFS "[auth_token]dacs-kwv-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_tokens"
VFS "[auth_token_keys]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys"
VFS "[auth_token_keys_prev]dacs-fs:${Conf::FEDERATIONS_ROOT}/${Conf::FEDERATION_DOMAIN}/${Conf::JURISDICTION_NAME}/auth_token_keys.prev"

# This partially determines when a user agent will send a DACS cookie.
# Set it to the most specific URL path under which all DACS-wrapped
# services appear. This is particularly important if some CGI programs
# at the jurisdiction are not trusted, since they might be used to steal
# DACS identities.
# NOTE(review): "/" is the least specific path, so every CGI on this host
# receives the cookie.  If all DACS-wrapped services live under
# ${Conf::dacs_cgi_bin_prefix} ("/cgi-bin/dacs" above), that prefix is the
# tighter choice.
COOKIE_PATH "/"

# Program used for outbound plain HTTP requests.
HTTP_PROG "${Conf::DACS_HOME}/bin/http"

# InfoCard-related defaults
# This assumes there is an Apache 'Alias' directive; e.g.,
# Alias /infocards "/usr/local/dacs/www/infocards/"
# NOTE(review): INFOCARD_CARD_IMAGE_BASE_URL is given a filesystem path here
# although its name and the Alias above suggest a URL such as "/infocards";
# confirm against dacs.conf(5).
INFOCARD_CARD_IMAGE_BASE_URL "${Conf::DACS_HOME}/www/infocards"
INFOCARD_CARD_OUTPUTDIR "${Conf::DACS_HOME}/www/infocards/output"
INFOCARD_IP_PRIVACY_URL "/infocards/managed_privacy_default.txt"
INFOCARD_IP_PRIVACY_VERSION "1"