rubycas-server 0.5.1 → 0.6.0

data/CHANGELOG.txt

@@ -1,3 +1,41 @@
+=== 0.6.0 :: 2008-03-28
+
+* Much of the supporting functionality that makes RubyCAS-Server
+  act as a well-behaved Linux service has been abstracted out
+  into its own library. This new library is called Picnic and is
+  now a gem dependency for RubyCAS-Server. You can find out more about
+  it at http://code.google.com/p/camping-picnic/.
+* The logout action will now accept a 'destination' parameter in lieu of
+  'service'. This means that if a 'destination' parameter is given with
+  some URL, the logout action will show the login form, allowing the user
+  to immedietly log back in to the service specified by 'destination'.
+* The logout action will now accept a 'url' parameter. If given, the logout
+  page will show a message indicating that the CAS session has been terminated
+  and instructing the user to click on a link to follow the given URL. If the
+  'url' parameter is given, the login form will NOT be shown on the logout
+  page (see above).
+* When an authentication failure occurs (because the user submitted
+  invalid credentials or the login ticket is missing), the server
+  now returns a 401 (Unauthorized) response instead of 200.
+* An encryption-enabled version of the SQL authenticator is now
+  available. For more info have a look at:
+  http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
+* Better compatibility with Oracle databases. The database migration 
+  no longer tries to create tables with long names when long
+  table names are not supported by the underlying database connector
+  (issue #15).
+* The server now automatically removes leading and trailing whitespace from
+  the username entered by users. Passwords however are left intact, with no
+  whitespace removed.
+* The server can now be configured to automatically downcase the
+  username entered by users (dowcase_username option). So if a user
+  enters "JSmith", the system will convert it to "jsmith" if the
+  downcase_username option is set to true.
+* The server can now be made to bind to a specific address. See the
+  :bind_address option in the config.example.yml file.
+* Fixed bug with ActiveRecord 2.0.2 where service tickets were not
+  being given a type (issue #37).
+
 === 0.5.1 :: 2007-12-20
 
 * Tickets generated by the server should now be a lot more secure.

data/Manifest.txt

@@ -12,15 +12,18 @@ lib/casserver/authenticators/active_directory_ldap.rb
 lib/casserver/authenticators/base.rb
 lib/casserver/authenticators/ldap.rb
 lib/casserver/authenticators/sql.rb
+lib/casserver/authenticators/sql_encrypted.rb
 lib/casserver/authenticators/test.rb
 lib/casserver/cas.rb
 lib/casserver/conf.rb
 lib/casserver/controllers.rb
+lib/casserver/environment.rb
 lib/casserver/models.rb
 lib/casserver/postambles.rb
 lib/casserver/utils.rb
 lib/casserver/version.rb
 lib/casserver/views.rb
+lib/rubycas-server.rb
 lib/themes/cas.css
 lib/themes/notice.png
 lib/themes/ok.png
@@ -35,18 +38,8 @@ lib/themes/urbacon/theme.css
 lib/themes/warning.png
 resources/init.d.sh
 setup.rb
+test/test_cas.rb
 test/test_casserver.rb
-vendor/camping-1.5.180/CHANGELOG
-vendor/camping-1.5.180/COPYING
-vendor/camping-1.5.180/README
-vendor/camping-1.5.180/Rakefile
-vendor/camping-1.5.180/lib/camping-unabridged.rb
-vendor/camping-1.5.180/lib/camping.rb
-vendor/camping-1.5.180/lib/camping/db.rb
-vendor/camping-1.5.180/lib/camping/fastcgi.rb
-vendor/camping-1.5.180/lib/camping/reloader.rb
-vendor/camping-1.5.180/lib/camping/session.rb
-vendor/camping-1.5.180/lib/camping/webrick.rb
 vendor/isaac_0.9.1/LICENSE
 vendor/isaac_0.9.1/README
 vendor/isaac_0.9.1/TODO

data/README.txt

@@ -1,6 +1,6 @@
 = RubyCAS-Server
 
-*Copyright*:: 2007 Urbacon Ltd.
+*Copyright*:: 2008 Urbacon Ltd.
 *Authors*::   Matt Zukowski <matt at roughest dot net>, Jason Zylks
 *Homepage*::  http://rubycas-server.googlecode.com
 

data/Rakefile

@@ -19,9 +19,9 @@ RUBYFORGE_PROJECT = "rubycas-server" # The unix name for your project
 HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
 
 DEPS = [
-#  ['camping', '>= 1.5'], # camping is now bundled with rubycas-server
   ['activesupport', '>= 1.4.0'],
-  ['activerecord', '>=1.15.3']
+  ['activerecord', '>=1.15.3'],
+  ['picnic', '>=0.6.3']
 ]
 
 

data/bin/rubycas-server

@@ -1,56 +1,25 @@
 #!/usr/bin/env ruby
 
-require 'optparse'
-
-local_casserver = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../lib/casserver.rb')
-if File.exists? local_casserver
-  # use local rubycas-server installation
-  $: << File.dirname(local_casserver)
-  path = File.dirname(local_casserver)+"/"
+if File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../vendor/picnic/lib'))
+  $: << picnic
+elsif File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../../picnic/lib'))
+  $: << picnic
 else
-  # use gem installation
-  path = ""
   require 'rubygems'
-  gem 'rubycas-server'
-end
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: rubycas-server [options]"
-
-  opts.on("-c", "--config FILE", "Use config file (default is /etc/rubycas-server/config.yml)") do |c|
-  	puts "Using config file #{c}"
-    $CONFIG_FILE = c
-  end
   
-  opts.on("-d", "--daemonize", "Run as a daemon (only when using webrick or mongrel)") do |c|
-    $DAEMONIZE = true
-  end
-
-  opts.on("-P", "--pid_file FILE", "Use pid file (default is /etc/rubycas-server/rubycas-server.pid)") do |c|
-    if $DAEMONIZE && !File.exists?(c)
-      puts "Using pid file '#{c}'"
-      $PID_FILE = c
-    elsif File.exists?(c)
-      puts "The pid file already exists.  Is rubycas-server running?\n" +
-      	"You will have to first manually remove the pid file at '#{c}' to start the server as a daemon."
-      exit 1
-    else
-      puts "Not running as Daemon.  Ignoring pid option"
-    end
-  end
-
-  opts.on_tail("-h", "--help", "Show this message") do
-    puts opts
-    exit
+  # make things backwards-compatible for rubygems < 0.9.0
+  unless Object.method_defined? :gem
+    alias gem require_gem
   end
   
-  opts.on_tail("-v", "--version", "Show version number") do
-  	require "#{path}casserver/version"
-    puts "rubycas-server-#{CASServer::VERSION::STRING}"
-    exit
-  end
-end.parse!
+  gem 'picnic'
+end
+
+require 'picnic/cli'
 
-$RUN = true
+cli = Picnic::Cli.new(
+  'rubycas-server',
+  :app_path => File.expand_path(File.dirname(File.expand_path(__FILE__)))
+)
 
-load "#{path}casserver.rb"
+cli.handle_cli_input

data/bin/rubycas-server-ctl

@@ -1,163 +1,22 @@
 #!/usr/bin/env ruby
 
-require 'optparse'
-
-@options = {}
-@options[:pid_file] = "/etc/rubycas-server/rubycas-server.pid"
-@options[:conf_file] = nil
-@options[:verbose] = false
-
-def start
-  # use local rubycas-server bin if it exists and is executable -- makes debugging easier
-  bin = File.dirname(File.expand_path(__FILE__)) + "/rubycas-server"
-
-  if File.exists?(bin)
-    exec = "ruby #{bin}"
-  else
-    exec = "rubycas-server"
-  end
+if File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../vendor/picnic/lib'))
+  $: << picnic
+elsif File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../../picnic/lib'))
+  $: << picnic
+else
+  require 'rubygems'
   
-  case get_state
-  when :ok
-    $stderr.puts "rubycas-server is already running"
-    exit 1
-  when :not_running, :empty_pid
-    $stderr.puts "The pid file '#{@options[:pid_file]}' exists but rubycas-server is not running." +
-      " The pid file will be automatically deleted for you, but this shouldn't have happened!"
-    File.delete(@options[:pid_file])
-  when :dead
-    $stderr.puts "The pid file '#{@options[:pid_file]}' exists but rubycas-server is not running." +
-      " Please delete the pid file first."
-    exit 1
-  when :missing_pid
-    # we should be good to go (unless the server is already running without a pid file)
-  else
-    $stderr.puts "rubycas-server could not be started. Try looking in the log file for more info."
-    exit 1
+  # make things backwards-compatible for rubygems < 0.9.0
+  unless Object.method_defined? :gem
+    alias gem require_gem
   end
-  	
-  cmd = "#{exec} -d -P #{@options[:pid_file]}"
-  cmd += " -c #{@options[:conf_file]}" if !@options[:conf_file].nil?
-  
-  puts ">>> #{cmd}" if @options[:verbose]
-  
-  output = `#{cmd}`
   
-  puts "<<< #{output}" if @options[:verbose]
-  
-  if s = get_state == :ok
-    exit 0
-  else
-    $stderr.puts "rubycas-server could not start properly! (#{s})\nTry running with the --verbose option for details." 
-    case s
-    when :missing_pid
-      exit 4
-    when :not_running
-      exit 3
-    when :dead
-      exit 1
-    else
-      exit 4
-    end
-  end
+  gem 'picnic'
 end
 
-def stop
-  if File.exists? @options[:pid_file]
-    pid = open(@options[:pid_file]).read.to_i
-    begin
-      Process.kill("TERM", pid)
-      exit 0
-    rescue Errno::ESRCH
-      $stderr.puts "rubycas-server process '#{pid}' does not exist."
-      exit 1
-    end
-  else
-    $stderr.puts "#{@options[:pid_file]} not found.  Is rubycas-server running?"
-    exit 4
-  end
-end
+require 'picnic/service_control'
 
-def status
-  case get_state
-  when :ok
-    puts "rubycas-server appears to be up and running."
-    exit 0
-  when :missing_pid
-    $stderr.puts "rubycas-server does not appear to be running (pid file not found)."
-    exit 3
-  when :empty_pid
-    $stderr.puts "rubycas-server does not appear to be running (pid file exists but is empty)."
-  when :not_running
-    $stderr.puts "rubycas-server is not running."
-    exit 1
-  when :dead
-    $stderr.puts "rubycas-server is dead or unresponsive."
-    exit 102
-  end
-end
-
-def get_state
-  if File.exists? @options[:pid_file]
-    pid = File.read(@options[:pid_file]).strip
-    
-    return :empty_pid unless pid and !pid.empty? # pid file exists but is empty
-    
-    state = `ps -p #{pid} -o state=`.strip
-    if state == ''
-      return :not_running
-    elsif state == 'R' || state == 'S'
-      return :ok
-    else
-      return :dead
-    end
-  else
-    # TODO: scan through the process table to see if server is running without pid file
-    return :missing_pid
-  end
-end
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: #{$0} (start|stop|restart) [options]"
-  opts.banner += "\nruby-server-ctl is only usable when using webrick or mongrel"
- 
-  opts.on("-c", "--config FILE", "Path to rubycas-server configuration file") { |value| @options[:conf_file] = value }
-  opts.on("-P", "--pid_file FILE", "Path to rubycas-server pid file") { |value| @options[:pid_file] = value }
-  opts.on('-v', '--verbose', "Print all called commands and output.") { |value| @options[:verbose] = value }
-
-  if ARGV.empty?
-    puts opts
-    exit
-  else
-    @cmd = opts.parse!(ARGV)
-    if @cmd.nil?
-      puts opts
-      exit
-    end
-  end
-end
-
-if !@options[:conf_file].nil? && !File.exists?(@options[:conf_file])
-  puts "Invalid path to rubycas-server configuration file: #{@options[:conf_file]}"
-  exit
-end
-
-case @cmd[0]
-when "start": 
-  puts "Starting rubycas-server..."
-  start
-when "stop":
-  puts "Stopping rubycas-server..."
-  stop
-when "restart":
-  puts "Restarting rubycas-server..."
-  stop
-  start
-when "status":
-  puts "Checking status of rubycas-server..."
-  status
-else
- puts "Invalid command. Usage: rubycas-server-ctl [-cPv] start|stop|restart|status"
-end
+ctl = Picnic::ServiceControl.new('rubycas-server')
 
-exit
+ctl.handle_cli_input

data/config.example.yml

@@ -1,39 +1,62 @@
 # IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
-# ---> Be sure to use spaces instead of tabs for indentation. Yaml is white-space sensitive!
+# ---> Be sure to use spaces instead of tabs for indentation. YAML is 
+#      white-space sensitive!
 
-##### SERVER ########################################################################
+##### SERVER ###################################################################
 
 # Under what environment are you running the CAS server? The following methods
 # are currently supported:
 #
 # webrick -- run as a stand-alone webrick server; this is the default method
-# mongrel -- run as a stand-alone mongrel server; fast, but you'll need to install
-#            mongrel and run it behind an https reverse proxy like Pound or Apache 2.2's mod_proxy)
-# cgi     -- slow, but simple to set up if you're already familliar with deploying CGI scripts
-# fastcgi -- see http://www.fastcgi.com (e.g. under Apache you can use this with mod_fastcgi)
+# mongrel -- run as a stand-alone mongrel server; fast, but you'll need to 
+#            install mongrel and run it behind an https reverse proxy like Pound 
+#            or Apache 2.2's mod_proxy)
+# cgi     -- slow, but simple to set up if you're already familliar with 
+#            deploying CGI scripts
+# fastcgi -- see http://www.fastcgi.com (e.g. under Apache you can use this with 
+#            mod_fastcgi)
 #
 # The cgi and fastcgi methods have not been thoroughly tested! 
 # Please report any problems to the authors.
 # 
-# IMPORTANT: If you use mongrel, you will need to run the server behind a reverse proxy 
-#            (Pound, Apache 2.2 with mod_proxy, etc.) since mongrel does not support SSL/HTTPS.
-#            See the RubyCAS-Server install docs for more info. Also, mongrel requries
-#            Camping 1.5.180 which as of writing is only available via SVN. You can install
-#            this by running `gem install camping --source code.whytheluckystiff.net`
+# IMPORTANT: If you use mongrel, you will need to run the server behind a 
+#            reverse proxy (Pound, Apache 2.2 with mod_proxy, etc.) since 
+#            mongrel does not support SSL/HTTPS. See the RubyCAS-Server install 
+#            docs for more info.
 
 ### webrick example
 
 server: webrick
 port: 443
 ssl_cert: /path/to/your/ssl.pem
-# ssl_key: /path/to/your/private_key.pem  <-- if private key is separate from cert
 
-### mongrel example (since mongrel doesn't support SSL on its own, you will have to run
-###  this behind an https reverse proxy)
+# If private key is separate from cert
+#ssl_key: /path/to/your/private_key.pem
+
+# By default the login page will be available at the root path 
+# (e.g. https://example.foo/). The uri_path option lets you serve it from a 
+# different path (e.g. https://example.foo/cas).
+#uri_path: /cas
+
+# Bind the server to a specific address. Use 0.0.0.0 to listen on all
+# available interfaces.
+#bind_address: 0.0.0.0
+
+### mongrel example (since mongrel doesn't support SSL on its own, you will have
+###  to run this behind an https reverse proxy)
 
 #server: mongrel
 #port: 110011
 
+# By default the login page will be available at the root path 
+# (e.g. https://example.foo/). The uri_path option lets you serve it from a 
+# different path (e.g. https://example.foo/cas).
+#uri_path: /cas
+
+# Bind the server to a specific address. Use 0.0.0.0 to listen on all
+# available interfaces.
+#bind_address: 0.0.0.0
+
 ### cgi example (you'll need to serve this via an SSL-capable server like Apache)
 
 #server: cgi
@@ -43,11 +66,12 @@ ssl_cert: /path/to/your/ssl.pem
 #server: fastcgi
 
 
-##### DATABASE #######################################################################
+##### DATABASE #################################################################
 
 # Set up the database connection. Make sure that this database is secure!
 # 
-# By default, we use MySQL, since it is widely used and does not require any additional
+# By default, we use MySQL, since it is widely used and does not require any 
+# additional
 # ruby libraries besides ActiveRecord.
 #
 # With MySQL, your config would be something like the following:
@@ -62,34 +86,39 @@ database:
   host: localhost
 
 #
-# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else supported 
-# by ActiveRecord.
+# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else 
+# supported by ActiveRecord.
 #
-# With SQLite3 (which does not require a separate database server), your configuration
-# would look something like the following (don't forget to install the 
-# sqlite3-ruby gem beforehand!):
+# With SQLite3 (which does not require a separate database server), your 
+# configuration would look something like the following (don't forget to install 
+# the sqlite3-ruby gem beforehand!):
 #
 #database:
 #  adapter: sqlite3
 #  dbfile: /var/lib/casserver.db
   
 
-##### AUTHENTICATION #################################################################
+##### AUTHENTICATION ###########################################################
 
 # Configure how username/passwords are validated.
 #
-# !!! YOU MUST CONFIGURE ONE (AND ONLY ONE) OF THESE AUTHENTICATION METHODS !!!
+# !!! YOU MUST CONFIGURE ONE OF THESE AUTHENTICATION METHODS !!!
 #
 # Currently there are three built-in methods for authentication:
-# SQL, ActiveDirectory, and LDAP. If none of these work for you, it is relatively
-# easy to write your own custom Authenticator class.
+# SQL, ActiveDirectory, and LDAP. If none of these work for you, it is 
+# relatively easy to write your own custom Authenticator class.
+#
+# === SQL Authentication =======================================================
 #
-# ==> SQL Authentication:
 # The simplest method is to validate against a SQL database. This assumes
 # that all of your users are stored in a table that has a 'username' column
 # and a 'password' column. When the user logs in, CAS conects to this database
-# and look for a matching username/password in the users table. If a matching
+# and looks for a matching username/password in the users table. If a matching
 # username and password is found, authentication is successful.
+#
+# If you prefer to have your passwords stored in an encrypted form, have a 
+# look at the SQLEncrypted authenticator: 
+# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
 # 
 # Example:
 #
@@ -101,12 +130,13 @@ database:
 #    username: root
 #    password: 
 #    server: localhost
-#  user_table: user
+#  user_table: users
 #  username_column: username
 #  password_column: password
 #
 #
-# ==> ActiveDirectory Authentication:
+# === ActiveDirectory Authentication ===========================================
+#
 # This method authenticates against Microsoft's Active Directory using LDAP.
 # You must enter your ActiveDirectory server, and base DN. The port number
 # and LDAP filter are optional. You must also enter a CN and password
@@ -137,12 +167,13 @@ database:
 # omit the auth_user and auth_password values in the above example.
 #
 #
-# ==> LDAP Authentication:
+# === LDAP Authentication ======================================================
+#
 # This is a more general version of the ActiveDirectory authenticator.
 # The configuration is similar, except you don't need an authenticator
 # username or password. Note that this authenticator hasn't been widely
 # tested, so it is not guaranteed to work.
-#
+#=====
 #authenticator:
 #  class: CASServer::Authenticators::ActiveDirectoryLDAP
 #  ldap:
@@ -152,19 +183,21 @@ database:
 #    filter: (objectClass=person)
 #
 #
-# ==> Custom Authentication:
+# === Custom Authentication ====================================================
+#
 # It should be relatively easy to write your own Authenticator class. Have a look
 # at the built-in authenticators in the casserver/authenticators directory. Your
 # authenticator should extend the CASServer::Authenticators::Base class and must
-# implement a validate() method that takes a single hash argument. When the user submits
-# the login form, the username and password they entered is passed to validate()
-# as a hash under :username and :password keys. In the future, this hash
-# might also contain other data such as the domain that the user is logging in to.
+# implement a validate() method that takes a single hash argument. When the user 
+# submits the login form, the username and password they entered is passed to 
+# validate() as a hash under :username and :password keys. In the future, this 
+# hash might also contain other data such as the domain that the user is logging 
+# in to.
 #
-# To use your custom authenticator, specify it's class name and path to the source file 
-# in the authenticator section of the config. Any other parameters you specify in the 
-# authenticator configuration will be passed on to the authenticator and made availabe in
-# the validate() method as an @options hash.
+# To use your custom authenticator, specify it's class name and path to the 
+# source file in the authenticator section of the config. Any other parameters 
+# you specify in the authenticator configuration will be passed on to the 
+# authenticator and made availabe in the validate() method as an @options hash.
 #
 # Example:
 #
@@ -174,10 +207,11 @@ database:
 #  option_a: foo
 #  another_option: yeeha
 #
-# ==> Multiple Authenticators
-# If you need to have more than one source for authentication, such as an LDAP directory
-# and a database, you can use multiple authenticators by making :authenticator an array
-# of authenticators.
+# === Multiple Authenticators ==================================================
+#
+# If you need to have more than one source for authentication, such as an LDAP 
+# directory and a database, you can use multiple authenticators by making 
+# :authenticator an array of authenticators.
 #
 #authenticator:
 #  -
@@ -203,15 +237,17 @@ database:
 # authenticator and on failure fall through to the second authenticator.
 #
 
-##### LOOK & FEEL ######################################################################
+
+##### LOOK & FEEL ##############################################################
 
 # Set the path to the theme directory that determines how your CAS pages look. 
 #
-# Custom themes are not well supported yet, but will be in the near future. In the
-# meantime, if you want to create a custom theme, you can create a subdirectory
-# under the CASServer's themes dir (for example, '/usr/lib/ruby/1.8/gems/casserver-xxx/lib/themes',
-# if you installed CASServer on Linux as a gem). A theme is basically just a theme.css
-# file that overrides the themes/cas.css styles along with a collection of image files
+# Custom themes are not well supported yet, but will be in the near future. In 
+# the meantime, if you want to create a custom theme, you can create a 
+# subdirectory under the CASServer's themes dir (for example, 
+# '/usr/lib/ruby/1.8/gems/casserver-xxx/lib/themes', if you installed CASServer 
+# on Linux as a gem). A theme is basically just a theme.css file that overrides 
+# the themes/cas.css styles along with a collection of image files
 # like logo.png and bg.png.
 #
 # By default, we use the 'simple' theme which you can find in themes/simple.
@@ -220,15 +256,18 @@ theme: simple
 # The name of your company/organization. This will show up on the login page.
 organization: CAS
 
-# A short bit of text that shows up on the login page. You can make this blank if you prefer.
+# A short bit of text that shows up on the login page. You can make this blank 
+# if you prefer to have no extra text shown at the bottom of the login box.
 infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
 
 # Custom views file.  Overrides methodes in lib/casserver/views.rb
 #custom_views_file: /path/to/custom/views.rb
 
-##### LOGGING #########################################################################
 
-# Configure general logging. This log is where you'll want to look in case of problems.
+##### LOGGING ##################################################################
+
+# Configure general logging. This log is where you'll want to look in case of 
+# problems.
 #
 # You may want to change the file to something like /var/log/casserver.log
 # Set the level to DEBUG if you want more detailed logging.
@@ -239,31 +278,41 @@ log:
 
 
 # If you want full database logging, uncomment this next section.
-# Every SQL query will be logged here. This is useful for debugging database problems.
+# Every SQL query will be logged here. This is useful for debugging database 
+# problems.
 #
 #db_log:
 #  file: /var/log/casserver_db.log
 
 
-##### OTHER ###########################################################################
+##### OTHER ####################################################################
 
 # You can set various ticket expiry times (specify the value in seconds).
 
-# Expired login and service tickets are no longer usable this many seconds after they 
-# are created. (Defaults to 5 minutes)
+# Expired login and service tickets are no longer usable this many seconds after 
+# they are created. (Defaults to 5 minutes)
 
 #login_ticket_expiry: 300
 #service_ticket_expiry: 300
 
-# Proxy- and ticket-granting tickets do not expire -- normally they are made invalid only 
-# when the user logs out. But the server must periodically delete them to prevent buildup of
-# stale data. PGTs and TGTs will be deleted during server startup if they are this many
-# seconds old. (Defaults to 48 hours)
+# Proxy- and ticket-granting tickets do not expire -- normally they are made 
+# invalid only when the user logs out. But the server must periodically delete 
+# them to prevent buildup of stale data. PGTs and TGTs will be deleted during 
+# server startup if they are this many seconds old. (Defaults to 48 hours)
 
 #proxy_granting_ticket_expiry: 172800
 #ticket_granting_ticket_expiry: 172800
 
-# If you would prefer that ticket-granting ticket expiry be enforced (in effect limiting
-# the maximum length of a session), you can set expire_sessions to true.
+# If you would prefer that ticket-granting ticket expiry be enforced (in effect 
+# limiting the maximum length of a session), you can set expire_sessions to true.
+
+#expire_sessions: false
+
+
+# If you want the usernames entered on the login page to be automatically 
+# downcased (converted to lowercase), enable the following option. When this 
+# option is set to true, if the user enters "JSmith" as their username, the 
+# system will automatically
+# convert this to "jsmith".
 
-# expire_sessions: false
+#downcase_username: true