[cvs] [Wiki] changed: CASAuthHowTo

Wiki Guest wikiguest at horde.org
Tue Jun 20 06:19:02 PDT 2006


guest [134.58.253.114]  Tue, 20 Jun 2006 06:19:02 -0700

Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision:  1.1
Change log:  1

@@ -1,26 +1,23 @@
 + CAS Authentication !HowTo
 
 ++ WORK IN PROGRESS
 
-   Jan Vander Velpen aka Velpi (who did all the work)
+   Jan Van der Velpen aka Velpi (who did all the work)
    Peter Arien aka Kaos99 (who just likes playing around with Horde)
   Thanks go to the [http://www.ja-sig.org/products/cas/ Ja-Sig] and the [http://esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_install.html ESUP] people!!
 
 [http://www.kuleuven.be/ Our university] is working towards a complete AAI (Authentication and Authorization Infrastructure) implementation. For web applications we are using the [http://shibboleth.internet2.edu/ Shibboleth architecture]. But as you can read in [ShibbolethAuthHowTo the Shibboleth Authentication HowTo],  a big problem with AAI and webapplications is authentication on the backend (with Horde/IMP that would be the mailservers). What we needed was a way to prevent the password passing the webmail servers AND the mailservers.
 
 Enter CAS. 
 
-One of the authentication backends in our AAI is a CAS server (http://www.ja-sig.org/products/cas/index.html). We used the ESUP pam module (referenced [http://www.ja-sig.org/wiki/display/CAS/PAM+Module here]) to let our mailservers use the CAS server as a possible authentication service. 
-
-Here's how the cas lines in our mailserver pam-config looks like:
+We chose to use CAS (http://www.ja-sig.org/products/cas/index.html) as an authentication mechanism on top of Shibboleth. Because both Shibboleth and CAS do the initial authentication at the CAS server, users will see it is one integrated SSO system.
 
+First we used the ESUP pam module (referenced [http://www.ja-sig.org/wiki/display/CAS/PAM+Module here]) to let our mailservers use the CAS server as a possible authentication service. Here's how the cas lines in our mailserver pam-config looks like:
 {{/etc/pam.conf:}}
-
 <code> imap    auth    sufficient      /usr/lib/security/pam_cas.so -simap://127.0.0.1 -f/etc/pam_cas.conf
  imap    auth    sufficient      /usr/lib/security/pam_ldap.so try_first_pass
 </code>
-
 {{/etc/pam_cas.conf:}}
 
 <code> host cas.example.com
  port 80
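Review bot: the sentence "Here's how the cas lines in our mailserver pam-config looks like" in the added paragraph should read "Here is what the CAS lines in our mail server PAM config look like", and it should say what the module does with the password field, since the rest of the page only explains much later (in the PT note near the end) that pam_cas treats the supplied password as a CAS proxy ticket and validates it against the `host`/`port` in /etc/pam_cas.conf. It would also help readers to point out that both lines are `sufficient`, so a login attempt that is not a valid ticket falls through to `pam_ldap.so try_first_pass` with the same credential, which is the intended behaviour but is not stated.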
@@ -29,12 +26,16 @@
  debug off
  proxy https://webmail.example.com/hordecas/casProxy.php
  trusted_ca /etc/pki/example.com.chain
 </code>
+note that this configuration means we're validating the PT to our CAS server at port 80 (regular http), which isn't the best thing to do considering security, but it saves quite some CPU cycles.
+If you're not sure about the network between your IMAP and CAS server then certainly use SSL, port 443 and trusted_ca!
+
+
 
 Next step was to make the ESUP Horde CAS authentication driver work on our webmail servers using Horde 3.1.1 and IMP 4.1.2. 
 
-For now I'l just copy/paste Velpi's notes:
+For now I'l just copy/paste Velpi's *notes*:
 <code>
 HOWTO CASify HORDE3 AND IMP4 [Velpi;20051201, Kaos99; 20060620, ...]
 ############################
 
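Review bot: the added note under the pam_cas.conf block understates the risk of `port 80`: with plain HTTP the IMAP server has no way to authenticate the CAS server it is talking to, so anything on the network path that can answer the validation request decides whether a ticket is accepted, and the `trusted_ca /etc/pki/example.com.chain` line shown just above has no effect until validation goes over https on 443. Suggest rewording the note to say that explicitly, e.g. "trusted_ca is only used when the validation URL is https; on port 80 the validation response is unauthenticated", and dropping the three trailing empty `+` lines added after it.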
@@ -70,9 +71,9 @@
 If you see an error in CAS logs about a missing PGTIou then you did this wrong in this step.
 
 2) install phpCAS library in horde
 NOTE:
-* phpCAS uses domxml for php4.3, php5 means phpCAS has be patched (should be easy though)
+* phpCAS uses domxml for php4.3, php5 means phpCAS will use a conversion class automatically BUT the CAS driver for Horde has be patched: just commenting the check for domxml does the trick ;)
 It is easier to copy the CAS files from the esup-horde package. It contains some horde-specific glue code that you will need in the next step (http://www.esup-portail.org/consortium/espace/download/horde/).
 [change the path to your horde/php lib dir accordingly]
 mkdir $HORDE_DIR/lib/CAS/ 
 -when using the esup-horde package: cp -r source/phpCAS/* $HORDE_DIR/lib/CAS/
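Review bot: the rewritten phpCAS/php5 bullet says "just commenting the check for domxml does the trick" but never names the file or the check in the Horde CAS driver that is commented out, so a reader cannot reproduce the patch; add the file path and the lines concerned (the page's own step 2 path is `$HORDE_DIR/lib/CAS/`). The bullet should also state that removing the check only works because phpCAS loads its conversion class automatically under php5, so the reader should verify that class is actually loaded before disabling the guard. Minor: "has be patched" should read "has to be patched".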
@@ -323,9 +324,9 @@
 
 ---------------------------------------
 Please note that CAS will request a PT for the service that it is trying to connect to.
 This means that the IMAP server that checks the PT needs to do that with the same service name as the ticket was requested for!
-(when using an IMAPPROXY, which you should, the service name will be "imap://localhost")
+(when using an IMAPPROXY -which you should- the service name will be "imap://127.0.0.1" or "imap://localhost")
 
 
 --INSTALL COMPLETED--
 
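Review bot: the changed line offers two service names, "imap://127.0.0.1" or "imap://localhost", but the PT is bound to exactly one service string, and the pam_cas line earlier on this page passes `-simap://127.0.0.1`; the note should say that the service name Horde requests the PT for must be byte-for-byte identical to the `-s` value in /etc/pam.conf, and then give only the one that matches this page's configuration (or say to pick whichever one is set in `-s`). Minor style: use parentheses or commas rather than "-which you should-" around the aside.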
@@ -335,4 +336,8 @@
 * at horde server: logfile of CAS that you specified (needs to be writable by user that runs PHP/horde), possibly apache on SSL errors
 * you might want to check imapproxy logs (also see "pimpstat")
 * at IMAP: /var/log/auth.log and /var/log/syslog
 </code>
+
+
+note:
+we also try to keep some files and documentation about this available at http://shib.kuleuven.be/docs/horde3-cas/
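Review bot: the added "note:" block is separated from the closing `</code>` by two empty `+` lines and a bare label; fold it into a single sentence such as "We also keep the files and documentation for this setup (including the patched CAS driver from step 2) at http://shib.kuleuven.be/docs/horde3-cas/" so readers know what to expect there. Since the troubleshooting list above points at the CAS log file Horde writes, it would be worth adding that the file should be readable only by the PHP/Horde user, not just writable by it.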

