[cvs] [Wiki] changed: CASAuthHowTo
Wiki Guest
wikiguest at horde.org
Wed Jun 21 03:13:35 PDT 2006
guest [134.58.253.114] Wed, 21 Jun 2006 03:13:33 -0700
Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision: 1.3
Change log: added optional steps
@@ -66,8 +66,9 @@
SSLCACertificateFile /etc/pki/ca_cert.pem
#----added
---------------------------------
If you see an error in CAS logs about a missing PGTIou then you did this wrong in this step.
+
2) install phpCAS library in horde
NOTE:
* phpCAS uses domxml for php4.3, php5 means phpCAS will use a conversion class automatically BUT the CAS driver for Horde has be patched: just commenting the check for domxml does the trick ;)
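Review bot: the only change in this hunk is the added blank line, but the unchanged context it sits in has a grammar slip worth fixing in the same edit: "the CAS driver for Horde has be patched" should read "has to be patched", and "just commenting the check for domxml" would be clearer as "commenting out the domxml check in the driver". The line "you did this wrong in this step" should also name what "this step" is (the HTTPS/CA setup with SSLCACertificateFile just above, which the PGT callback depends on), so a reader who sees the missing PGTIou error knows where to look.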
@@ -76,85 +77,36 @@
mkdir $HORDE_DIR/lib/CAS/
-when using the esup-horde package: cp -r source/phpCAS/* $HORDE_DIR/lib/CAS/
-when using a separate phpCAS (http://esup-phpcas.sourceforge.net/): cp -r source/CAS/* $HORDE_DIR/lib/CAS/
-3) install horde glue-code for phpCAS
+
+3) install horde driver and proxyticketReceptor script for phpCAS
If you do not have it yet, the code can be found in the esup-horde-cas package. It is easier to extract that package and copy it from there.
[the CAS auth driver for horde]
cp $CAS_DIR/cas.php $HORDE_DIR/lib/Horde/Auth/
-[the callback url for the PGT]
+[the callback url for the PGT=proxyticketReceptor]
cp $CAS_DIR/casProxy.php $HORDE_DIR/
-IMPORTANT NOTE:
-If you installed the latest phpCAS library (0.4.20+) and you are using the gluecode from the ESUP package, then you need to edit the cas.php:
+//--
+IMPORTANT NOTES:
+
+If you use the latest phpCAS library (0.4.20+) and you are using the gluecode from the ESUP package, then you need to edit the cas.php:
every call to isAuthenticated() needs to be replaced by a call to checkAuthentication()
-4) patch horde
-notes:
-* horde uid (login name) will be the CAS netId when authenticated
-* CAS does no authorisation, everybody that can login to CAS, can enter horde (if no extra measures are taken, see next topic)
+on PHP5: comment the DOM checking in cas.php
-enable configuration settings for horde auth:
----------horde/config/conf.xml---------
-@@ -132,6 +132,19 @@
- </configdescription>
- </case>
-+ <case name="cas" desc="CAS authentication">
-+ <configsection name="params">
-+ <configstring name="hostspec" desc="The hostname of the CAS server">cas.kuleuven.be</configstring>
-+ <configinteger name="hostport" desc="The HTTPS Port of the CAS server">443</configinteger>
-+ <configstring name="hostpath" desc="The root web path of the CAS server" required="false">cas</configstring>
-+ <configstring name="proxyback" desc="The proxy URL of horde">https://webmail.kuleuven.be/horde3/casProxy.php</configstring>
-+ <configstring name="tmpdir" desc="Temporary">/tmp</configstring>
-+ <configboolean name="authorisation" desc="Use hook for authorisation (function _cas_hook_authorisation)">false</configboolean>
-+ <configboolean name="debug" desc="Debugging">false</configboolean>
-+ <configstring name="debug_file" desc="Debugging file">/tmp/phpCAS.log</configstring>
-+ </configsection>
-+ </case>
-+
- <case name="ftp" desc="FTP authentication">
- <configsection name="params">
- <configstring name="hostspec" desc="The hostname or IP address of the FTP
----------------------------------------
+on CAS3: change regex matches for "PT" (also) to "ST"
+CAS2: ST, PGT, PT
+CAS3: ST, TGT (PT's are now regular STs and PGTs are now TGTs)
+//--
+4) set IMP to use horde credentials
+/imp/config/server.php
+hordeauth => true
-5) patch horde's hooks if you want authorisation (=check user with another backend)
-note: this has nothing to do with AUTHENTICATION! Meaning you don't need this to get CAS working.
-note: this is a configurable option (in horde config)
-don't forget to configure this correctly if you want to use it (eg LDAP settings)
----------horde/config/hooks.php---------
-if (!function_exists('_cas_hook_authorisation')) {
- function _cas_hook_authorisation($username = null)
- {
- if(empty($username)) {
- return(false);
- }
- $ldapServer = '__LDAP_HOST__';
- $ldapPort = '__LDAP_PORT__';
- $searchBase = '__LDAP_BASEDN__';
- $filter = "(&(uid=%s)(objectclass=eduPerson)(mail=*))";
- if(! $ds = @ldap_connect($ldapServer, $ldapPort)){
- return(false);
- }
-
- $filter = sprintf($filter,$username );
-
- $searchResult = ldap_search($ds, $searchBase, $filter,array('uid'));
-
- $information = @ldap_get_entries($ds, $searchResult);
- @ldap_free_result($searchResult);
- @ldap_close($ds);
-
- if(!is_array($information) || $information['count']!=1) return(false);
- return(true);
- }
-}
----------------------------------------
-
-6) patch IMP
-IMP has to request a new PT if necessary (PT are only valid for ONE login at the IMAP)
+5) patch IMP: IMP has to request a new PT if necessary (PT are only valid for ONE login at the IMAP)
notes:
* hordeauth=true => horde "pass" will be a PT that phpCAS has already requested
* imapproxy HAS to be used, else IMP will need to detect that this PT is invalid for login and request a new one FOR EACH REQUEST! [imapproxy solves this problem smoothly, don't hesitate to use it; SASLauthd should solve this too if you are using a cyrus IMAP backend or so]
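Review bot: the new step 4 says "/imp/config/server.php" while the unchanged context in the next hunk says "imp/config/servers.php"; one of the two is a typo and the filename should be the same in both places. The two new notes inside the "//--" block are too terse to act on: "on PHP5: comment the DOM checking in cas.php" and "on CAS3: change regex matches for "PT" (also) to "ST"" should each quote the line of cas.php being edited and, for the CAS3 case, state the reason given two lines later (in CAS3 a proxy ticket carries the ST prefix, so the pattern must accept both ST and PT rather than dropping PT). The "//--" markers are also a new separator style; the rest of the page uses "-----" rules, so use those.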
@@ -283,48 +235,139 @@
+ $imapclient->logout();
+*/
-7) configure horde to use CAS
+6) configure horde to use CAS
note: don't forget to tell IMP to try hordeauth (imp/config/servers.php)
you might want to use the built-in administration tools, but real men do it with vi ;)
enabling CAS is easy now, just tell horde to use it:
--------horde/config/conf.php---------- [part of! replace the auth thingies with something like this]
-
-//make sure horde won't put the CAS login screen in a frame, this will seriously scramble the browser window :(
+//make sure horde won't put the CAS login screen in a frame, this will seriously mess up the browser window :(
$conf['menu']['always'] = false
-//yup, we're using cas now
-$conf['auth']['driver'] = 'cas';
//please make me admin
-$conf['auth']['admins'] = array('Administrator','velpi');
-$conf['auth']['checkip'] = true;
-$conf['auth']['checkbrowser'] = true;
-$conf['auth']['alternate_login'] = false;
+$conf['auth']['admins'] = array('u0049919');
+...
+//checkip is nice, but not when you're using NAT so turn it off :s
+$conf['auth']['checkip'] = false;
+...
//host name of your CAS server
-$conf['auth']['params']['hostspec'] = 'cas.example.com';
+$conf['auth']['params']['hostspec'] = 'myCASserver';
//most likely 443
$conf['auth']['params']['hostport'] = 443;
//the part that comes after the hostname eg 'cas' in https://myCASserver/cas
$conf['auth']['params']['hostpath'] = 'cas';
//the script that will receive PT's (part of phpCAS)
-$conf['auth']['params']['proxyback'] = 'https://webmailtest.example.com/hordecas/casProxy.php';
+$conf['auth']['params']['proxyback'] = 'https://thisHORDEserver/horde/casProxy.php';
//PT's can be saved in a database too if you like; but a writable dir is fine
//note: should be writable by user that runs PHP/horde
$conf['auth']['params']['tmpdir'] = '/tmp';
+
//hooks into horde's as an ACL check (eg to LDAP); see hooks.php
$conf['auth']['params']['authorisation'] = false;
+
//you will need to see some logs at first to check everything, fairly verbose though
$conf['auth']['params']['debug'] = true;
//note: should be writable by user that runs PHP/horde
-$conf['auth']['params']['debug_file'] = '/tmp/hordecas.log';
-//our cas server knows how to invalidate the PT (yes, that is a CAS logout)
-$conf['auth']['redirect_on_logout'] = 'https://cas.example.com/shibboleth-idp/logout.jsp?return=http://www.example.com/';
+$conf['auth']['params']['debug_file'] = '/tmp/hordeaai-cas.log';
+//yup, we're using cas now
+$conf['auth']['driver'] = 'cas';
+
+...
+$conf['log']['name'] = '/tmp/hordeaai.log';
---------------------------------------
Please note that CAS will request a PT for the service that it is trying to connect to.
This means that the IMAP server that checks the PT needs to do that with the same service name as the ticket was requested for!
(when using an IMAPPROXY -which you should- the service name will be "imap://127.0.0.1" or "imap://localhost")
+
+
+7) patch horde configuration interface
+notes:
+* horde uid (login name) will be the CAS netId when authenticated
+* CAS does no authorisation, everybody that can login to CAS, can enter horde (if no extra measures are taken, see next topic)
+
+enable configuration settings for horde auth:
+---------horde/config/conf.xml---------
+@@ -132,6 +132,19 @@
+ </configdescription>
+ </case>
++ <case name="cas" desc="CAS authentication">
++ <configsection name="params">
++ <configstring name="hostspec" desc="The hostname of the CAS server">cas.kuleuven.be</configstring>
++ <configinteger name="hostport" desc="The HTTPS Port of the CAS server">443</configinteger>
++ <configstring name="hostpath" desc="The root web path of the CAS server" required="false">cas</configstring>
++ <configstring name="proxyback" desc="The proxy URL of horde">https://webmail.kuleuven.be/horde3/casProxy.php</configstring>
++ <configstring name="tmpdir" desc="Temporary">/tmp</configstring>
++ <configboolean name="authorisation" desc="Use hook for authorisation (function _cas_hook_authorisation)">false</configboolean>
++ <configboolean name="debug" desc="Debugging">false</configboolean>
++ <configstring name="debug_file" desc="Debugging file">/tmp/phpCAS.log</configstring>
++ </configsection>
++ </case>
++
+ <case name="ftp" desc="FTP authentication">
+ <configsection name="params">
+ <configstring name="hostspec" desc="The hostname or IP address of the FTP
+---------------------------------------
+
+
+
+8) patch horde's hooks if you want authorisation (=check user with another backend)
+note: this has nothing to do with AUTHENTICATION! Meaning you don't need this to get CAS working.
+note: this is a configurable option (in horde config)
+don't forget to configure this correctly if you want to use it (eg LDAP settings)
+---------horde/config/hooks.php---------
+if (!function_exists('_cas_hook_authorisation')) {
+ function _cas_hook_authorisation($username = null)
+ {
+ if(empty($username)) {
+ return(false);
+ }
+
+ $ldapServer = '__LDAP_HOST__';
+ $ldapPort = '__LDAP_PORT__';
+ $searchBase = '__LDAP_BASEDN__';
+ $filter = "(&(uid=%s)(objectclass=eduPerson)(mail=*))";
+
+ if(! $ds = @ldap_connect($ldapServer, $ldapPort)){
+ return(false);
+ }
+
+ $filter = sprintf($filter,$username );
+
+ $searchResult = ldap_search($ds, $searchBase, $filter,array('uid'));
+
+ $information = @ldap_get_entries($ds, $searchResult);
+ @ldap_free_result($searchResult);
+ @ldap_close($ds);
+
+ if(!is_array($information) || $information['count']!=1) return(false);
+ return(true);
+ }
+}
+---------------------------------------
+
+
+
+[optional steps]
+
+*) redirect on logout (highly recommended)
+Logging out is a little less easy when using a WebISO since it will automatically re-login when there is still a session with the central server.
+A simple workaround is to make the redirect on logout link to a location that doesn't need authentication.
+----horde/config/conf.php----
+...
+$conf['auth']['redirect_on_logout'] = 'http://cas.example.be/cas/logout';
+// or $conf['auth']['redirect_on_logout'] = 'https://idp.example.be/shibboleth-idp/logout.jsp?return=http://webmail.example.be';
+...
+---------------------------------------
+
+*) adjust the standard login page (recommended)
+You might want to adjust this page so it doesn't show a login box when using CAS.
+----horde/config/conf.php----
+$conf['auth']['alternate_login'] = 'http://cas.example.be/cas/login?service=https://'.$_SERVER['SERVER_NAME'].'/hordeaai';
+---------------------------------------
+
+
--INSTALL COMPLETED--
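Review bot: in the re-added hooks.php block, "$filter = sprintf($filter,$username );" puts the username into the LDAP filter unescaped; even though the value is the CAS netId of an authenticated user, a name containing "*", "(", ")" or "\" changes the meaning of "(&(uid=%s)(objectclass=eduPerson)(mail=*))", so escape those characters before sprintf. The hook also never calls ldap_bind, so it silently depends on the directory allowing anonymous search, and since ldap_connect does not open a connection, a failed ldap_search is hidden by the "@" on ldap_get_entries and shows up only as "return(false)"; log the failure instead. In the conf.php block, "$conf['menu']['always'] = false" is missing its semicolon; "tmpdir" and "debug_file" both point into /tmp, so proxy tickets and the verbose phpCAS debug log end up in a world-readable shared directory, which should be a directory owned by the PHP user with mode 0700, and the text should say to turn "debug" back off once the setup works. The optional alternate_login line builds the service URL from $_SERVER['SERVER_NAME'], which with Apache "UseCanonicalName Off" is taken from the client's Host header; the hostname should be written out literally, as it already is for proxyback. Finally, setting "checkip" to false removes the session-to-IP binding; the NAT reason is fine, but the hunk also drops the "checkbrowser = true" line behind "...", and that one should be kept.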