[cvs] [Wiki] changed: CASAuthHowTo

[Wiki Guest]

guest [134.58.253.113]  Wed, 27 Sep 2006 04:08:09 -0700

Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision:  2.6
Change log:  added link to K.U.Leuven docs

@@ -7,9 +7,9 @@
  [http://www.kuleuven.be/ Our university] is working towards a complete AAI (Authentication and Authorization Infrastructure) implementation. For web applications we are using the [http://shibboleth.internet2.edu/ Shibboleth architecture]. But as you can read in [ShibbolethAuthHowTo the Shibboleth Authentication HowTo],  a big problem with AAI and webapplications is authentication on the backend (with Horde/IMP that would be the mailservers). What we needed was a way to prevent the password passing the webmail servers AND the mailservers.
  
  Meet CAS: "Central Authentication System". It was originally developed by Yale and then adpoted by the JA-SIG group. The ESUP consortium is also actively developing in the CAS area.
  
-We chose to use CAS (http://www.ja-sig.org/products/cas/index.html) as an authentication mechanism on top of Shibboleth. Because both Shibboleth and CAS do the initial authentication at the CAS server, users will see it as one integrated SSO system.
+We chose to use CAS (http://www.ja-sig.org/products/cas/index.html) as an authentication mechanism on top of Shibboleth. Because both Shibboleth and CAS do the initial authentication at the CAS server, users will see it as one integrated SSO system. Specific information about our implementation of CAS and Horde can be found at http://shib.kuleuven.be/docs/horde3-cas/
  
  First we used the ESUP pam module (referenced [http://www.ja-sig.org/wiki/display/CAS/PAM+Module here]) to let our mailservers use the CAS server as a possible authentication service. Here's how the cas lines in our mailserver pam-config looks like:
  {{/etc/pam.conf:}}
  <code> imap    auth    sufficient      /usr/lib/security/pam_cas.so -simap://127.0.0.1 -f/etc/pam_cas.conf