[cvs] [Wiki] changed: CASAuthHowTo

Chuck Hagenbuch chuck at horde.org
Tue May 20 16:47:58 UTC 2008


chuck  Tue, 20 May 2008 12:47:57 -0400

Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision:  2.14
Change log:  isolate code tags

@@ -11,14 +11,16 @@
 We chose to use CAS (http://www.ja-sig.org/products/cas/index.html) as an
authentication mechanism on top of Shibboleth. Because both Shibboleth and
CAS do the initial authentication at the CAS server, users will see it as
one integrated SSO system. Specific information about our implementation of
CAS and Horde can be found at http://shib.kuleuven.be/docs/horde3-cas/

 First we used the ESUP pam module (referenced
[http://www.ja-sig.org/wiki/display/CAS/PAM+Module here]) to let our
mailservers use the CAS server as a possible authentication service. Here's
how the cas lines in our mailserver pam-config looks like:
 {{/etc/pam.conf:}}
+
 <code>
  imap    auth    sufficient      /usr/lib/security/pam_cas.so
-simap://127.0.0.1 -f/etc/pam_cas.conf
  imap    auth    sufficient      /usr/lib/security/pam_ldap.so
try_first_pass
 </code>

 {{/etc/pam_cas.conf:}}
+
 <code>
  host cas.example.com
  port 80
  uriValidate /cas/proxyValidate
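Review bot: The `pam_cas.so` line in the `/etc/pam.conf` block passes `-simap://127.0.0.1 -f/etc/pam_cas.conf` with no explanation of either argument. Since this revision is already tidying the markup around that block, add one sentence saying what `-s` and `-f` are for (the `-f` value is evidently the file shown in the next block), so readers adapting the example know which values to change for their own mail server. In the same paragraph, "Here's how the cas lines in our mailserver pam-config looks like" should read "look like".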
@@ -26,16 +28,18 @@
  debug off
  proxy https://webmail.example.com/hordecas/casProxy.php
  trusted_ca /etc/pki/example.com.chain
 </code>
+
 note that this configuration means we're validating the PT to our CAS
server at port 80 (regular http), which isn't the best thing to do
considering security, but it saves quite some CPU cycles.
 If you're not sure about the network between your IMAP and CAS server then
certainly use SSL, port 443 and trusted_ca!



 Next step was to make the ESUP Horde CAS authentication driver work on our
webmail servers using Horde 3.1.1 and IMP 4.1.2.

 For now I'll just copy/paste Velpi's *notes*:
+
 <code>
 HOWTO CASify HORDE3 AND IMP4 [Velpi;20051201, Kaos99; 20060620, ...]
 ############################
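Review bot: The caveat after the `/etc/pam_cas.conf` block still begins in lowercase ("note that this configuration means...") and sits below the example, so a reader who copies the block takes the plain-HTTP setting before reaching the warning that the PT is validated on port 80. Suggest capitalising the sentence and moving it above the `<code>` block, or making the SSL, port 443 and `trusted_ca` variant the primary example and presenting the port 80 setting as the documented exception for a trusted network between the IMAP and CAS servers.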

