[cvs] [Wiki] changed: CASAuthHowTo
Chuck Hagenbuch
chuck at horde.org
Tue May 20 16:47:58 UTC 2008
chuck Tue, 20 May 2008 12:47:57 -0400
Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision: 2.14
Change log: isolate code tags
@@ -11,14 +11,16 @@
We chose to use CAS (http://www.ja-sig.org/products/cas/index.html) as an
authentication mechanism on top of Shibboleth. Because both Shibboleth and
CAS do the initial authentication at the CAS server, users will see it as
one integrated SSO system. Specific information about our implementation of
CAS and Horde can be found at http://shib.kuleuven.be/docs/horde3-cas/
First we used the ESUP pam module (referenced
[http://www.ja-sig.org/wiki/display/CAS/PAM+Module here]) to let our
mailservers use the CAS server as a possible authentication service. Here's
how the cas lines in our mailserver pam-config looks like:
{{/etc/pam.conf:}}
+
<code>
imap auth sufficient /usr/lib/security/pam_cas.so
-simap://127.0.0.1 -f/etc/pam_cas.conf
imap auth sufficient /usr/lib/security/pam_ldap.so
try_first_pass
</code>
{{/etc/pam_cas.conf:}}
+
<code>
host cas.example.com
port 80
uriValidate /cas/proxyValidate
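Review bot: In the /etc/pam.conf block, pam_cas.so is marked `sufficient` and is followed by pam_ldap.so with `try_first_pass`, but nothing in this section explains what that ordering means: a credential that pam_cas does not accept is passed on to pam_ldap and tried as a password. Since this edit is already tidying the block, add a sentence under it saying that LDAP password login remains enabled as a fallback, so that a site wanting CAS-only IMAP logins knows the second line is the one to remove.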
@@ -26,16 +28,18 @@
debug off
proxy https://webmail.example.com/hordecas/casProxy.php
trusted_ca /etc/pki/example.com.chain
</code>
+
note that this configuration means we're validating the PT to our CAS
server at port 80 (regular http), which isn't the best thing to do
considering security, but it saves quite some CPU cycles.
If you're not sure about the network between your IMAP and CAS server then
certainly use SSL, port 443 and trusted_ca!
Next step was to make the ESUP Horde CAS authentication driver work on our
webmail servers using Horde 3.1.1 and IMP 4.1.2.
For now I'll just copy/paste Velpi's *notes*:
+
<code>
HOWTO CASify HORDE3 AND IMP4 [Velpi;20051201, Kaos99; 20060620, ...]
############################
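Review bot: The caveat that follows the /etc/pam_cas.conf block says proxy tickets are validated over plain HTTP on port 80, while the block itself already carries `trusted_ca /etc/pki/example.com.chain`, and the blank line added after `</code>` moves that warning one step further from the configuration it qualifies. Consider making the example show the setting the text recommends (SSL on port 443 with trusted_ca) and describing port 80 as the local CPU trade-off, so that a copied block is the safe one. The caveat also starts with a lowercase "note that", which is worth capitalizing while this paragraph is being touched.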