[cvs] [Wiki] changed: CASAuthHowTo

Wiki Guest wikiguest at horde.org
Thu Oct 9 12:41:22 UTC 2008


guest [193.190.224.1]  Thu, 09 Oct 2008 08:41:22 -0400

Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision:  2.18
Change log:  fixed layout

@@ -49,9 +49,8 @@
  Next step was to make the ESUP Horde CAS authentication driver work  
on our webmail servers using Horde 3.1.1 and IMP 4.1.2.

  For now I'll just copy/paste Velpi's *notes*:

-<code>
  HOWTO CASify HORDE3 AND IMP4 [Velpi;20051201, Kaos99; 20060620, ...]
  ############################

  Tested succesfully using standard Debian packages [20051206]
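Review bot: With the opening <code> dropped ahead of the "HOWTO CASify HORDE3 AND IMP4" banner, the banner and its row of # characters become plain wiki text, and the next opening tag only arrives with the imp.php diff further down. Please check the rendered page to confirm the # row and the indented step text still display as intended, or keep the banner in its own small <code> block.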
@@ -76,8 +75,9 @@

  Check your current system so everything works at this point (DO IT!)
  Now we can start patching it to use CAS
  (if you didn't check your "normal" system at this point you will  
most likely curse if you need to debug, you have been warned...)
+


  1) configure Apache
  Apache HAS to be configured to use SSL for horde when using CAS. CAS  
relies on SSL to make sure it's talking to right server, that and  
encryption of course.
@@ -141,8 +141,9 @@
  notes:
  * hordeauth=true => horde "pass" will be a PT that phpCAS has  
already requested
  * imapproxy HAS to be used, else IMP will need to detect that this  
PT is invalid for login and request a new one FOR EACH REQUEST!  
[imapproxy solves this problem smoothly, don't hesitate to use it;  
SASLauthd should solve this too if you are using a cyrus IMAP backend  
or so]

+<code>
  diff -ru1b /usr/src/imp-h3-4.1.2/lib/Auth/imp.php imp/lib/Auth/imp.php
  --- /usr/src/imp-h3-4.1.2/lib/Auth/imp.php      2006-04-10  
07:03:44.000000000 +0200
  +++ imp/lib/Auth/imp.php        2006-05-05 11:41:27.000000000 +0200
  @@ -268,2 +268,11 @@
@@ -265,15 +266,16 @@
                       $charset = NLS::getCharset();
                        
$_SESSION['imp']['imap_server']['search_charset'] = array($charset =>  
$imapclient->searchCharset($charset));
  +                    $imapclient->logout();
  +*/
-
+</code>

  6) configure horde to use CAS
  note: don't forget to tell IMP to try hordeauth (imp/config/servers.php)
  you might want to use the built-in administration tools, but real  
men do it with vi ;)
  enabling CAS is easy now, just tell horde to use it:
  --------horde/config/conf.php---------- [part of! replace the auth  
thingies with something like this]
+<code>
  //make sure horde won't put the CAS login screen in a frame, this  
will seriously mess up the browser window :(
  $conf['menu']['always'] = false

  //please make me admin
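Review bot: In the conf.php snippet that now sits inside <code>, the line $conf['menu']['always'] = false has no terminating semicolon, so anyone pasting the block into horde/config/conf.php gets a PHP parse error at the next statement. Since this revision is already touching the block, add the ; there. The bracketed "[part of! replace the auth thingies ...]" remark on the file-name rule above the block could also move to its own line so the file name stands alone.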
@@ -306,15 +308,14 @@
  $conf['auth']['driver'] = 'cas';

  ...
  $conf['log']['name'] = '/tmp/hordeaai.log';
+</code>
  ---------------------------------------
  Please note that CAS will request a PT for the service that it is  
trying to connect to.
  This means that the IMAP server that checks the PT needs to do that  
with the same service name as the ticket was requested for!
  (when using an IMAPPROXY -which you should- the service name will be  
"imap://127.0.0.1" or "imap://localhost")

-</code>
-<code>


  7) patch horde configuration interface
  notes:
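Review bot: The snippet closed by the new </code> ends with $conf['log']['name'] = '/tmp/hordeaai.log';, which puts the Horde log at a predictable name in /tmp, a directory any local user can write to. Suggest the example use a path in a directory that only the web server user can write to, or add a line telling readers to change it before going live. Separately, the paragraph about the PT service name ("imap://127.0.0.1" or "imap://localhost") now follows the dashed rule with no label; a "note:" prefix would match the other notes in the HOWTO.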
@@ -322,8 +323,9 @@
  * CAS does no authorisation, everybody that can login to CAS, can  
enter horde (if no extra measures are taken, see next topic)

  enable configuration settings for horde auth:
  ---------horde/config/conf.xml---------
+<code>
  @@ -132,6 +132,19 @@
        </configdescription>
       </case>
  +    <case name="cas" desc="CAS authentication">
@@ -341,8 +343,9 @@
  +
       <case name="ftp" desc="FTP authentication">
         <configsection name="params">
            <configstring name="hostspec" desc="The hostname or IP  
address of the FTP
+</code>
  ---------------------------------------



@@ -350,8 +353,9 @@
  note: this has nothing to do with AUTHENTICATION! Meaning you don't  
need this to get CAS working.
  note: this is a configurable option (horde config.php:  
$conf['auth']['params']['authorisation'])
  don't forget to configure this correctly if you want to use it (eg  
LDAP settings)
  ---------horde/config/hooks.php---------
+<code>
  if (!function_exists('_cas_hook_authorisation')) {
  	function _cas_hook_authorisation($username = null)
  	{
  		if(empty($username)) {
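Review bot: The note above the hooks.php block points readers at "horde config.php" for $conf['auth']['params']['authorisation'], while the other steps visible in this diff name the file horde/config/conf.php. Please make the file name consistent so the authorisation switch is not looked for in the wrong place, since the earlier note says that without it everybody who can log in to CAS can enter horde.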
@@ -378,33 +382,34 @@
  		if(!is_array($information) || $information['count']!=1)	return(false);
  	 return(true);
  	 }
  }
+</code>
  ---------------------------------------
-


  [optional steps]

  *) redirect on logout (highly recommended)
  Logging out is a little less easy when using a WebISO since it will  
automatically re-login when there is still a session with the central  
server.
  A simple workaround is to make the redirect on logout link to a  
location that doesn't need authentication.
  ----horde/config/conf.php----
+<code>
  ...
  $conf['auth']['redirect_on_logout'] = 'http://cas.example.be/cas/logout';
  // or $conf['auth']['redirect_on_logout'] =  
'https://idp.example.be/shibboleth-idp/logout.jsp?return=http://webmail.example.be';
  ...
+</code>
  ---------------------------------------

  *) adjust the standard login page (recommended)
  You might want to adjust this page so it doesn't show a login box  
when using CAS.
  ----horde/config/conf.php----
+<code>
  //redirect back to IMP to make sure there's no frame-in-frame when  
sth goes wrong
  $conf['auth']['alternate_login'] =  
'https://cas.example.be/cas/login?service=https://'.$_SERVER['SERVER_NAME'].'/horde/imp';
+</code>
  ---------------------------------------
-
-
-

  --INSTALL COMPLETED--


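Review bot: The logout example uses 'http://cas.example.be/cas/logout' while the alternate_login example further down uses https://cas.example.be/cas/login; the logout redirect should be https as well, so the browser does not drop to plain HTTP on the way to the CAS server (the commented Shibboleth alternative has the same issue in its return=http://webmail.example.be parameter). In the alternate_login line, the service URL is built from $_SERVER['SERVER_NAME'], which depending on the Apache configuration can follow the client's Host header; a fixed host name in the example would be safer.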

