[cvs] [Wiki] changed: CASAuthHowTo
Wiki Guest
wikiguest at horde.org
Thu Oct 9 12:41:22 UTC 2008
guest [193.190.224.1] Thu, 09 Oct 2008 08:41:22 -0400
Modified page: http://wiki.horde.org/CASAuthHowTo
New Revision: 2.18
Change log: fixed layout
@@ -49,9 +49,8 @@
Next step was to make the ESUP Horde CAS authentication driver work
on our webmail servers using Horde 3.1.1 and IMP 4.1.2.
For now I'll just copy/paste Velpi's *notes*:
-<code>
HOWTO CASify HORDE3 AND IMP4 [Velpi;20051201, Kaos99; 20060620, ...]
############################
Tested succesfully using standard Debian packages [20051206]
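Review bot: the `<code>` opener before the "HOWTO CASify HORDE3 AND IMP4" banner is dropped here, but no matching `</code>` removal is visible in this hunk; make sure the old closing tag goes in the same revision, otherwise the wiki keeps rendering everything after the banner inside a stale code block. While touching this line, the context line "Tested succesfully" should read "Tested successfully".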
@@ -76,8 +75,9 @@
Check your current system so everything works at this point (DO IT!)
Now we can start patching it to use CAS
(if you didn't check your "normal" system at this point you will
most likely curse if you need to debug, you have been warned...)
+
1) configure Apache
Apache HAS to be configured to use SSL for horde when using CAS. CAS
relies on SSL to make sure it's talking to right server, that and
encryption of course.
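Review bot: the blank line added before "1) configure Apache" is the right separation between the warning paragraph and the step heading, and the same spacing should be applied before each of the other numbered steps so the procedure reads consistently. In the context line "talking to right server", the article is missing ("talking to the right server"); since that sentence is the reason SSL is mandatory for CAS, it is worth fixing while the section is being edited.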
@@ -141,8 +141,9 @@
notes:
* hordeauth=true => horde "pass" will be a PT that phpCAS has
already requested
* imapproxy HAS to be used, else IMP will need to detect that this
PT is invalid for login and request a new one FOR EACH REQUEST!
[imapproxy solves this problem smoothly, don't hesitate to use it;
SASLauthd should solve this too if you are using a cyrus IMAP backend
or so]
+<code>
diff -ru1b /usr/src/imp-h3-4.1.2/lib/Auth/imp.php imp/lib/Auth/imp.php
--- /usr/src/imp-h3-4.1.2/lib/Auth/imp.php 2006-04-10
07:03:44.000000000 +0200
+++ imp/lib/Auth/imp.php 2006-05-05 11:41:27.000000000 +0200
@@ -268,2 +268,11 @@
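Review bot: the `<code>` opened here before `diff -ru1b ...` has no close in this hunk, and the lines that follow are an embedded unified diff whose `--- `, `+++ ` and `@@ -268,2 +268,11 @@` markers the wiki previously rendered as plain text; wrapping them is correct, but confirm the block is closed immediately after the last line of that embedded patch so the prose of step 6 does not end up inside it. The first sentence of the notes above the patch ("horde 'pass' will be a PT that phpCAS has already requested") is the reason the imapproxy requirement exists, so keeping the two bullets adjacent to the patch, as this hunk does, is the right layout.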
@@ -265,15 +266,16 @@
$charset = NLS::getCharset();
$_SESSION['imp']['imap_server']['search_charset'] = array($charset =>
$imapclient->searchCharset($charset));
+ $imapclient->logout();
+*/
-
+</code>
6) configure horde to use CAS
note: don't forget to tell IMP to try hordeauth (imp/config/servers.php)
you might want to use the built-in administration tools, but real
men do it with vi ;)
enabling CAS is easy now, just tell horde to use it:
--------horde/config/conf.php---------- [part of! replace the auth
thingies with something like this]
+<code>
//make sure horde won't put the CAS login screen in a frame, this
will seriously mess up the browser window :(
$conf['menu']['always'] = false
//please make me admin
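Review bot: the conf.php fragment that the new `<code>` block wraps contains `$conf['menu']['always'] = false` without a terminating semicolon; since the page invites readers to paste this into `horde/config/conf.php`, the line should be `$conf['menu']['always'] = false;` or the fragment will not parse. The `</code>` added after `+*/` correctly ends the embedded imp.php patch, and dropping the empty line before it keeps the code block from ending with a blank line.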
@@ -306,15 +308,14 @@
$conf['auth']['driver'] = 'cas';
...
$conf['log']['name'] = '/tmp/hordeaai.log';
+</code>
---------------------------------------
Please note that CAS will request a PT for the service that it is
trying to connect to.
This means that the IMAP server that checks the PT needs to do that
with the same service name as the ticket was requested for!
(when using an IMAPPROXY -which you should- the service name will be
"imap://127.0.0.1" or "imap://localhost")
-</code>
-<code>
7) patch horde configuration interface
notes:
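Review bot: the sample `$conf['log']['name'] = '/tmp/hordeaai.log';` that this hunk wraps in `<code>` points the Horde log at a shared, world-writable directory; with `hordeauth=true` the log can carry proxy tickets and usernames, so the example should use a path readable only by the web server user (a file under /var/log, for instance) rather than /tmp. Removing the stray `</code>`/`<code>` pair before "7) patch horde configuration interface" is correct, as the text between the closed conf.php fragment and step 7 is prose, not code.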
@@ -322,8 +323,9 @@
* CAS does no authorisation, everybody that can login to CAS, can
enter horde (if no extra measures are taken, see next topic)
enable configuration settings for horde auth:
---------horde/config/conf.xml---------
+<code>
@@ -132,6 +132,19 @@
</configdescription>
</case>
+ <case name="cas" desc="CAS authentication">
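Review bot: the new `<code>` block before the conf.xml patch contains raw XML such as `</configdescription>`, `</case>` and `<case name="cas" desc="CAS authentication">`; check the rendered page to confirm the wiki escapes angle brackets inside `<code>`, otherwise the browser swallows these as HTML tags and the patch displays with its element lines missing. The context line "everybody that can login to CAS, can enter horde" is the key authorisation caveat of this section and should stay directly above the patch as it is here.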
@@ -341,8 +343,9 @@
+
<case name="ftp" desc="FTP authentication">
<configsection name="params">
<configstring name="hostspec" desc="The hostname or IP
address of the FTP
+</code>
---------------------------------------
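Review bot: the `</code>` is added after `<configstring name="hostspec" desc="The hostname or IP address of the FTP`, so the code block now ends in the middle of the FTP case's `configstring` element; either extend the excerpt to a complete `</case>` or end it with a `...` marker like the conf.php fragments on this page, so readers do not take the truncated element for the end of the patch.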
@@ -350,8 +353,9 @@
note: this has nothing to do with AUTHENTICATION! Meaning you don't
need this to get CAS working.
note: this is a configurable option (horde config.php:
$conf['auth']['params']['authorisation'])
don't forget to configure this correctly if you want to use it (eg
LDAP settings)
---------horde/config/hooks.php---------
+<code>
if (!function_exists('_cas_hook_authorisation')) {
function _cas_hook_authorisation($username = null)
{
if(empty($username)) {
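Review bot: the context line above this hunk's new `<code>` refers to the option as `horde config.php: $conf['auth']['params']['authorisation']`, but every other fragment on the page names the file `horde/config/conf.php` (the `----horde/config/conf.php----` banners); the reference should be conf.php so readers edit the right file. The hooks.php block that is now fenced starts with `if (!function_exists('_cas_hook_authorisation'))`, which matches the British spelling used for the config key, so that naming is consistent and should be kept as-is.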
@@ -378,33 +382,34 @@
if(!is_array($information) || $information['count']!=1) return(false);
return(true);
}
}
+</code>
---------------------------------------
-
[optional steps]
*) redirect on logout (highly recommended)
Logging out is a little less easy when using a WebISO since it will
automatically re-login when there is still a session with the central
server.
A simple workaround is to make the redirect on logout link to a
location that doesn't need authentication.
----horde/config/conf.php----
+<code>
...
$conf['auth']['redirect_on_logout'] = 'http://cas.example.be/cas/logout';
// or $conf['auth']['redirect_on_logout'] =
'https://idp.example.be/shibboleth-idp/logout.jsp?return=http://webmail.example.be';
...
+</code>
---------------------------------------
*) adjust the standard login page (recommended)
You might want to adjust this page so it doesn't show a login box
when using CAS.
----horde/config/conf.php----
+<code>
//redirect back to IMP to make sure there's no frame-in-frame when
sth goes wrong
$conf['auth']['alternate_login'] =
'https://cas.example.be/cas/login?service=https://'.$_SERVER['SERVER_NAME'].'/horde/imp';
+</code>
---------------------------------------
-
-
-
--INSTALL COMPLETED--
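Review bot: the `alternate_login` sample fenced in this hunk builds the CAS service URL from `$_SERVER['SERVER_NAME']`; with Apache's default `UseCanonicalName Off` that value is taken from the request's Host header, so the example should construct the `service=` parameter from a configured hostname (or the deployment should set `UseCanonicalName On`) so that service tickets are always issued for the intended webmail host. The rest of the hunk is sound: the `</code>` after the hook's closing brace ends the hooks.php block in the right place, the `redirect_on_logout` and `alternate_login` fragments are now fenced consistently, and removing the three blank lines before `--INSTALL COMPLETED--` tidies the page end. One small inconsistency worth noting in the logout example is that the Shibboleth variant returns to `http://webmail.example.be` while the rest of the page requires the webmail host to be served over SSL; an https return URL would match that requirement.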