[horde] Horde Imp CAS Authentication

Laura McCord mccordl at southwestern.edu
Fri Nov 11 21:02:47 UTC 2011


I think I am getting really close to completion. After installing the 
pam_cas and trying to configure it, I can't determine if in fact it's 
being used. I feel like ldap is being used first instead of trying cas. 
I created the file /etc/pam.d/imap with the following info based on 
documentation that I found:

auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
auth sufficient /lib/security/pam_ldap.so try_first_pass

Then my pam_cas.conf looks like this:

host my.cas.server
port 443
uriValidate /cas/proxyValidate
ssl on
debug on
proxy https://my.webmail.server/webmail/casProxy.php
trusted_ca /etc/ssl/servercerts/servercert.pem

Is there something that I need to do on the imap server to make sure 
that the /etc/pam.d/imap file is being utilized since I manually created 
it?


Here's the log output I'm getting from imap:
Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
Nov 11 14:52:22 imapserver authdaemond: received auth request, service=imap, authtype=login
Nov 11 14:52:22 imapserver authdaemond: authldap: trying this module
Nov 11 14:52:22 imapserver authdaemond: using search filter: (mail=mccordl at southwestern.edu)
Nov 11 14:52:22 imapserver authdaemond: one entry returned, DN: uid=mccordl,ou=person,dc=stuff,dc=stuff
Nov 11 14:52:22 imapserver authdaemond: authldaplib: sysusername=<null>, sysuserid=8731, sysgroupid=200, homedir=/home/mccordl, address=mccordl, fullname=Laura McCord, maildir=<null>, quota=<null>, options=<null>
Nov 11 14:52:22 imapserver authdaemond: rebinding with DN 'uid=mccordl,ou=person,dc=stuff,dc=stuff' to validate password
Nov 11 14:52:25 imapserver authdaemond: authentication bind failed, invalid credentials
Nov 11 14:52:25 imapserver authdaemond: authldap: REJECT - try next module
Nov 11 14:52:25 imapserver authdaemond: FAIL, all modules rejected
Nov 11 14:52:25 imapserver imapd: LOGIN FAILED, user=mccordl, ip=[]


Many Thanks,
  Laura

On 11/3/11 10:22 AM, LALOT Dominique wrote:
> 2011/11/3 Laura McCord <mccordl at southwestern.edu 
> <mailto:mccordl at southwestern.edu>>
>
>     Dom,
>
>     Is that what imapproxy is used for? Or, is that something different?
>
>
> No, once you give your password to the real imap server, the server 
> should keep an association between login and password and even 
> passwords as you can log in via CAS, or directly (thunderbird, outlook).
> Install saslauthd if you use cyrus imap or pam ccred. saslauthd is a 
> little bit buggy about managing its cache.
> You can find a patch for it here:
>
> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>
> Dom
>
>     Laura
>
>
>
>     On 11/3/11 10:06 AM, LALOT Dominique wrote:
>>
>>
>>     2011/11/3 Laura McCord <mccordl at southwestern.edu
>>     <mailto:mccordl at southwestern.edu>>
>>
>>         Xavier,
>>
>>         Thanks for the reply. I set the parameter to be blank and I
>>         bypassed the error message. I haven't configured our imap
>>         mail server yet. I was planning on installing the pam_cas
>>         module. Right now, I am figuring the reason why I am getting
>>         the too many redirects error is because it's trying to get a
>>         response from the imap server but since I don't have the
>>         pam_cas module installed it keeps trying to validate but it's
>>         getting no response. Hopefully I can get that module
>>         installed soon.
>>
>>         Thanks,
>>          Laura
>>
>>
>>     Don't forget then to cache the credential on the imap server if
>>     you don't want to ask for a proxy ticket each time you click on a
>>     mail.
>>     Dom
>>
>>
>>
>>         On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
>>
>>             Hi Laura,
>>
>>             On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
>>
>>                 Xavier,
>>
>>                 I have a question about the conf.php file. I am stuck
>>                 on the SSL CA
>>                 Cert. Do I put the path of my horde server .crt file
>>                 or do I put in the
>>                 path to my CAS server certificates?  And if it's the
>>                 cas server does
>>                 that mean the path to cacerts?
>>
>>                 I received the following error:
>>
>>                 "could not open URL .... (CURL error #77: Problem
>>                 with the SSL CA cert
>>                 (path? access rights?)) [Client.php:2595]"
>>
>>             (I was on vacation the past days)
>>
>>             $conf['auth']['params']['cas_cacert'] indicates the path,
>>             local to your horde
>>             server, to a file containing the certificate of the CA
>>             having issued the
>>             certificate of the CAS server. Or the certificate of the
>>             root authority if
>>             intermediate CAs are in the chain.
>>
>>             i.e. if the certificate of your CAS server is ultimately
>>             signed by "GTE
>>             CyberTrust Global root", you should be able to indicate
>>             "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you
>>             are under Debian.
>>
>>             This parameter is directly passed to the phpCAS library
>>             (phpCAS::setCasServerCACert). I suppose the file can be a
>>             bundle of known
>>             certificates.
>>
>>             In practice, you can also try to put the complete chain
>>             (AC 1 ->  AC 2 ->  root
>>             AC) in the file, if intermediate authorities are involved.
>>
>>             If you have problems with it, in a step by step approach,
>>             you can also leave
>>             it blank: no verification of the CAS server certificate
>>             will be made.
>>
>>             HTH,
>>
>>
>>                 Thanks,
>>                   Laura
>>
>>                 On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
>>
>>                     On Tuesday 25 October 2011 12:03:58 Maciej Uhlig
>>                     wrote:
>>
>>                         On 2011-10-25 10:48, Jan Schneider wrote:
>>
>>                             Quoting Laura
>>                             McCord<mccordl at southwestern.edu
>>                             <mailto:mccordl at southwestern.edu>>:
>>
>>                                 Hi,
>>
>>                                 I am trying to perform Horde WebMail
>>                                 authentication using CAS. I was
>>                                 wondering if this documentation is
>>                                 still relevant  that is found here
>>                                 (Horde 3):
>>                                 http://wiki.horde.org/CASAuthHowTo
>>                                 http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
>>
>>                             Not for Horde 4.
>>
>>                         As far as I can see the second link above
>>                         points to installation with
>>                         Horde 4 information too.
>>
>>                         MU
>>
>>                     We have developed a new driver to authenticate
>>                     users against a CAS
>>                     server. The driver is still in a "rough" shape,
>>                     but it is useable. I am
>>                     afraid I can't afford spending more time on this
>>                     project right now, I
>>                     hope it will be enough for you.
>>
>>                     The documentation is in English if you retrieve
>>                     the whole SVN project
>>                     http://subversion.cru.fr/esup-horde/trunk
>>
>>                     Feel free to post on this list or directly to me
>>                     if you need help.
>>
>>                     HTH,
>>
>>
>>
>>         -- 
>>         Horde mailing list
>>         Frequently Asked Questions: http://horde.org/faq/
>>         To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>         <mailto:horde-unsubscribe at lists.horde.org>
>>
>>
>>
>>
>>     -- 
>>     Dominique LALOT
>>     Systems and Network Engineer
>>     http://annuaire.univmed.fr/showuser.php?uid=lalot
>
>
>
>
> -- 
> Dominique LALOT
> Systems and Network Engineer
> http://annuaire.univmed.fr/showuser.php?uid=lalot
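As an added example (not from the thread, Courier or pam_cas), a Python parser for authdaemond lines like the log in the message above: it groups them into login attempts and records which backend modules actually logged "trying this module", which is the quickest way to see from the logs whether the PAM backend, and therefore pam_cas, was reached at all. The backend module name authpam for Courier's PAM path is an assumption; the sample lines are constructed from the post.

```python
import re

# Constructed sample: the imapd/authdaemond lines from the post, one syslog line each.
SAMPLE_LOG = """\
Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
Nov 11 14:52:22 imapserver authdaemond: received auth request, service=imap, authtype=login
Nov 11 14:52:22 imapserver authdaemond: authldap: trying this module
Nov 11 14:52:22 imapserver authdaemond: authldaplib: sysusername=<null>, sysuserid=8731
Nov 11 14:52:25 imapserver authdaemond: authldap: REJECT - try next module
Nov 11 14:52:25 imapserver authdaemond: FAIL, all modules rejected
Nov 11 14:52:25 imapserver imapd: LOGIN FAILED, user=mccordl, ip=[]
"""

# syslog prefix "<Mon> <day> <hh:mm:ss> <host> <program>: <message>"
SYSLOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ (?P<prog>\w+): (?P<msg>.*)$")
# "<module>: <text>" lines written by a backend module (authldap, authpam, ...)
MODULE_RE = re.compile(r"^(?P<mod>auth\w+): (?P<text>.+)$")


def summarize_attempts(log: str) -> list:
    """One dict per 'received auth request': service, user, the backend modules
    that logged 'trying this module' with their verdict, and the final result."""
    attempts, cur = [], None
    for m in filter(None, map(SYSLOG_RE.match, log.splitlines())):
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "authdaemond" and msg.startswith("received auth request"):
            svc = re.search(r"service=(\w+)", msg)
            cur = {"service": svc and svc.group(1), "user": None, "modules": {}, "final": None}
            attempts.append(cur)
        elif cur is None:
            continue                      # lines before any request (e.g. Connection)
        elif prog == "authdaemond":
            mod = MODULE_RE.match(msg)
            if mod and mod.group("text") == "trying this module":
                cur["modules"][mod.group("mod")] = "tried, no verdict logged"
            elif mod and mod.group("mod") in cur["modules"]:
                cur["modules"][mod.group("mod")] = mod.group("text")   # e.g. "REJECT - ..."
            elif msg.startswith("FAIL,"):
                cur["final"] = msg
        elif prog == "imapd":
            user = re.search(r"user=([^,\s]+)", msg)
            if user:
                cur["user"] = user.group(1)
    return attempts


def never_consulted(attempt: dict, expected=("authpam",)) -> list:
    """Expected backend modules that never logged 'trying this module'. 'authpam'
    (Courier's PAM backend, the path that would reach pam_cas) is an assumed default."""
    return [m for m in expected if m not in attempt["modules"]]
```

Run against the post's log, the only module that appears is authldap, so the PAM chain in /etc/pam.d/imap was never exercised by this attempt.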