[horde] Horde Imp CAS Authentication
Laura McCord
mccordl at southwestern.edu
Fri Nov 11 21:02:47 UTC 2011
I think I am getting really close to completion. After installing the
pam_cas and trying to configure it, I can't determine if in fact it's
being used. I feel like ldap is being used first instead of trying cas.
I created the file /etc/pam.d/imap with the following info based on
documentation that I found:
imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
imap auth sufficient /lib/security/pam_ldap.so try_first_pass
Then my pam_cas.conf looks like this:
host my.cas.server
port 443
uriValidate /cas/proxyValidate
ssl on
debug on
proxy https://my.webmail.server/webmail/casProxy.php
trusted_ca /etc/ssl/servercerts/servercert.pem
Is there something that I need to do on the imap server to make sure
that the /etc/pam.d/imap file is being utilized since I manually created
it?
Here's the log output I'm getting from imap:
Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
Nov 11 14:52:22 imapserver authdaemond: received auth request, service=imap, authtype=login
Nov 11 14:52:22 imapserver authdaemond: authldap: trying this module
Nov 11 14:52:22 imapserver authdaemond: using search filter: (mail=mccordl at southwestern.edu)
Nov 11 14:52:22 imapserver authdaemond: one entry returned, DN: uid=mccordl,ou=person,dc=stuff,dc=stuff
Nov 11 14:52:22 imapserver authdaemond: authldaplib: sysusername=<null>, sysuserid=8731, sysgroupid=200, homedir=/home/mccordl, address=mccordl, fullname=Laura McCord, maildir=<null>, quota=<null>, options=<null>
Nov 11 14:52:22 imapserver authdaemond: rebinding with DN 'uid=mccordl,ou=person,dc=stuff,dc=stuff' to validate password
Nov 11 14:52:25 imapserver authdaemond: authentication bind failed, invalid credentials
Nov 11 14:52:25 imapserver authdaemond: authldap: REJECT - try next module
Nov 11 14:52:25 imapserver authdaemond: FAIL, all modules rejected
Nov 11 14:52:25 imapserver imapd: LOGIN FAILED, user=mccordl, ip=[]
Many Thanks,
Laura
On 11/3/11 10:22 AM, LALOT Dominique wrote:
> 2011/11/3 Laura McCord <mccordl at southwestern.edu
> <mailto:mccordl at southwestern.edu>>
>
> Dom,
>
> Is that what imapproxy is used for? Or, is that something different?
>
>
> No, once you give your password to the real imap server, the server
> should keep an association between login and password and even
> passwords as you can log in via CAS, or directly (thunderbird, outlook).
> Install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
> little bit buggy about managing its cache.
> You can find a patch for it here:
>
> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>
> Dom
>
> Laura
>
>
>
> On 11/3/11 10:06 AM, LALOT Dominique wrote:
>>
>>
>> 2011/11/3 Laura McCord <mccordl at southwestern.edu
>> <mailto:mccordl at southwestern.edu>>
>>
>> Xavier,
>>
>> Thanks for the reply. I set the parameter to be blank and I
>> bypassed the error message. I haven't configured our imap
>> mail server yet. I was planning on installing the pam_cas
>> module. Right now, I am figuring the reason why I am getting
>> the too many redirects error is because it's trying to get a
>> response from the imap server but since I don't have the
>> pam_cas module installed it keeps trying to validate but it's
>> getting no response. Hopefully I can get that module
>> installed soon.
>>
>> Thanks,
>> Laura
>>
>>
>> Don't forget then to cache the credential on the imap server if
>> you don't want to ask for a proxy ticket each time you click on a
>> mail.
>> Dom
>>
>>
>>
>> On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
>>
>> Hi Laura,
>>
>> On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
>>
>> Xavier,
>>
>> I have a question about the conf.php file. I am stuck on the SSL CA
>> Cert. Do I put the path of my horde server .crt file or do I put in the
>> path to my CAS server certificates? And if it's the cas server does
>> that mean the path to cacerts?
>>
>> I received the following error:
>>
>> "could not open URL .... (CURL error #77: Problem with the SSL CA cert
>> (path? access rights?)) [Client.php:2595]"
>>
>> (I was on vacation the past days)
>>
>> $conf['auth']['params']['cas_cacert'] indicates the path, local to your horde
>> server, to a file containing the certificate of the CA having issued the
>> certificate of the CAS server. Or the certificate of the root authority if
>> intermediate CAs are in the chain.
>>
>> i.e. if the certificate of your CAS server is ultimately signed by "GTE
>> CyberTrust Global root", you should be able to indicate
>> "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you are under Debian.
>>
>> This parameter is directly passed to the phpCAS library
>> (phpCAS::setCasServerCACert). I suppose the file can be a bundle of known
>> certificates.
>>
>> In practice, you can also try to put the complete chain (AC 1 -> AC 2 -> root
>> AC) in the file, if intermediate authorities are involved.
>>
>> If you have problems with it, in a step by step approach, you can also leave
>> it blank: no verification of the CAS server certificate will be made.
>>
>> HTH,
>>
>>
>> Thanks,
>> Laura
>>
>> On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
>>
>> On Tuesday 25 October 2011 12:03:58 Maciej Uhlig wrote:
>>
>> On 2011-10-25 10:48, Jan Schneider wrote:
>>
>> Quoting Laura McCord <mccordl at southwestern.edu <mailto:mccordl at southwestern.edu>>:
>>
>> Hi,
>>
>> I am trying to perform Horde WebMail authentication using CAS. I was
>> wondering if this documentation is still relevant that is found here
>> (Horde 3):
>> http://wiki.horde.org/CASAuthHowTo
>> http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
>>
>> Not for Horde 4.
>>
>> As far as I can see the second link above points to installation with
>> Horde 4 information too.
>>
>> MU
>>
>> We have developed a new driver to authenticate users against a CAS
>> server. The driver is still in a "rough" shape, but it is useable. I am
>> afraid I can't afford spending more time on this project right now, I
>> hope it will be enough for you.
>>
>> The documentation is in English if you retrieve the whole SVN project
>> http://subversion.cru.fr/esup-horde/trunk
>>
>> Feel free to post on this list or directly to me if you need help.
>>
>> HTH,
>>
>>
>>
>>
>>
>>
>>
>> --
>> Dominique LALOT
>> Systems and Network Engineer
>> http://annuaire.univmed.fr/showuser.php?uid=lalot
>
>
>
>
> --
> Dominique LALOT
> Systems and Network Engineer
> http://annuaire.univmed.fr/showuser.php?uid=lalot
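
Added example, not part of the original message and not code from Horde or the IMAP server: a short Python parser for the authdaemond log excerpt in Laura McCord's message, which groups the lines per auth request and lists the modules that were actually tried. The function names are hypothetical, `authpam` as the log name of a PAM-backed module is an assumption, and the sample lines are copied from the post.

```python
import re

# Lines copied from the log excerpt in the message above (wrapped lines joined,
# LDAP search/rebind detail omitted for brevity).
SAMPLE_LOG = """\
Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
Nov 11 14:52:22 imapserver authdaemond: received auth request, service=imap, authtype=login
Nov 11 14:52:22 imapserver authdaemond: authldap: trying this module
Nov 11 14:52:25 imapserver authdaemond: authentication bind failed, invalid credentials
Nov 11 14:52:25 imapserver authdaemond: authldap: REJECT - try next module
Nov 11 14:52:25 imapserver authdaemond: FAIL, all modules rejected
Nov 11 14:52:25 imapserver imapd: LOGIN FAILED, user=mccordl, ip=[]
"""

AUTHD = re.compile(r"authdaemond: (.*)$")
REQUEST = re.compile(r"received auth request, service=(\w+), authtype=(\w+)")
TRYING = re.compile(r"^(auth\w+): trying this module$")
REJECT = re.compile(r"^(auth\w+): REJECT - try next module$")


def summarize(log_text):
    """Group authdaemond lines into requests and record the modules each one tried.

    Assumes requests are not interleaved in the log, which holds for a
    single test login like the one in the post.
    """
    requests, current = [], None
    for line in log_text.splitlines():
        found = AUTHD.search(line)
        if not found:
            continue  # imapd lines and anything else are ignored
        msg = found.group(1).strip()
        req = REQUEST.search(msg)
        if req:
            current = {"service": req.group(1), "authtype": req.group(2),
                       "tried": [], "rejected": [], "outcome": None}
            requests.append(current)
        elif current is not None:
            if TRYING.match(msg):
                current["tried"].append(TRYING.match(msg).group(1))
            elif REJECT.match(msg):
                current["rejected"].append(REJECT.match(msg).group(1))
            elif msg.startswith("FAIL, all modules rejected"):
                current["outcome"] = "FAIL"
    return requests


def module_tried(requests, module):
    """True if any request in the summary reached the named module."""
    return any(module in r["tried"] for r in requests)
```

On the posted excerpt, `summarize` reports `authldap` as the only module tried before `FAIL, all modules rejected`, and `module_tried(..., "authpam")` is false.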