[horde] Horde Imp CAS Authentication

Xavier Montagutelli xavier.montagutelli at unilim.fr
Wed Nov 16 14:45:50 UTC 2011


On Friday 11 November 2011 22:02:47 Laura McCord wrote:
> I think I am getting really close to completion. After installing the
> pam_cas and trying to configure it, I can't determine if in fact it's
> being used. I feel like ldap is being used first instead of trying cas.
> I created the file /etc/pam.d/imap with the following info based on
> documentation that I found:
> 
> imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server
> -f/etc/pam_cas.conf
> imap auth sufficient /lib/security/pam_ldap.so try_first_pass
> 
> Then my pam_cas.conf looks like this:
> 
> host my.cas.server
> port 443
> uriValidate /cas/proxyValidate
> ssl on
> debug on
> proxy https://my.webmail.server/webmail/casProxy.php
> trusted_ca /etc/ssl/servercerts/servercert.pem
> 
> Is there something that I need to do on the imap server to make sure
> that the /etc/pam.d/imap file is being utilized since I manually created
> it?

Which IMAP server do you use? We use Cyrus-IMAP, which uses the SASL library, 
and this one uses PAM when doing a PLAIN password validation, using the 
service name "imap".

> Here's the log output I'm getting from imap:
> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
> Nov 11 14:52:22 imapserver authdaemond: received auth request,
> service=imap, authtype=login

authdaemond suggests you are using Courier IMAP?

> 
> 
> Many Thanks,
>   Laura
> 
> On 11/3/11 10:22 AM, LALOT Dominique wrote:
> > 2011/11/3 Laura McCord <mccordl at southwestern.edu
> > <mailto:mccordl at southwestern.edu>>
> > 
> >     Dom,
> >     
> >     Is that what imapproxy is used for? Or, is that something different?
> > 
> > No, once you give your password to the real imap server, the server
> > should keep an association between login and password and even
> > passwords as you can log in via CAS, or directly (thunderbird, outlook).
> > install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
> > little bit buggy about managing its cache.
> > You can find a patch for it here:
> > 
> > http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
> > 
> > Dom
> > 
> >     Laura
> >     
> >     On 11/3/11 10:06 AM, LALOT Dominique wrote:
> >>     2011/11/3 Laura McCord <mccordl at southwestern.edu
> >>     <mailto:mccordl at southwestern.edu>>
> >>     
> >>         Xavier,
> >>         
> >>         Thanks for the reply. I set the parameter to be blank and I
> >>         bypassed the error message. I haven't configured our imap
> >>         mail server yet. I was planning on installing the pam_cas
> >>         module. Right now, I am figuring the reason why I am getting
> >>         the too many redirects error is because it's trying to get a
> >>         response from the imap server but since I don't have the
> >>         pam_cas module installed it keeps trying to validate but it's
> >>         getting no response. Hopefully I can get that module
> >>         installed soon.
> >>         
> >>         Thanks,
> >>         
> >>          Laura
> >>     
> >>     Don't forget then to cache the credential on the imap server if
> >>     you don't want to ask for a proxy ticket each time you click on a
> >>     mail.
> >>     Dom
> >>     
> >>         On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
> >>             Hi Laura,
> >>             
> >>             On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
> >>                 Xavier,
> >>                 
> >>                 I have a question about the conf.php file. I am stuck
> >>                 on the SSL CA
> >>                 Cert. Do I put the path of my horde server .crt file
> >>                 or do I put in the
> >>                 path to my CAS server certificates?  And if it's the
> >>                 cas server does
> >>                 that mean the path to cacerts?
> >>                 
> >>                 I received the following error:
> >>                 
> >>                 "could not open URL .... (CURL error #77: Problem
> >>                 with the SSL CA cert
> >>                 (path? access rights?)) [Client.php:2595]"
> >>             
> >>             (I was on vacation the past days)
> >>             
> >>             $conf['auth']['params']['cas_cacert'] indicates the path,
> >>             local to your horde
> >>             server, to a file containing the certificate of the CA
> >>             having issued the
> >>             certificate of the CAS server. Or the certificate of the
> >>             root authority if
> >>             intermediate CAs are in the chain.
> >>             
> >>             i.e. if the certificate of your CAS server is ultimately
> >>             signed by "GTE
> >>             CyberTrust Global root", you should be able to indicate
> >>             "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you
> >>             are under Debian.
> >>             
> >>             This parameter is directly passed to the phpCAS library
> >>             (phpCAS::setCasServerCACert). I suppose the file can be a
> >>             bundle of known
> >>             certificates.
> >>             
> >>             In practice, you can also try to put the complete chain
> >>             (AC 1 ->  AC 2 ->  root
> >>             AC) in the file, if intermediate authorities are involved.
> >>             
> >>             If you have problems with it, in a step by step approach,
> >>             you can also leave
> >>             it blank: no verification of the CAS server certificate
> >>             will be made.
> >>             
> >>             HTH,
> >>             
> >>                 Thanks,
> >>                 
> >>                   Laura
> >>                 
> >>                 On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
> >>                     On Tuesday 25 October 2011 12:03:58 Maciej Uhlig wrote:
> >>                         On 2011-10-25 10:48, Jan Schneider wrote:
> >>                             Quoting Laura McCord <mccordl at southwestern.edu
> >>                             <mailto:mccordl at southwestern.edu>>:
> >>                                 Hi,
> >>                                 
> >>                                 I am trying to perform Horde WebMail
> >>                                 authentication using CAS. I was
> >>                                 wondering if this documentation is
> >>                                 still relevant that is found here
> >>                                 (Horde 3):
> >>                                 http://wiki.horde.org/CASAuthHowTo
> >>                                 http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
> >>                             
> >>                             Not for Horde 4.
> >>                         
> >>                         As far as I can see the second link above
> >>                         points to installation with
> >>                         Horde 4 information too.
> >>                         
> >>                         MU
> >>                     
> >>                     We have developed a new driver to authenticate
> >>                     users against a CAS
> >>                     server. The driver is still in a "rough" shape,
> >>                     but it is useable. I am
> >>                     afraid I can't afford spending more time on this
> >>                     project right now, I
> >>                     hope it will be enough for you.
> >>                     
> >>                     The documentation is in english if you retrieve
> >>                     the whole SVN project
> >>                     http://subversion.cru.fr/esup-horde/trunk
> >>                     
> >>                     Feel free to post on this list or directly to me
> >>                     if you need help.
> >>                     
> >>                     HTH,

-- 
Xavier Montagutelli
http://twitter.com/#!/XMontagutelli
Service Commun Informatique - Universite de Limoges
123, avenue Albert Thomas - 87060 Limoges cedex
Tel : +33 (0)5 55 45 77 20 /   Fax : +33 (0)5 55 45 75 95
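Added example, not code from the thread, pam_cas or Horde: a small Python lint over a pam_cas.conf in the key/value form quoted above and a PAM stack in the form quoted above. The sample inputs are constructed from the quoted configs; the checks (CA verification, debug logging, the pam.conf-style leading service field that files under /etc/pam.d/ do not take, and LDAP stacked ahead of CAS) are this script's own.

```python
"""Lint a pam_cas.conf and a /etc/pam.d/<service> stack like those quoted in the thread (added example)."""

# Constructed sample: the pam_cas.conf quoted in the thread.
PAM_CAS_CONF = """\
host my.cas.server
port 443
uriValidate /cas/proxyValidate
ssl on
debug on
proxy https://my.webmail.server/webmail/casProxy.php
trusted_ca /etc/ssl/servercerts/servercert.pem
"""

# Constructed sample: the /etc/pam.d/imap stack quoted in the thread.
PAM_IMAP = """\
imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
imap auth sufficient /lib/security/pam_ldap.so try_first_pass
"""

def parse_pam_cas_conf(text):
    """Map 'key value' lines to a dict, skipping blank lines and '#' comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict((ln.split(None, 1) + [""])[:2] for ln in lines if ln and not ln.startswith("#"))

def lint_pam_cas_conf(conf):
    """Flag settings that weaken or disable validation of the CAS exchange (checks are this script's own)."""
    findings = []
    if conf.get("ssl") != "on":
        findings.append("ssl is not on: ticket validation with the CAS server is unencrypted")
    elif not conf.get("trusted_ca"):
        findings.append("ssl on without trusted_ca: the CAS server certificate is not verified")
    if conf.get("debug") == "on":
        findings.append("debug on: the validation exchange is logged verbosely; turn off in production")
    return findings

def lint_pam_d_stack(text, service):
    """Flag pam.conf-style lines (leading service field, which /etc/pam.d/ files omit) and LDAP before CAS."""
    findings, modules = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) > 1 and fields[0] == service and fields[1] in {"auth", "account", "password", "session"}:
            findings.append(f"line {n}: leading '{service}' field belongs in /etc/pam.conf, not /etc/pam.d/{service}")
            fields = fields[1:]
        if len(fields) >= 3:
            modules.append(fields[2].rsplit("/", 1)[-1])  # module file name only
    if {"pam_cas.so", "pam_ldap.so"} <= set(modules) and modules.index("pam_ldap.so") < modules.index("pam_cas.so"):
        findings.append("pam_ldap.so is stacked before pam_cas.so: CAS is only consulted after an LDAP bind fails")
    return findings
```

Run on the quoted configs it reports the `debug on` setting and the two lines that carry the `imap` service field; with `sufficient` on both modules, the stack order itself is fine because pam_cas is consulted first.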

