[horde] Horde Imp CAS Authentication
Xavier Montagutelli
xavier.montagutelli at unilim.fr
Wed Nov 16 14:45:50 UTC 2011
On Friday 11 November 2011 22:02:47 Laura McCord wrote:
> I think I am getting really close to completion. After installing the
> pam_cas and trying to configure it, I can't determine if in fact it's
> being used. I feel like ldap is being used first instead of trying cas.
> I created the file /etc/pam.d/imap with the following info based on
> documentation that I found:
>
> imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
> imap auth sufficient /lib/security/pam_ldap.so try_first_pass
>
> Then my pam_cas.conf looks like this:
>
> host my.cas.server
> port 443
> uriValidate /cas/proxyValidate
> ssl on
> debug on
> proxy https://my.webmail.server/webmail/casProxy.php
> trusted_ca /etc/ssl/servercerts/servercert.pem
>
> Is there something that I need to do on the imap server to make sure
> that the /etc/pam.d/imap file is being utilized since I manually created
> it?
Which IMAP server do you use? We use Cyrus-IMAP, which uses the SASL library,
and this one uses PAM when doing a PLAIN password validation, using the
service name "imap".
> Here's the log output I'm getting from imap:
> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
> Nov 11 14:52:22 imapserver authdaemond: received auth request,
> service=imap, authtype=login
authdaemond suggests you are using Courier IMAP?
>
>
> Many Thanks,
> Laura
>
> On 11/3/11 10:22 AM, LALOT Dominique wrote:
> > 2011/11/3 Laura McCord <mccordl at southwestern.edu
> > <mailto:mccordl at southwestern.edu>>
> >
> > Dom,
> >
> > Is that what imapproxy is used for? Or, is that something different?
> >
> > No, once you give your password to the real imap server, the server
> > should keep an association between login and password and even
> > passwords as you can log in via CAS, or directly (thunderbird, outlook).
> > Install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
> > little bit buggy about managing its cache.
> > You can find a patch for it here:
> >
> > http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
> >
> > Dom
> >
> > Laura
> >
> > On 11/3/11 10:06 AM, LALOT Dominique wrote:
> >> 2011/11/3 Laura McCord <mccordl at southwestern.edu
> >> <mailto:mccordl at southwestern.edu>>
> >>
> >> Xavier,
> >>
> >> Thanks for the reply. I set the parameter to be blank and I
> >> bypassed the error message. I haven't configured our imap
> >> mail server yet. I was planning on installing the pam_cas
> >> module. Right now, I am figuring the reason why I am getting
> >> the too many redirects error is because it's trying to get a
> >> response from the imap server but since I don't have the
> >> pam_cas module installed it keeps trying to validate but it's
> >> getting no response. Hopefully I can get that module
> >> installed soon.
> >>
> >> Thanks,
> >>
> >> Laura
> >>
> >> Don't forget then to cache the credential on the imap server if
> >> you don't want to ask for a proxy ticket each time you click on a
> >> mail.
> >> Dom
> >>
> >> On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
> >> Hi Laura,
> >>
> >> On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
> >> Xavier,
> >>
> >> I have a question about the conf.php file. I am stuck
> >> on the SSL CA
> >> Cert. Do I put the path of my horde server .crt file
> >> or do I put in the
> >> path to my CAS server certificates? And if it's the
> >> cas server does
> >> that mean the path to cacerts?
> >>
> >> I received the following error:
> >>
> >> "could not open URL .... (CURL error #77: Problem
> >> with the SSL CA cert
> >> (path? access rights?)) [Client.php:2595]"
> >>
> >> (I was on vacation the past days)
> >>
> >> $conf['auth']['params']['cas_cacert'] indicates the path,
> >> local to your horde
> >> server, to a file containing the certificate of the CA
> >> having issued the
> >> certificate of the CAS server. Or the certificate of the
> >> root authority if
> >> intermediate CAs are in the chain.
> >>
> >> i.e. if the certificate of your CAS server is ultimately
> >> signed by "GTE
> >> CyberTrust Global root", you should be able to indicate
> >> "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you
> >> are under Debian.
> >>
> >> This parameter is directly passed to the phpCAS library
> >> (phpCAS::setCasServerCACert). I suppose the file can be a
> >> bundle of known
> >> certificates.
> >>
> >> In practice, you can also try to put the complete chain
> >> (CA 1 -> CA 2 -> root
> >> CA) in the file, if intermediate authorities are involved.
> >>
> >> If you have problems with it, in a step by step approach,
> >> you can also leave
> >> it blank: no verification of the CAS server certificate
> >> will be made.
> >>
> >> HTH,
> >>
> >> Thanks,
> >>
> >> Laura
> >>
> >> On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
> >> On Tuesday 25 October 2011 12:03:58 Maciej Uhlig
> >>
> >> wrote:
> >> On 2011-10-25 10:48, Jan Schneider wrote:
> >> Quoting Laura
> >> McCord <mccordl at southwestern.edu
> >>
> >> <mailto:mccordl at southwestern.edu>>:
> >> Hi,
> >>
> >> I am trying to perform Horde WebMail
> >> authentication using CAS. I was
> >> wondering if this documentation is
> >> still relevant that is found here
> >> (Horde 3):
> >> http://wiki.horde.org/CASAuthHowTo
> >> http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
> >>
> >> Not for Horde 4.
> >>
> >> As far as I can see the second link above
> >> points to installation with
> >> Horde 4 information too.
> >>
> >> MU
> >>
> >> We have developed a new driver to authenticate
> >> users against a CAS
> >> server. The driver is still in a "rough" shape,
> >> but it is usable. I am
> >> afraid I can't afford to spend more time on this
> >> project right now; I
> >> hope it will be enough for you.
> >>
> >> The documentation is in english if you retrieve
> >> the whole SVN project
> >> http://subversion.cru.fr/esup-horde/trunk
> >>
> >> Feel free to post on this list or directly to me
> >> if you need help.
> >>
> >> HTH,
--
Xavier Montagutelli
http://twitter.com/#!/XMontagutelli
Service Commun Informatique - Universite de Limoges
123, avenue Albert Thomas - 87060 Limoges cedex
Tel : +33 (0)5 55 45 77 20 / Fax : +33 (0)5 55 45 75 95
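The two-line PAM stack quoted in this thread, as an added example (not code from pam_cas, Horde or any poster) that models how Linux-PAM evaluates it: pam_cas is consulted first, pam_ldap only runs when the CAS check fails, and a stack made only of `sufficient` entries denies when every module fails. The proxy-ticket table, the password table and the user name are constructed assumptions, and the evaluator also handles `required` and `requisite` for comparison, which the thread's stack does not use.

```python
"""Simulates how Linux-PAM walks the thread's two-line auth stack (pam_cas
'sufficient', then pam_ldap 'sufficient try_first_pass'). Added example, not
pam_cas/Horde code; the CAS and LDAP checks are constructed stand-ins."""

PAM_TYPES = ("auth", "account", "password", "session")
VALID_PROXY_TICKETS = {"PT-123-example": "laura"}   # constructed: ticket -> user
LDAP_PASSWORDS = {"laura": "s3cret"}                 # constructed: user -> password

def pam_cas(user, password):
    # pam_cas treats the password field as a CAS proxy ticket to validate
    return VALID_PROXY_TICKETS.get(password) == user

def pam_ldap(user, password):
    # try_first_pass: reuse the password the earlier module already asked for
    return LDAP_PASSWORDS.get(user) == password

MODULES = {"pam_cas.so": pam_cas, "pam_ldap.so": pam_ldap}

def parse_stack(text):
    """Parse 'auth <control> <module-path> [args]' lines; /etc/pam.d/<service>
    files have no service column, /etc/pam.conf does, so both are accepted."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] not in PAM_TYPES:
            fields = fields[1:]                     # pam.conf-style service name
        if fields[:1] != ["auth"] or len(fields) < 3:
            continue
        control, path, *args = fields[1:]
        stack.append((control, path.rsplit("/", 1)[-1], args))
    return stack

def run_auth(stack, user, password):
    """Linux-PAM simple control semantics; returns (granted, modules that ran)."""
    ran, required_failed, positive = [], False, False
    for control, module, _args in stack:
        ok = MODULES[module](user, password)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                       # stops the stack at once
        if control == "required":
            required_failed, positive = required_failed or not ok, positive or ok
        elif control == "sufficient" and ok:
            return not required_failed, ran         # later modules never run
    return positive and not required_failed, ran    # all-sufficient, all failed: deny

IMAP_STACK = parse_stack(
    "auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf\n"
    "auth sufficient /lib/security/pam_ldap.so try_first_pass\n")
```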