[horde] Horde Imp CAS Authentication

Laura McCord mccordl at southwestern.edu
Wed Nov 16 16:14:56 UTC 2011


Hi,

Yes, we are using Courier-imap. What looks to be happening is that the 
authdaemond was running authldap, so it checks out the ldap 
configuration and bypasses my pam_cas information resulting in a failed 
cas authentication. So, I figured I needed to install the authpam module 
(the installation of libauthpam was successful) and indicate in the 
authdaemond to use authpam. . Next, I revised the authdaemond 
configuration by doing this.... 'authmodulelist="authpam"'. Then, I made 
the assumption that by using authpam it knows to look in /etc/pam.d/imap 
for instruction. However, I don't understand how the password is 
validated...Doesn't ldap need to be tied in somewhere to confirm that 
the password is correct? As of now, the imap server is broken and 
doesn't look like cas is even reaching the imap server anymore. When I 
restarted the imapproxy server on my webmail server it's stating:

in.imapproxyd[26163]: IMAP_Line_Read(): connection closed prematurely.
in.imapproxyd[26163]: SetBannerAndCapability(): Error reading banner 
line from server on initial connection: Success -- Exiting.

On the bright side, I'm really learning how the mailservers work here on 
campus ;)

Thanks so much for your assistance.

-Laura


On 11/16/11 8:45 AM, Xavier Montagutelli wrote:
> On Friday 11 November 2011 22:02:47 Laura McCord wrote:
>    
>> I think I am getting really close to completion. After installing the
>> pam_cas and trying to configure it, I can't determine if in fact it's
>> being used. I feel like  ldap is being used first instead of trying cas.
>> I created the file /etc/pam.d/imap with the following info based on
>> documentation that I found:
>>
>> imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server
>> -f/etc/pam_cas.conf
>> imap auth sufficient /lib/security/pam_ldap.so try_first_pass
>>
>> Then my pam_cas.conf looks like this:
>>
>> host my.cas.server
>> port 443
>> uriValidate /cas/proxyValidate
>> ssl on
>> debug on
>> proxy https://my.webmail.server/webmail/casProxy.php
>> trusted_ca /etc/ssl/servercerts/servercert.pem
>>
>> Is there something that I need to do on the imap server to make sure
>> that the /etc/pam.d/imap file is being utilized since I manually created
>> it?
>>      
> Which IMAP server do you use ? We use Cyrus-IMAP, which uses the SASL library,
> and this one uses PAM when doing a PLAIN password validation, using the
> service name "imap".
>
>    
>> Here's the log output I'm getting from imap:
>> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
>> Nov 11 14:52:22 imapserver authdaemond: received auth request,
>> service=imap, authtype=login
>>      
> authdaemond suggests you are using Courier IMAP ?
>
>    
>>
>> Many Thanks,
>>    Laura
>>
>> On 11/3/11 10:22 AM, LALOT Dominique wrote:
>>      
>>> 2011/11/3 Laura McCord<mccordl at southwestern.edu
>>> <mailto:mccordl at southwestern.edu>>
>>>
>>>      Dom,
>>>
>>>      Is that what imapproxy is used for? Or, is that something different?
>>>
>>> No, once you give your password to the real imap server, the server
>>> should keep an association between login and password and even
>>> passwords as you can log in via CAS, or directly (thunderbird, outlook).
>>> install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
>>> little bit buggy about managing its cache.
>>> You can find a patch for it here:
>>>
>>> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>>>
>>> Dom
>>>
>>>      Laura
>>>
>>>      On 11/3/11 10:06 AM, LALOT Dominique wrote:
>>>        
>>>>      2011/11/3 Laura McCord<mccordl at southwestern.edu
>>>>      <mailto:mccordl at southwestern.edu>>
>>>>
>>>>          Xavier,
>>>>
>>>>          Thanks for the reply. I set the parameter to be blank and I
>>>>          bypassed the error message. I haven't configured our imap
>>>>          mail server yet. I was planning on installing the pam_cas
>>>>          module. Right now, I am figuring the reason why I am getting
>>>>          the too many redirects error is because it's trying to get a
>>>>          response from the imap server but since I don't have the
>>>>          pam_cas module installed it keeps trying to validate but it's
>>>>          getting no response. Hopefully I can get that module
>>>>          installed soon.
>>>>
>>>>          Thanks,
>>>>
>>>>           Laura
>>>>
>>>>      Don't forget then to cache the credential on the imap server if
>>>>      you don't want to ask for a proxy ticket each time you click on a
>>>>      mail.
>>>>      Dom
>>>>
>>>>          On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
>>>>              Hi Laura,
>>>>
>>>>              On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
>>>>                  Xavier,
>>>>
>>>>                  I have a question about the conf.php file. I am stuck
>>>>                  on the SSL CA
>>>>                  Cert. Do I put the path of my horde server .crt file
>>>>                  or do I put in the
>>>>                  path to my CAS server certificates?  And if it's the
>>>>                  cas server does
>>>>                  that mean the path to cacerts?
>>>>
>>>>                  I received the following error:
>>>>
>>>>                  "could not open URL .... (CURL error #77: Problem
>>>>                  with the SSL CA cert
>>>>                  (path? access rights?)) [Client.php:2595]"
>>>>
>>>>              (I was on vacation the past days)
>>>>
>>>>              $conf['auth']['params']['cas_cacert'] indicates the path,
>>>>              local to your horde
>>>>              server, to a file containing the certificate of the CA
>>>>              having issued the
>>>>              certificate of the CAS server. Or the certificate of the
>>>>              root authority if
>>>>              intermediate CA are in the chain.
>>>>
>>>>              i.e. if the certificate of your CAS server is ultimately
>>>>              signed by "GTE
>>>>              CyberTrust Global root", you should be able to indicate
>>>>              "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you
>>>>              are under Debian.
>>>>
>>>>              This parameter is directly passed to the phpCAS library
>>>>              (phpCAS::setCasServerCACert). I suppose the file can be a
>>>>              bundle of known
>>>>              certificates.
>>>>
>>>>              In practice, you can also try to put the complete chain
>>>>              (AC 1 ->   AC 2 ->   root
>>>>              AC) in the file, if intermediate authorities are involved.
>>>>
>>>>              If you have problems with it, in a step by step approach,
>>>>              you can also leave
>>>>              it blank : no verification of the CAS server certificate
>>>>              will be made.
>>>>
>>>>              HTH,
>>>>
>>>>                  Thanks,
>>>>
>>>>                    Laura
>>>>
>>>>                  On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
>>>>                      On Tuesday 25 October 2011 12:03:58 Maciej Uhlig
>>>>
>>>>                      wrote:
>>>>                          W dniu 2011-10-25 10:48, Jan Schneider pisze:
>>>>                              Zitat von Laura
>>>>                              McCord<mccordl at southwestern.edu
>>>>
>>>>                              <mailto:mccordl at southwestern.edu>>:
>>>>                                  Hi,
>>>>
>>>>                                  I am trying to perform Horde WebMail
>>>>                                  authentication using CAS. I was
>>>>                                  wondering if this documentation is
>>>>                                  still relevant  that is found here
>>>>                                  (Horde 3):
>>>>                                  http://wiki.horde.org/CASAuthHowTo
>>>>                                  http://www.esup-portail.org/display/PROJ
>>>>                                  HORDE/Installation+de+Horde-we bm ail
>>>>
>>>>                              Not for Horde 4.
>>>>
>>>>                          As far as I can see the second link above
>>>>                          points to installation with
>>>>                          Horde 4 information too.
>>>>
>>>>                          MU
>>>>
>>>>                      We have developed a new driver to authenticate
>>>>                      users against a CAS
>>>>                      server. The driver is still in a "rough" shape,
>>>>                      but it is useable. I am
>>>>                      afraid I can't afford spending more time on this
>>>>                      project right now, I
>>>>                      hope it will be enough for you.
>>>>
>>>>                      The documentation is in english if you retrieve
>>>>                      the whole SVN project
>>>>                      http://subversion.cru.fr/esup-horde/trunk
>>>>
>>>>                      Feel free to post on this list or directly to me
>>>>                      if you need help.
>>>>
>>>>                      HTH,
>>>>          
>    



More information about the horde mailing list