[horde] Horde Imp CAS Authentication

LALOT Dominique dom.lalot at gmail.com
Thu Nov 17 07:29:24 UTC 2011


Just to say, that's no more horde specific. That's an imap setup question.
And we are not using Courier-imap.
You need to tell your daemon -> use pam
then put CAS and LDAP in pam in order to get imap client and horde working
together.

and have a cache for credentials in order to avoid getting a new PT for each
horde imap request.

Dom

2011/11/16 Laura McCord <mccordl at southwestern.edu>

> Hi,
>
> Yes, we are using Courier-imap. What looks to be happening is that the
> authdaemond was running authldap, so it checks out the ldap configuration
> and bypasses my pam_cas information resulting in a failed cas
> authentication. So, I figured I needed to install the authpam module (the
> installation of libauthpam was successful) and indicate in the authdaemond
> to use authpam. Next, I revised the authdaemond configuration by doing
> this.... 'authmodulelist="authpam"'. Then, I made the assumption that by
> using authpam it knows to look in /etc/pam.d/imap for instruction. However,
> I don't understand how the password is validated...Doesn't ldap need to be
> tied in somewhere to confirm that the password is correct? As of now, the
> imap server is broken and doesn't look like cas is even reaching the imap
> server anymore. When I restarted the imapproxy server on my webmail server
> it's stating:
>
> in.imapproxyd[26163]: IMAP_Line_Read(): connection closed prematurely.
> in.imapproxyd[26163]: SetBannerAndCapability(): Error reading banner line
> from server on initial connection: Success -- Exiting.
>
> On the bright side, I'm really learning how the mailservers work here on
> campus ;)
>
> Thanks so much for your assistance.
>
> -Laura
>
>
>
> On 11/16/11 8:45 AM, Xavier Montagutelli wrote:
>
>> On Friday 11 November 2011 22:02:47 Laura McCord wrote:
>>
>>
>>> I think I am getting really close to completion. After installing the
>>> pam_cas and trying to configure it, I can't determine if in fact it's
>>> being used. I feel like ldap is being used first instead of trying cas.
>>> I created the file /etc/pam.d/imap with the following info based on
>>> documentation that I found:
>>>
>>> imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server
>>> -f/etc/pam_cas.conf
>>> imap auth sufficient /lib/security/pam_ldap.so try_first_pass
>>>
>>> Then my pam_cas.conf looks like this:
>>>
>>> host my.cas.server
>>> port 443
>>> uriValidate /cas/proxyValidate
>>> ssl on
>>> debug on
>>> proxy https://my.webmail.server/webmail/casProxy.php
>>> trusted_ca /etc/ssl/servercerts/servercert.pem
>>>
>>> Is there something that I need to do on the imap server to make sure
>>> that the /etc/pam.d/imap file is being utilized since I manually created
>>> it?
>>>
>>>
>> Which IMAP server do you use? We use Cyrus-IMAP, which uses the SASL
>> library,
>> and this one uses PAM when doing a PLAIN password validation, using the
>> service name "imap".
>>
>>
>>
>>> Here's the log output I'm getting from imap:
>>> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
>>> Nov 11 14:52:22 imapserver authdaemond: received auth request,
>>> service=imap, authtype=login
>>>
>>>
>> authdaemond suggests you are using Courier IMAP?
>>
>>
>>
>>>
>>> Many Thanks,
>>>   Laura
>>>
>>> On 11/3/11 10:22 AM, LALOT Dominique wrote:
>>>
>>>
>>>> 2011/11/3 Laura McCord <mccordl at southwestern.edu>
>>>>
>>>>     Dom,
>>>>
>>>>     Is that what imapproxy is used for? Or, is that something different?
>>>>
>>>> No, once you give your password to the real imap server, the server
>>>> should keep an association between login and password and even
>>>> passwords as you can log in via CAS, or directly (thunderbird, outlook).
>>>> install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
>>>> little bit buggy about managing its cache.
>>>> You can find a patch for it here:
>>>>
>>>> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>>>>
>>>> Dom
>>>>
>>>>     Laura
>>>>
>>>>     On 11/3/11 10:06 AM, LALOT Dominique wrote:
>>>>
>>>>
>>>>>     2011/11/3 Laura McCord <mccordl at southwestern.edu>
>>>>>
>>>>>         Xavier,
>>>>>
>>>>>         Thanks for the reply. I set the parameter to be blank and I
>>>>>         bypassed the error message. I haven't configured our imap
>>>>>         mail server yet. I was planning on installing the pam_cas
>>>>>         module. Right now, I am figuring the reason why I am getting
>>>>>         the too many redirects error is because it's trying to get a
>>>>>         response from the imap server but since I don't have the
>>>>>         pam_cas module installed it keeps trying to validate but it's
>>>>>         getting no response. Hopefully I can get that module
>>>>>         installed soon.
>>>>>
>>>>>         Thanks,
>>>>>
>>>>>          Laura
>>>>>
>>>>>     Don't forget then to cache the credential on the imap server if
>>>>>     you don't want to ask for a proxy ticket each time you click on a
>>>>>     mail.
>>>>>     Dom
>>>>>
>>>>>         On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
>>>>>             Hi Laura,
>>>>>
>>>>>             On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
>>>>>                 Xavier,
>>>>>
>>>>>                 I have a question about the conf.php file. I am stuck
>>>>>                 on the SSL CA
>>>>>                 Cert. Do I put the path of my horde server .crt file
>>>>>                 or do I put in the
>>>>>                 path to my CAS server certificates?  And if it's the
>>>>>                 cas server does
>>>>>                 that mean the path to cacerts?
>>>>>
>>>>>                 I received the following error:
>>>>>
>>>>>                 "could not open URL .... (CURL error #77: Problem
>>>>>                 with the SSL CA cert
>>>>>                 (path? access rights?)) [Client.php:2595]"
>>>>>
>>>>>             (I was on vacation the past days)
>>>>>
>>>>>             $conf['auth']['params']['cas_cacert'] indicates the path,
>>>>>             local to your horde
>>>>>             server, to a file containing the certificate of the CA
>>>>>             having issued the
>>>>>             certificate of the CAS server. Or the certificate of the
>>>>>             root authority if
>>>>>             intermediate CA are in the chain.
>>>>>
>>>>>             i.e. if the certificate of your CAS server is ultimately
>>>>>             signed by "GTE
>>>>>             CyberTrust Global root", you should be able to indicate
>>>>>             "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you
>>>>>             are under Debian.
>>>>>
>>>>>             This parameter is directly passed to the phpCAS library
>>>>>             (phpCAS::setCasServerCACert). I suppose the file can be a
>>>>>             bundle of known
>>>>>             certificates.
>>>>>
>>>>>             In practice, you can also try to put the complete chain
>>>>>             (CA 1 -> CA 2 -> root
>>>>>             AC) in the file, if intermediate authorities are involved.
>>>>>
>>>>>             If you have problems with it, in a step by step approach,
>>>>>             you can also leave
>>>>>             it blank: no verification of the CAS server certificate
>>>>>             will be made.
>>>>>
>>>>>             HTH,
>>>>>
>>>>>                 Thanks,
>>>>>
>>>>>                   Laura
>>>>>
>>>>>                 On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
>>>>>                     On Tuesday 25 October 2011 12:03:58 Maciej Uhlig
>>>>>
>>>>>                     wrote:
>>>>>                         On 2011-10-25 10:48, Jan Schneider wrote:
>>>>>                             Quoting Laura McCord <mccordl at southwestern.edu>:
>>>>>                                 Hi,
>>>>>
>>>>>                                 I am trying to perform Horde WebMail
>>>>>                                 authentication using CAS. I was
>>>>>                                 wondering if this documentation is
>>>>>                                 still relevant  that is found here
>>>>>                                 (Horde 3):
>>>>>                                 http://wiki.horde.org/CASAuthHowTo
>>>>>                                 http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
>>>>>
>>>>>                             Not for Horde 4.
>>>>>
>>>>>                         As far as I can see the second link above
>>>>>                         points to installation with
>>>>>                         Horde 4 information too.
>>>>>
>>>>>                         MU
>>>>>
>>>>>                     We have developed a new driver to authenticate
>>>>>                     users against a CAS
>>>>>                     server. The driver is still in a "rough" shape,
>>>>>                     but it is useable. I am
>>>>>                     afraid I can't afford spending more time on this
>>>>>                     project right now, I
>>>>>                     hope it will be enough for you.
>>>>>
>>>>>                     The documentation is in English if you retrieve
>>>>>                     the whole SVN project
>>>>>                     http://subversion.cru.fr/esup-horde/trunk
>>>>>
>>>>>                     Feel free to post on this list or directly to me
>>>>>                     if you need help.
>>>>>
>>>>>                     HTH,
>>>>>
>>>>>
>>>>
>>
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>



-- 
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot
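A model of how the two-line /etc/pam.d/imap stack quoted in this thread is walked, added here as an example and not code from the thread or from pam_cas: module outcomes are passed in as a dict (an assumption standing in for the real pam_cas and pam_ldap calls), and the walk follows Linux-PAM's sufficient/required/requisite rules, so you can see that with both lines marked `sufficient` a valid CAS proxy ticket returns before pam_ldap is ever consulted, while a desktop client's real password falls through to LDAP.

```python
# Constructed sample: the two lines quoted in the thread, in pam.conf syntax
# (leading service name). pam.d syntax without the service name also parses.
SAMPLE_STACK = """
imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
imap auth sufficient /lib/security/pam_ldap.so try_first_pass
"""

def parse_stack(text, service="imap"):
    """Return [(control, module, args)] for the 'auth' rules of one service."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == service:          # pam.conf style: drop the service
            fields = fields[1:]
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        rules.append((control, module.rsplit("/", 1)[-1], args))
    return rules

def evaluate(rules, results):
    """Walk the stack top to bottom; results maps module -> True/False
    (assumed outcomes, not real module calls).
    Returns (authenticated, modules actually consulted)."""
    consulted, required_failed, required_seen = [], False, False
    for control, module, _ in rules:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted    # short-circuit: later lines never run
        elif control == "requisite":
            required_seen = True
            if not ok:
                return False, consulted   # hard stop
        elif control == "required":
            required_seen = True
            required_failed = required_failed or not ok   # keep walking
        # 'optional' decides nothing in this model
    # A stack of only 'sufficient' rules fails when none of them succeeded.
    return required_seen and not required_failed, consulted

def cas_then_ldap(ticket_ok, ldap_ok, stack=SAMPLE_STACK):
    """One IMAP login: Horde presents a CAS proxy ticket, a desktop client a password."""
    return evaluate(parse_stack(stack),
                    {"pam_cas.so": ticket_ok, "pam_ldap.so": ldap_ok})
```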

