[horde] Horde Imp CAS Authentication
LALOT Dominique
dom.lalot at gmail.com
Thu Nov 17 07:29:24 UTC 2011
Just to say, that's no longer Horde specific. That's an IMAP setup question.
And we are not using Courier-IMAP.
You need to tell your daemon -> use PAM,
then put CAS and LDAP in PAM in order to get the IMAP client and Horde working
together,
and have a cache for credentials in order to avoid getting a new PT for each
Horde IMAP request.
Dom
2011/11/16 Laura McCord <mccordl at southwestern.edu>
> Hi,
>
> Yes, we are using Courier-IMAP. What looks to be happening is that the
> authdaemond was running authldap, so it checks out the LDAP configuration
> and bypasses my pam_cas information, resulting in a failed CAS
> authentication. So, I figured I needed to install the authpam module (the
> installation of libauthpam was successful) and indicate in the authdaemond
> to use authpam. Next, I revised the authdaemond configuration by doing
> this: 'authmodulelist="authpam"'. Then, I made the assumption that by
> using authpam it knows to look in /etc/pam.d/imap for instruction. However,
> I don't understand how the password is validated... Doesn't LDAP need to be
> tied in somewhere to confirm that the password is correct? As of now, the
> IMAP server is broken and it doesn't look like CAS is even reaching the IMAP
> server anymore. When I restarted the imapproxy server on my webmail server
> it's stating:
>
> in.imapproxyd[26163]: IMAP_Line_Read(): connection closed prematurely.
> in.imapproxyd[26163]: SetBannerAndCapability(): Error reading banner line
> from server on initial connection: Success -- Exiting.
>
> On the bright side, I'm really learning how the mailservers work here on
> campus ;)
>
> Thanks so much for your assistance.
>
> -Laura
>
>
>
> On 11/16/11 8:45 AM, Xavier Montagutelli wrote:
>
>> On Friday 11 November 2011 22:02:47 Laura McCord wrote:
>>
>>
>>> I think I am getting really close to completion. After installing the
>>> pam_cas and trying to configure it, I can't determine if in fact it's
>>> being used. I feel like ldap is being used first instead of trying cas.
>>> I created the file /etc/pam.d/imap with the following info based on
>>> documentation that I found:
>>>
>>> imap auth sufficient /lib/security/pam_cas.so -simap://my.imap.server
>>> -f/etc/pam_cas.conf
>>> imap auth sufficient /lib/security/pam_ldap.so try_first_pass
>>>
>>> Then my pam_cas.conf looks like this:
>>>
>>> host my.cas.server
>>> port 443
>>> uriValidate /cas/proxyValidate
>>> ssl on
>>> debug on
>>> proxy https://my.webmail.server/webmail/casProxy.php
>>> trusted_ca /etc/ssl/servercerts/servercert.pem
>>>
>>> Is there something that I need to do on the imap server to make sure
>>> that the /etc/pam.d/imap file is being utilized since I manually created
>>> it?
>>>
>>>
>> Which IMAP server do you use? We use Cyrus-IMAP, which uses the SASL
>> library, and this one uses PAM when doing a PLAIN password validation,
>> using the service name "imap".
>>
>>
>>
>>> Here's the log output I'm getting from imap:
>>> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
>>> Nov 11 14:52:22 imapserver authdaemond: received auth request,
>>> service=imap, authtype=login
>>>
>>>
>> authdaemond suggests you are using Courier IMAP ?
>>
>>
>>
>>>
>>> Many Thanks,
>>> Laura
>>>
>>> On 11/3/11 10:22 AM, LALOT Dominique wrote:
>>>
>>>
>>>> 2011/11/3 Laura McCord <mccordl at southwestern.edu>
>>>>
>>>> Dom,
>>>>
>>>> Is that what imapproxy is used for? Or, is that something different?
>>>>
>>>> No, once you give your password to the real imap server, the server
>>>> should keep an association between login and password and even
>>>> passwords as you can log in via CAS, or directly (thunderbird, outlook).
>>>> install saslauthd if you use cyrus imap or pam ccred. saslauthd is a
>>>> little bit buggy about managing its cache.
>>>> You can find a patch for it here:
>>>>
>>>> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>>>>
>>>> Dom
>>>>
>>>> Laura
>>>>
>>>> On 11/3/11 10:06 AM, LALOT Dominique wrote:
>>>>
>>>>
>>>>> 2011/11/3 Laura McCord <mccordl at southwestern.edu>
>>>>>
>>>>> Xavier,
>>>>>
>>>>> Thanks for the reply. I set the parameter to be blank and I
>>>>> bypassed the error message. I haven't configured our imap
>>>>> mail server yet. I was planning on installing the pam_cas
>>>>> module. Right now, I am figuring the reason why I am getting
>>>>> the too many redirects error is because it's trying to get a
>>>>> response from the imap server but since I don't have the
>>>>> pam_cas module installed it keeps trying to validate but it's
>>>>> getting no response. Hopefully I can get that module
>>>>> installed soon.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Laura
>>>>>
>>>>> Don't forget then to cache the credential on the imap server if
>>>>> you don't want to ask for a proxy ticket each time you click on a
>>>>> mail.
>>>>> Dom
>>>>>
>>>>> On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
>>>>> Hi Laura,
>>>>>
>>>>> On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
>>>>> Xavier,
>>>>>
>>>>> I have a question about the conf.php file. I am stuck
>>>>> on the SSL CA
>>>>> Cert. Do I put the path of my horde server .crt file
>>>>> or do I put in the
>>>>> path to my CAS server certificates? And if it's the
>>>>> cas server does
>>>>> that mean the path to cacerts?
>>>>>
>>>>> I received the following error:
>>>>>
>>>>> "could not open URL .... (CURL error #77: Problem
>>>>> with the SSL CA cert
>>>>> (path? access rights?)) [Client.php:2595]"
>>>>>
>>>>> (I was on vacation the past days)
>>>>>
>>>>> $conf['auth']['params']['cas_cacert'] indicates the path, local to
>>>>> your horde server, to a file containing the certificate of the CA
>>>>> having issued the certificate of the CAS server. Or the certificate
>>>>> of the root authority if intermediate CAs are in the chain.
>>>>>
>>>>> i.e. if the certificate of your CAS server is ultimately signed by
>>>>> "GTE CyberTrust Global root", you should be able to indicate
>>>>> "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you are under Debian.
>>>>>
>>>>> This parameter is directly passed to the phpCAS library
>>>>> (phpCAS::setCasServerCACert). I suppose the file can be a
>>>>> bundle of known
>>>>> certificates.
>>>>>
>>>>> In practice, you can also try to put the complete chain
>>>>> (AC 1 -> AC 2 -> root
>>>>> AC) in the file, if intermediate authorities are involved.
>>>>>
>>>>> If you have problems with it, in a step by step approach, you can
>>>>> also leave it blank: no verification of the CAS server certificate
>>>>> will be made.
>>>>>
>>>>> HTH,
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Laura
>>>>>
>>>>> On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
>>>>> On Tuesday 25 October 2011 12:03:58 Maciej Uhlig wrote:
>>>>> On 2011-10-25 10:48, Jan Schneider wrote:
>>>>> Quote from Laura McCord <mccordl at southwestern.edu>:
>>>>> Hi,
>>>>>
>>>>> I am trying to perform Horde WebMail
>>>>> authentication using CAS. I was
>>>>> wondering if this documentation is
>>>>> still relevant that is found here
>>>>> (Horde 3):
>>>>> http://wiki.horde.org/CASAuthHowTo
>>>>> http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
>>>>>
>>>>> Not for Horde 4.
>>>>>
>>>>> As far as I can see the second link above
>>>>> points to installation with
>>>>> Horde 4 information too.
>>>>>
>>>>> MU
>>>>>
>>>>> We have developed a new driver to authenticate
>>>>> users against a CAS
>>>>> server. The driver is still in a "rough" shape,
>>>>> but it is useable. I am
>>>>> afraid I can't afford spending more time on this
>>>>> project right now, I
>>>>> hope it will be enough for you.
>>>>>
>>>>> The documentation is in English if you retrieve the whole SVN project:
>>>>> http://subversion.cru.fr/esup-horde/trunk
>>>>>
>>>>> Feel free to post on this list or directly to me
>>>>> if you need help.
>>>>>
>>>>> HTH,
>>>>>
>>>>>
>>>>
>>
>
--
Dominique LALOT
Ingénieur Systèmes et Réseaux
http://annuaire.univmed.fr/showuser.php?uid=lalot
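Two points in this thread are worth seeing as code: the checks a PAM module such as pam_cas has to perform when the "password" presented to the IMAP server is really a CAS proxy ticket validated against /cas/proxyValidate (Laura's pam_cas.conf), and the credential cache Dom recommends so that Horde does not have to fetch a new PT for every IMAP command. The following is an added example, not code from the thread, from pam_cas, or from the ESUP project; the CAS 2.0 serviceResponse documents are constructed samples, the trusted proxy URL is taken from Laura's configuration, and no network calls are made.

```python
"""Added example (not from the thread): the trust checks for a CAS proxy ticket
presented as an IMAP password, plus a short-lived credential cache.  The CAS
server replies below are constructed samples of the CAS 2.0 /proxyValidate XML."""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Mirrors the 'proxy' line in pam_cas.conf: the only proxy callback URL whose
# tickets this IMAP server accepts (value assumed from the thread's config).
TRUSTED_PROXY = "https://my.webmail.server/webmail/casProxy.php"

# Constructed sample replies from /cas/proxyValidate.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>laura</cas:user>
    <cas:proxies>
      <cas:proxy>https://my.webmail.server/webmail/casProxy.php</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Same assertion, but the ticket was obtained through a proxy we do not trust.
ROGUE_PROXY_XML = SUCCESS_XML.replace("my.webmail.server", "other.example.org")

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket PT-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_proxy_validate(xml_text):
    """Return (user, [proxy chain]) on success, or (None, failure code)."""
    root = ET.fromstring(xml_text)
    fail = root.find(CAS_NS + "authenticationFailure")
    if fail is not None:
        return None, fail.get("code", "UNKNOWN")
    ok = root.find(CAS_NS + "authenticationSuccess")
    if ok is None:
        return None, "MALFORMED"
    user = ok.findtext(CAS_NS + "user")
    # CAS lists the proxy chain most recent first: the first entry is the
    # service that asked the CAS server for this proxy ticket.
    proxies = [p.text.strip() for p in ok.iter(CAS_NS + "proxy")]
    return user, proxies


def accept_ticket(login, xml_text, trusted_proxy=TRUSTED_PROXY):
    """Checks a PAM module must make before a PT may stand in for a password:
    the CAS server validated it, the asserted user is the IMAP login being
    attempted, and the ticket was requested by our own webmail front end."""
    user, detail = parse_proxy_validate(xml_text)
    if user is None:
        return False, detail
    if user != login:
        return False, "USER_MISMATCH"
    if not detail or detail[0] != trusted_proxy:
        return False, "UNTRUSTED_PROXY"
    return True, user


class CredentialCache:
    """Cache keyed by login + keyed hash of the presented secret, so a PT that
    was already validated is not sent back to CAS on every IMAP command Horde
    issues (Dom's 'cache for credential').  Only an HMAC of the secret is kept
    in memory, never the ticket or password itself, and entries expire."""

    def __init__(self, ttl_seconds=600, key=b"per-host-random-key"):
        self.ttl = ttl_seconds
        self.key = key  # in real use: random bytes generated at daemon start
        self._entries = {}

    def _tag(self, login, secret):
        mac = hmac.new(self.key, (login + "\0" + secret).encode(), hashlib.sha256)
        return login, mac.hexdigest()

    def remember(self, login, secret, now=None):
        now = time.time() if now is None else now
        self._entries[self._tag(login, secret)] = now + self.ttl

    def check(self, login, secret, now=None):
        now = time.time() if now is None else now
        tag = self._tag(login, secret)
        expiry = self._entries.get(tag)
        if expiry is None:
            return False
        if now > expiry:
            del self._entries[tag]
            return False
        return True


if __name__ == "__main__":
    print(accept_ticket("laura", SUCCESS_XML))        # (True, 'laura')
    print(accept_ticket("laura", ROGUE_PROXY_XML))    # (False, 'UNTRUSTED_PROXY')
    cache = CredentialCache(ttl_seconds=10)
    cache.remember("laura", "PT-constructed", now=1000)
    print(cache.check("laura", "PT-constructed", now=1005))  # True
```

The proxy-chain comparison is the part that matters for a shared IMAP server: a proxy ticket is only as trustworthy as the proxy that obtained it, so an entry in the cache should only ever be created after `accept_ticket` has returned True for that login. The cache TTL is the trade-off Dom describes; a short TTL still saves one CAS round trip per IMAP command while limiting how long a consumed ticket keeps a session alive.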