[horde] Horde Imp CAS Authentication
Laura McCord
mccordl at southwestern.edu
Thu Nov 17 14:46:13 UTC 2011
Dom,
Yes, you're right, this is starting to get into imap specific questions
so I'll move this over to the appropriate mailing list.
Thanks,
Laura
On 11/17/11 1:29 AM, LALOT Dominique wrote:
> Just to say, that's no longer Horde specific. That's an IMAP setup
> question. And we are not using Courier-IMAP.
> You need to tell your daemon -> use pam
> then put CAS and LDAP in pam in order to get imap client and horde
> working together.
>
> and have a cache for credential in order to avoid getting a new PT for
> each horde imap request
>
> Dom
>
> 2011/11/16 Laura McCord <mccordl at southwestern.edu>
>
> Hi,
>
> Yes, we are using Courier-imap. What looks to be happening is that
> the authdaemond was running authldap, so it checks out the ldap
> configuration and bypasses my pam_cas information resulting in a
> failed cas authentication. So, I figured I needed to install the
> authpam module (the installation of libauthpam was successful) and
> indicate in the authdaemond to use authpam. Next, I revised the
> authdaemond configuration by doing this....
> 'authmodulelist="authpam"'. Then, I made the assumption that by
> using authpam it knows to look in /etc/pam.d/imap for instruction.
> However, I don't understand how the password is
> validated...Doesn't ldap need to be tied in somewhere to confirm
> that the password is correct? As of now, the imap server is broken
> and doesn't look like cas is even reaching the imap server
> anymore. When I restarted the imapproxy server on my webmail
> server it's stating:
>
> in.imapproxyd[26163]: IMAP_Line_Read(): connection closed prematurely.
> in.imapproxyd[26163]: SetBannerAndCapability(): Error reading
> banner line from server on initial connection: Success -- Exiting.
>
> On the bright side, I'm really learning how the mailservers work
> here on campus ;)
>
> Thanks so much for your assistance.
>
> -Laura
>
>
>
> On 11/16/11 8:45 AM, Xavier Montagutelli wrote:
>
> On Friday 11 November 2011 22:02:47 Laura McCord wrote:
>
> I think I am getting really close to completion. After
> installing the
> pam_cas and trying to configure it, I can't determine if
> in fact it's
> being used. I feel like ldap is being used first instead
> of trying cas.
> I created the file /etc/pam.d/imap with the following info
> based on
> documentation that I found:
>
> # /etc/pam.d/imap: the service is the file name, so there is no leading
> # "imap" field here (that column only exists in /etc/pam.conf)
> auth sufficient /lib/security/pam_cas.so -simap://my.imap.server -f/etc/pam_cas.conf
> auth sufficient /lib/security/pam_ldap.so try_first_pass
>
> Then my pam_cas.conf looks like this:
>
> host my.cas.server
> port 443
> uriValidate /cas/proxyValidate
> ssl on
> debug on
> proxy https://my.webmail.server/webmail/casProxy.php
> trusted_ca /etc/ssl/servercerts/servercert.pem
>
> Is there something that I need to do on the imap server to
> make sure
> that the /etc/pam.d/imap file is being utilized since I
> manually created
> it?
>
> Which IMAP server do you use? We use Cyrus-IMAP, which uses the SASL
> library, and this one uses PAM when doing a PLAIN password validation,
> using the service name "imap".
>
>
> Here's the log output I'm getting from imap:
> Nov 11 14:52:22 imapserver imapd: Connection, ip=[]
> Nov 11 14:52:22 imapserver authdaemond: received auth request,
> service=imap, authtype=login
>
> authdaemond suggests you are using Courier IMAP?
>
>
>
> Many Thanks,
> Laura
>
> On 11/3/11 10:22 AM, LALOT Dominique wrote:
>
> 2011/11/3 Laura McCord <mccordl at southwestern.edu>
>
> Dom,
>
> Is that what imapproxy is used for? Or, is that
> something different?
>
> No, once you give your password to the real imap server, the server
> should keep an association between login and password, and even
> passwords, as you can log in via CAS or directly (Thunderbird, Outlook).
> Install saslauthd if you use Cyrus IMAP, or pam_ccreds. saslauthd is a
> little bit buggy about managing its cache.
> You can find a patch for it here:
>
> http://www.esup-portail.org/display/PROJPAMCAS/03+-+patch+saslauthd
>
> Dom
>
> Laura
>
> On 11/3/11 10:06 AM, LALOT Dominique wrote:
>
> 2011/11/3 Laura McCord <mccordl at southwestern.edu>
>
> Xavier,
>
> Thanks for the reply. I set the parameter to be blank and I bypassed
> the error message. I haven't configured our imap mail server yet. I
> was planning on installing the pam_cas module. Right now, I am
> figuring the reason why I am getting the too many redirects error is
> because it's trying to get a response from the imap server but since
> I don't have the pam_cas module installed it keeps trying to validate
> but it's getting no response. Hopefully I can get that module
> installed soon.
>
> Thanks,
>
> Laura
>
> Don't forget then to cache the credential on the imap server if you
> don't want to ask for a proxy ticket each time you click on a mail.
> Dom
>
> On 11/2/11 12:37 PM, Xavier Montagutelli wrote:
> Hi Laura,
>
> On Thursday 27 October 2011 19:54:07 Laura McCord wrote:
> Xavier,
>
> I have a question about the conf.php file. I am stuck on the SSL CA
> Cert. Do I put the path of my horde server .crt file or do I put in
> the path to my CAS server certificates? And if it's the cas server
> does that mean the path to cacerts?
>
> I received the following error:
>
> "could not open URL .... (CURL error #77: Problem with the SSL CA cert
> (path? access rights?)) [Client.php:2595]"
>
> (I was on vacation the past days)
>
> $conf['auth']['params']['cas_cacert'] indicates the path, local to
> your horde server, to a file containing the certificate of the CA
> having issued the certificate of the CAS server. Or the certificate
> of the root authority if intermediate CAs are in the chain.
>
> e.g. if the certificate of your CAS server is ultimately signed by
> "GTE CyberTrust Global root", you should be able to indicate
> "/etc/ssl/certs/GTE_CyberTrust_Global_Root.pem" if you are under
> Debian.
>
> This parameter is directly passed to the phpCAS library
> (phpCAS::setCasServerCACert). I suppose the file can be a bundle of
> known certificates.
>
> In practice, you can also try to put the complete chain (CA 1 -> CA 2
> -> root CA) in the file, if intermediate authorities are involved.
>
> If you have problems with it, in a step by step approach, you can
> also leave it blank: no verification of the CAS server certificate
> will be made.
>
> HTH,
>
> Thanks,
>
> Laura
>
> On 10/26/11 6:50 AM, Xavier Montagutelli wrote:
> On Tuesday 25 October 2011 12:03:58 Maciej Uhlig wrote:
> On 2011-10-25 10:48, Jan Schneider wrote:
> Quoting Laura McCord <mccordl at southwestern.edu>:
> Hi,
>
> I am trying to perform Horde WebMail authentication using CAS. I was
> wondering if this documentation is still relevant that is found here
> (Horde 3):
> http://wiki.horde.org/CASAuthHowTo
> http://www.esup-portail.org/display/PROJHORDE/Installation+de+Horde-webmail
>
> Not for Horde 4.
>
> As far as I can see the second link above points to installation with
> Horde 4 information too.
>
> MU
>
> We have developed a new driver to authenticate users against a CAS
> server. The driver is still in a "rough" shape, but it is usable. I
> am afraid I can't afford spending more time on this project right
> now, I hope it will be enough for you.
>
> The documentation is in English if you retrieve the whole SVN project
> http://subversion.cru.fr/esup-horde/trunk
>
> Feel free to post on this list or directly to me if you need help.
>
> HTH,
>
>
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
>
>
> --
> Dominique LALOT
> Systems and Network Engineer
> http://annuaire.univmed.fr/showuser.php?uid=lalot
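The thread leaves one mechanism implicit: with pam_cas on the IMAP server, the "password" Horde sends over IMAP is a CAS proxy ticket, and the module validates it by calling the CAS server's proxyValidate URL with the IMAP service URL, then checking that the ticket was obtained through the trusted webmail proxy. The block below is an added example, not code from Horde, pam_cas or the esup-portail project. It reproduces that exchange and the credential cache Dom recommends: the hostnames and the proxy URL are the example values from the posted pam_cas.conf, the CAS server is simulated in memory, the tickets and XML replies are constructed, and the SHA-256-keyed cache is an assumed stand-in for saslauthd/pam_ccreds rather than their actual on-disk format.

```python
"""Validate an IMAP login whose password field carries a CAS proxy ticket.

Added example (not pam_cas, Horde or esup-portail code).  Mirrors what
pam_cas does for the "imap" PAM service: the PT is sent to proxyValidate
with the IMAP service URL, and the XML reply names the user and the proxy
chain.  CAS server, cache, hostnames, tickets and XML are all constructed.
"""
import hashlib
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Values as in the pam_cas.conf posted in the thread (example hostnames).
CAS_HOST = "my.cas.server"
URI_VALIDATE = "/cas/proxyValidate"
IMAP_SERVICE = "imap://my.imap.server"
TRUSTED_PROXY = "https://my.webmail.server/webmail/casProxy.php"


def validate_url(ticket: str) -> str:
    """URL pam_cas fetches (https; cert checked against trusted_ca).
    `service` must be the target the PT was issued for."""
    query = urlencode({"service": IMAP_SERVICE, "ticket": ticket})
    return f"https://{CAS_HOST}{URI_VALIDATE}?{query}"


def parse_validate_response(xml_text: str, trusted_proxy: str):
    """Return the CAS user on authenticationSuccess AND when the ticket came
    through `trusted_proxy`; otherwise None.  A success via some other
    proxy is refused, or any service holding a PT for IMAP could log in."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        return None
    user = (ok.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    proxies = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    if not user or trusted_proxy not in proxies:
        return None
    return user


class CredentialCache:
    """Assumed in-memory stand-in for the saslauthd / pam_ccreds cache:
    remembers a validated (user, ticket) pair for `ttl` seconds so each of
    Horde's IMAP connections does not cost a new PT and a CAS round trip."""

    def __init__(self, ttl: float = 600, now=time.time):
        self.ttl, self.now, self._store = ttl, now, {}

    @staticmethod
    def _key(user: str, ticket: str) -> str:
        # Hash only, so a dumped cache does not leak live tickets.
        return hashlib.sha256(f"{user}\0{ticket}".encode()).hexdigest()

    def get(self, user: str, ticket: str) -> bool:
        expires = self._store.get(self._key(user, ticket))
        return expires is not None and expires > self.now()

    def put(self, user: str, ticket: str) -> None:
        self._store[self._key(user, ticket)] = self.now() + self.ttl


def authenticate(user: str, password: str, fetch, cache: CredentialCache) -> bool:
    """True only for a PT that CAS confirms for this user via the trusted
    proxy.  A non-PT password is refused here; in the thread's PAM stack
    that lets the next `sufficient` module (pam_ldap) try it instead."""
    if not password.startswith("PT-"):
        return False
    if cache.get(user, password):
        return True
    cas_user = parse_validate_response(fetch(validate_url(password)), TRUSTED_PROXY)
    if cas_user != user:
        return False
    cache.put(user, password)
    return True


# --- Simulated CAS server: constructed CAS 2.0 XML replies ---------------
def _success(user: str, proxy: str) -> str:
    return (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
        f"<cas:proxies><cas:proxy>{proxy}</cas:proxy></cas:proxies>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    )


FAILURE_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized"
    "</cas:authenticationFailure></cas:serviceResponse>"
)

_RESPONSES = {
    "PT-1-good": _success("mccordl", TRUSTED_PROXY),
    "PT-2-otherproxy": _success("mccordl", "https://other.example/proxy"),
}


def fake_cas(url: str) -> str:
    """Answer a proxyValidate request by looking up the ticket."""
    ticket = parse_qs(urlparse(url).query).get("ticket", [""])[0]
    return _RESPONSES.get(ticket, FAILURE_XML)


if __name__ == "__main__":
    cache = CredentialCache(ttl=60)
    for pw in ("PT-1-good", "PT-2-otherproxy", "PT-3-unknown", "hunter2"):
        print(pw, "->", authenticate("mccordl", pw, fake_cas, cache))
```

Two checks are the security-relevant ones: the proxy chain in the reply must contain the webmail proxy (a valid ticket obtained through any other proxy is rejected even though CAS reports success), and the user CAS names must equal the login name, so a ticket for one account cannot open another mailbox. The cache is what makes the "one PT per click" problem go away; it is keyed by user and ticket, so a stale or foreign ticket never hits.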