CAS Client Module Deployment - Openroadvietnam/obm-integration GitHub Wiki
- OBM v2.5.3+
- Apache v2.2.15+
- MySQL v5.5.34+
- PHP v5.4.21+
- Roundcube Webmail v0.8.7+
- Roundcube CAS Plugin: https://github.com/dfwarden/Roundcube-CAS-Authn
- phpCAS 1.2.2: https://wiki.jasig.org/display/CASC/phpCAS
- Pam_cas-2.0.11-esup-2.0.5
# cd /usr/share/obm/php/webmail/config/ # cp main.inc.php main.inc.php.bak
# mkdir -p /usr/share/obm/php/webmail/plugins/cas_authn # chown -R apache.apache /usr/share/obm/php/webmail/plugins/cas_authn # ls -l /usr/share/obm/php/webmail/plugins | grep cas
# git clone git@github.com:dfwarden/Roundcube-CAS-Authn.git
# rsync -avz -e "ssh -p <your-ssh-port>" cas_authn/* root@<your-server-hostname>:/usr/share/obm/php/webmail/plugins/cas_authn/
# cd /usr/share/obm/php/webmail/plugins/cas_authn/ # wget http://downloads.jasig.org/cas-clients/php/1.2.2/CAS-1.2.2.tgz # tar zxvf CAS-1.2.2.tgz # mv -v CAS-1.2.2/* . # rm -Rf CAS-1.2.2
# chown -R apache.apache /usr/share/obm/php/webmail/plugins/cas_authn
# cd /usr/share/obm/php/webmail/config/
# vim main.inc.php +383
// ---------------------------------- // PLUGINS // ---------------------------------- // List of active plugins (in plugins/ directory) //$rcmail_config['plugins'] = array('obm_cas_client'); $rcmail_config['plugins'] = array('cas_authn'); Save the config file and exit.
# cd /usr/share/obm/php/webmail/plugins/cas_authn/ # cp config.inc.php.dist config.inc.php
# service httpd reload
https://<your-server-hostname>/webmail/
9. Click the button “Sign in using Central Authentication Service” if you want to authenticate users with SSO
- openssl v1.0.0
- development tools (gcc, cvs, libgcc...)
# cd /usr/share/obm/php/webmail/plugins/cas_authn/ # wget https://sourcesup.renater.fr/frs/download.php/2418/Pam_cas-2.0.11-esup-2.0.5.tar.gz # tar zxvf Pam_cas-2.0.11-esup-2.0.5.tar.gz
# rpm -qa | grep openssl # yum install openssl
# rpm -qa | grep gcc # yum groupinstall "Development Tools"
# cd Pam_cas-2.0.11-esup-2.0.5/sources/ # mv Makefile.redhat Makefile # vim Makefile +8 CPFLAGS = -O2 -fPIC Save the file and exit. # make # make test # ldd pam_cas.so
# cd /usr/share/obm/php/webmail/plugins/cas_authn/Pam_cas-2.0.11-esup-2.0.5/ # less pam_cas.conf
# cd /usr/share/obm/php/webmail/plugins/cas_authn/Pam_cas-2.0.11-esup-2.0.5/sources # cp pam_cas.so /lib/security/ # cp ../pam_cas.conf /etc/ # ls -l /lib/security/ # cp /etc/pam.d/imap /etc/pam.d/imap.bak # vim /etc/pam.d/imap auth sufficient /lib/security/pam_cas.so -simap://<your-server-hostname> -f/etc/pam_cas.conf
Save the file and exit.
# service saslauthd restart # service cyrus-imapd restart
Follow the steps described in the link below:
http://www.esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_pam.html
# openssl x509 -in <your-obm-certificate-path>/obm_certs.pem -out <your-obm-certificate-path>/obm_certs.der -outform DER
# keytool -import -storepass changeit -keystore /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/security/cacerts -file <your-obm-certificate-path>/obm_certs.der -alias <your-obm-server-hostname> ("changeit" is the JDK's default cacerts password; substitute your own if it has been changed.)
# keytool -v -list -storepass changeit -keystore /usr/lib/jvm/java-1.6.0-openjdk.x86_64/jre/lib/security/cacerts
# cd <your CATALINA_HOME>/webapps/cas/WEB-INF/ # vim cas.properties
Add contents to the configuration file as below:
... server.name=https://<your-cas-server-hostname>:8443 cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}/proxyValidate host.name=<your-cas-server-hostname> ...
Save the file and exit.
# cd /opt/openroad/bin/ # ./shutdown.sh # ./startup.sh # lsof -i :8443
# rpm -qa | grep pam_ldap # yum install pam_ldap
# vim /etc/pam.d/imap
Edit contents as below:
auth sufficient /lib/security/pam_cas.so -simap://<your-obm-server-hostname> -f/etc/pam_cas.conf account required pam_ldap.so #auth required pam_nologin.so #auth include password-auth #account include password-auth #session include password-auth
Save the file and exit.
# vim /etc/pam_cas.conf
Edit contents as below ("debug on" is useful while testing; switch it off once SSO works):
host <your-cas-server-hostname> port <your-cas-server-ssl-port> uriValidate /cas/proxyValidate ssl on debug on trusted_ca <path-to-cas-server-certs>/cas_server_certs.pem
# vim /etc/sysconfig/saslauthd
Edit contents as below:
# Directory in which to place saslauthd's listening socket, pid file, and so # on. This directory must already exist. SOCKETDIR=/var/run/saslauthd # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list # of which mechanism your installation was compiled with the ablity to use. MECH=pam # Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line. # DAEMONOPTS=--user saslauth # Additional flags to pass to saslauthd on the command line. See saslauthd(8) # for the list of accepted flags. FLAGS="-c"
# cp /etc/pam_ldap.conf /etc/pam_ldap.conf.bak # vim /etc/pam_ldap.conf
Edit contents as below:
base dc=local
# /etc/init.d/saslauthd restart # ps -ef | grep saslauthd
# vim cas_authn.php +106 ... // If control reaches this point, user is authenticated to CAS. $user = phpCAS::getUser(); $user .= '@<your-mail-domain>'; $pass = ''; ...
# cp /etc/obm/obm_conf.inc /etc/obm/obm_conf.inc.bak # vim /etc/obm/obm_conf.inc Edit contents as below: // authentification : 'CAS' (SSO AliaSuite), 'ldap' (LDAP authentication) or 'standalone' (default) $auth_kind = 'CAS'; $cas_server = '<your-cas-server-hostname>'; $cas_server_port = <your-cas-server-port>; $cas_server_uri = '/cas'; // CAS server SSL validation: 'ca' for // certificate from a CA, empty for no SSL validation. $cas_validation = "ca"; // CAS server certificate in PEM format, used when CAS validation is set to // 'self' or 'ca'. $cas_cert = '<path-to-cas-server-certs>/cas_server_certs.pem';##