Author Topic: CAS_Authentication Plugin  (Read 8708 times)

andl
CAS_Authentication Plugin
« on: July 05, 2012, 03:06:51 AM »
Hi List,

I am trying to get the new cas_authentication plugin (version 0.4.2) working with Roundcube 0.7.2 and phpCAS 1.3.1.


I am not sure if I miss the point with the proxy for the IMAP service, but the description of cas_authentication says
"This plugin replaces the RoundCube login page with authentication requests to a CAS server, which enables logging into RoundCube with identities
authenticated by the CAS server and acts as a CAS proxy to relay authenticated credentials to the IMAP backend."

So I think the proxy is integrated within this plugin, right or not?
Has someone got this working with this plugin?
Is there a special configuration required for the proxy?

Anyway, my cas_debug.log says the following (mailcas is the IMAP and Roundcube server, cas is the CAS server):

28E4 .START phpCAS-1.3.1 ****************** [CAS.php:450]
28E4 .=> phpCAS::proxy('2.0', 'cas.company.de', 443, '/cas', false) [cas_authn.php:256]
28E4 .|    => CAS_Client::__construct('2.0', true, 'cas.company.de', 443, '/cas', false) [CAS.php:399]
28E4 .|    <= ''
28E4 .<= ''
28E4 .=> phpCAS::setFixedCallbackURL('https://mailcas.company.de/?_action=pgtcallback') [cas_authn.php:259]
28E4 .<= ''
28E4 .=> phpCAS::setPGTStorageFile('/tmp') [cas_authn.php:262]
28E4 .|    => CAS_PGTStorage_File::__construct(CAS_Client, '/tmp') [Client.php:2212]
28E4 .|    |    => CAS_PGTStorage_AbstractStorage::__construct(CAS_Client) [File.php:119]
28E4 .|    |    <= ''
28E4 .|    <= ''
28E4 .<= ''
28E4 .=> phpCAS::setFixedServiceURL('https://mailcas.company.de/?_action=caslogin') [cas_authn.php:269]
28E4 .<= ''
28E4 .=> phpCAS::setNoCasServerValidation() [cas_authn.php:279]
28E4 .|    You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1663]
28E4 .<= ''
28E4 .=> phpCAS::setServerLoginURL('') [cas_authn.php:283]
28E4 .<= ''
28E4 .=> phpCAS::setServerLogoutURL('') [cas_authn.php:284]
28E4 .<= ''
28E4 .=> phpCAS::forceAuthentication() [cas_authn.php:98]
28E4 .|    => CAS_Client::forceAuthentication() [CAS.php:1100]
28E4 .|    |    => CAS_Client::isAuthenticated() [Client.php:1081]
28E4 .|    |    |    => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1187]
28E4 .|    |    |    |    neither user nor PGT found [Client.php:1353]
28E4 .|    |    |    <= false
28E4 .|    |    |    no ticket found [Client.php:1256]
28E4 .|    |    <= false
28E4 .|    |    => CAS_Client::redirectToCas(false) [Client.php:1090]
28E4 .|    |    |    => CAS_Client::getServerLoginURL(false, false) [Client.php:1394]
28E4 .|    |    |    |    => CAS_Client::getURL() [Client.php:326]
28E4 .|    |    |    |    <= 'https://mailcas.company.de/?_action=caslogin'
28E4 .|    |    |    <= 'https://cas.company.de/cas/login?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin'
28E4 .|    |    |    Redirect to : https://cas.company.de/cas/login?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin [Client.php:1400]
28E4 .|    |    |    exit()
28E4 .|    |    |    -
28E4 .|    |    -
28E4 .|    -
8FBD .START phpCAS-1.3.1 ****************** [CAS.php:450]
8FBD .=> phpCAS::proxy('2.0', 'cas.company.de', 443, '/cas', false) [cas_authn.php:256]
8FBD .|    => CAS_Client::__construct('2.0', true, 'cas.company.de', 443, '/cas', false) [CAS.php:399]
8FBD .|    |    Ticket 'ST-442-CbqppfBNyzclIEA17Lvu-cas' found [Client.php:868]
8FBD .|    <= ''
8FBD .<= ''
8FBD .=> phpCAS::setFixedCallbackURL('https://mailcas.company.de/?_action=pgtcallback') [cas_authn.php:259]
8FBD .<= ''
8FBD .=> phpCAS::setPGTStorageFile('/tmp') [cas_authn.php:262]
8FBD .|    => CAS_PGTStorage_File::__construct(CAS_Client, '/tmp') [Client.php:2212]
8FBD .|    |    => CAS_PGTStorage_AbstractStorage::__construct(CAS_Client) [File.php:119]
8FBD .|    |    <= ''
8FBD .|    <= ''
8FBD .<= ''
8FBD .=> phpCAS::setFixedServiceURL('https://mailcas.company.de/?_action=caslogin') [cas_authn.php:269]
8FBD .<= ''
8FBD .=> phpCAS::setNoCasServerValidation() [cas_authn.php:279]
8FBD .|    You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1663]
8FBD .<= ''
8FBD .=> phpCAS::setServerLoginURL('') [cas_authn.php:283]
8FBD .<= ''
8FBD .=> phpCAS::setServerLogoutURL('') [cas_authn.php:284]
8FBD .<= ''
8FBD .=> phpCAS::forceAuthentication() [cas_authn.php:98]
8FBD .|    => CAS_Client::forceAuthentication() [CAS.php:1100]
8FBD .|    |    => CAS_Client::isAuthenticated() [Client.php:1081]
8FBD .|    |    |    => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1187]
8FBD .|    |    |    |    neither user nor PGT found [Client.php:1353]
8FBD .|    |    |    <= false
8FBD .|    |    |    CAS 2.0 ticket `ST-442-CbqppfBNyzclIEA17Lvu-cas' is present [Client.php:1221]
8FBD .|    |    |    => CAS_Client::validateCAS20('', NULL, NULL) [Client.php:1222]
8FBD .|    |    |    |     [Client.php:2736]
8FBD .|    |    |    |    => CAS_Client::getServerServiceValidateURL() [Client.php:2742]
8FBD .|    |    |    |    |    => CAS_Client::getURL() [Client.php:415]
8FBD .|    |    |    |    |    <= 'https://mailcas.company.de/?_action=caslogin'
8FBD .|    |    |    |    <= 'https://cas.company.de/cas/serviceValidate?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin'
8FBD .|    |    |    |    => CAS_Client::_readURL('https://cas.company.de/cas/serviceValidate?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin&ticket=ST-442-CbqppfBNyzclIEA17Lvu-cas&pgtUrl=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dpgtcallback', NULL, NULL, NULL) [Client.php:2751]
8FBD .|    |    |    |    |    => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:218]
8FBD .|    |    |    |    |    |    Response Body:
8FBD .|    |    |    |    |    |    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
8FBD .|    |    |    |    |    |        <cas:authenticationSuccess>
8FBD .|    |    |    |    |    |                <cas:user>user.name</cas:user>
8FBD .|    |    |    |    |    |
8FBD .|    |    |    |    |    |
8FBD .|    |    |    |    |    |        </cas:authenticationSuccess>
8FBD .|    |    |    |    |    |    </cas:serviceResponse>
8FBD .|    |    |    |    |    |     [CurlRequest.php:82]
8FBD .|    |    |    |    |    <= true
8FBD .|    |    |    |    <= true
8FBD .|    |    |    |    => CAS_Client::_readExtraAttributesCas20(DOMNodeList) [Client.php:2802]
8FBD .|    |    |    |    |    Testing for rubycas style attributes [Client.php:2912]
8FBD .|    |    |    |    <= ''
8FBD .|    |    |    |    Storing Proxy List [Client.php:2811]
8FBD .|    |    |    |    => CAS_ProxyChain_AllowedList::isProxyListAllowed(array ()) [Client.php:2814]
8FBD .|    |    |    |    |    No proxies were found in the response [AllowedList.php:81]
8FBD .|    |    |    |    <= true
8FBD .|    |    |    |    => CAS_Client::_renameSession('ST-442-CbqppfBNyzclIEA17Lvu-cas') [Client.php:2845]
8FBD .|    |    |    |    |    Skipping session rename since phpCAS is not handling the session. [Client.php:3172]
8FBD .|    |    |    |    <= ''
8FBD .|    |    |    <= true
8FBD .|    |    |    CAS 2.0 ticket `ST-442-CbqppfBNyzclIEA17Lvu-cas' was validated [Client.php:1223]
8FBD .|    |    |    => CAS_Client::_validatePGT('https://cas.company.de/cas/serviceValidate?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin&ticket=ST-442-CbqppfBNyzclIEA17Lvu-cas&pgtUrl=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dpgtcallback', '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'>        <cas:authenticationSuccess>             <cas:user>user.name</cas:user>    </cas:authenticationSuccess></cas:serviceResponse>', DOMElement) [Client.php:1225]
8FBD .|    |    |    |    <proxyGrantingTicket> not found [Client.php:2235]
8FBD .|    |    |    |    => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket validated but no PGT Iou transmitted', 'https://cas.company.de/cas/serviceValidate?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin&ticket=ST-442-CbqppfBNyzclIEA17Lvu-cas&pgtUrl=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dpgtcallback', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'>  <cas:authenticationSuccess>             <cas:user>user.name</cas:user>    </cas:authenticationSuccess></cas:serviceResponse>') [Client.php:2241]
8FBD .|    |    |    |    |    => CAS_Client::getURL() [AuthenticationException.php:76]
8FBD .|    |    |    |    |    <= 'https://mailcas.company.de/?_action=caslogin'
8FBD .|    |    |    |    |    CAS URL: https://cas.company.de/cas/serviceValidate?service=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dcaslogin&ticket=ST-442-CbqppfBNyzclIEA17Lvu-cas&pgtUrl=https%3A%2F%2Fmailcas.company.de%2F%3F_action%3Dpgtcallback [AuthenticationException.php:79]
8FBD .|    |    |    |    |    Authentication failure: Ticket validated but no PGT Iou transmitted [AuthenticationException.php:80]
8FBD .|    |    |    |    |    Reason: no CAS error [AuthenticationException.php:93]
8FBD .|    |    |    |    |    CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
8FBD .|    |    |    |    |     <cas:authenticationSuccess>
8FBD .|    |    |    |    |             <cas:user>user.name</cas:user>
8FBD .|    |    |    |    |
8FBD .|    |    |    |    |
8FBD .|    |    |    |    |     </cas:authenticationSuccess>
8FBD .|    |    |    |    |    </cas:serviceResponse> [AuthenticationException.php:100]
8FBD .|    |    |    |    |    exit()

I would appreciate any hints.
Andl
« Last Edit: July 05, 2012, 05:21:15 AM by andl »

dfwarden
Re: CAS_Authentication Plugin
« Reply #1 on: August 06, 2012, 10:59:13 AM »
I did have this working at one point (0.6-ish) so hopefully I can help.

The way the plugin works, you basically have two options, "proxy" mode or "master" mode, controlled by cas_imap_caching.

"Proxy" in this case is a CAS term. https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough is a nice overview of the steps in that process.

"Proxy" mode basically generates a valid Service Ticket (ST) to be passed to your CAS-enabled IMAP authentication once the user has authenticated to the web/HTTPS CAS service for Roundcube.

"Master" mode is where a "master" password gets sent to the IMAP server on each successful CAS authentication.

So to answer your questions:

1) Yes, CAS proxy functionality is integrated in this plugin. It can perform the proxy steps from the walkthrough linked above.
2) At one point I did have it working, then forked the plugin to https://github.com/dfwarden/Roundcube-CAS-Authn because I wanted the CAS authentication path to be optional.
3) The special proxy configuration (if you want to use that method) is really done on the CAS and IMAP server. The CAS server needs an https service with "can proxy" enabled in the service manager (https://mailcas.company.de/?_action=caslogin) and an IMAP service. Then your IMAP server needs to somehow authenticate CAS tickets for that IMAP service. For most people running an open-source IMAP server on *nix, this can be accomplished by using pam_cas, which gives you a PAM module you can put in your IMAP server's PAM stack to authenticate CAS tickets. https://wiki.jasig.org/display/CASC/PAM+Module is a good place to start. I would recommend the esup-portail module over the Yale one since the former can use a text file (/etc/pam_cas.conf) for configuration whereas last time I checked the Yale one needs to know your configuration at compile time. Yale's may technically be more secure, but I prefer the flexibility of esup-portail.

Looking at your CAS log it looks like you may have cas_proxy set to false or may not have "can proxy" checked in the service manager for your HTTPS CAS service, or your CAS server may be having trouble with the pgtCallback step in the proxy process. If mailcas.company.de is more than one server (load balanced) then you need to use shared storage for PGTs.

HTH,
David Warden
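The failure in andl's log ("Ticket validated but no PGT Iou transmitted") and David's explanation of proxy mode both come down to one thing: the CAS server answered /serviceValidate with a user but without a cas:proxyGrantingTicket element, so phpCAS has no PGTIOU to resolve against the PGT that the pgtcallback would have stored. The example below is added here and is not code from the thread, the cas_authentication plugin, phpCAS or Roundcube; it is written in Python rather than PHP so it can be run stand-alone. It parses a CAS 2.0 serviceValidate response and classifies the proxy-flow outcome the way a troubleshooter would read the log. The three sample responses are constructed: the first mirrors the body in the log, the PGTIOU value and the INVALID_TICKET body are made up. The log's own warning about setNoCasServerValidation is a separate item to fix before production; without server validation the client accepts ticket-validation answers from any host presenting itself as the CAS server.

```python
"""Parse a CAS 2.0 /serviceValidate response and diagnose the proxy flow.

Added example, not code from the forum thread or the plugins it discusses.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CAS_NS = "http://www.yale.edu/tp/cas"


def _tag(name: str) -> str:
    """Namespace-qualify a CAS element name for ElementTree lookups."""
    return f"{{{CAS_NS}}}{name}"


@dataclass
class ServiceValidation:
    success: bool
    user: Optional[str] = None
    pgt_iou: Optional[str] = None          # proxy-granting-ticket IOU, if issued
    proxies: List[str] = field(default_factory=list)
    error_code: Optional[str] = None
    error_message: Optional[str] = None


def parse_service_validate(xml_text: str) -> ServiceValidation:
    """Turn the serviceValidate XML body into a ServiceValidation record."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise ValueError("not a cas:serviceResponse document")

    ok = root.find(_tag("authenticationSuccess"))
    if ok is not None:
        user_el = ok.find(_tag("user"))
        pgt_el = ok.find(_tag("proxyGrantingTicket"))
        user = (user_el.text or "").strip() if user_el is not None else None
        pgt_iou = (pgt_el.text or "").strip() if pgt_el is not None else ""
        # cas:proxies/cas:proxy lists the chain when a proxy ticket was validated
        proxies = [(p.text or "").strip() for p in ok.iter(_tag("proxy"))]
        return ServiceValidation(True, user=user, pgt_iou=pgt_iou or None, proxies=proxies)

    fail = root.find(_tag("authenticationFailure"))
    if fail is not None:
        return ServiceValidation(False, error_code=fail.get("code"),
                                 error_message=(fail.text or "").strip())
    raise ValueError("serviceResponse has neither success nor failure element")


def diagnose_proxy_flow(result: ServiceValidation, pgt_url_sent: bool) -> Tuple[str, str]:
    """Classify a proxy-mode validation outcome.

    pgt_url_sent says whether the validate request carried a pgtUrl parameter,
    i.e. whether the client asked for a PGT at all. Returns (status, explanation).
    """
    if not result.success:
        return "failed", f"CAS rejected the ticket: {result.error_code}: {result.error_message}"
    if result.pgt_iou:
        return "ok", (f"user {result.user} validated, PGTIOU {result.pgt_iou} issued; "
                      "resolve it in the PGT store written by the pgtUrl callback")
    if not pgt_url_sent:
        return "not_proxy_mode", "no pgtUrl was sent, so no PGT was requested (master mode or cas_proxy off)"
    return "pgt_missing", ("ticket validated but no PGTIOU transmitted: the CAS server declined to "
                           "proxy. Check that the service URL is registered with proxying allowed "
                           "and that the server completed the HTTPS callback to pgtUrl")


# Constructed sample mirroring the body in the thread's debug log: user only, no PGTIOU.
RESPONSE_NO_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>user.name</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a proxy-enabled service's response; the PGTIOU value is made up.
RESPONSE_WITH_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>user.name</cas:user>
        <cas:proxyGrantingTicket>PGTIOU-example-constructed</cas:proxyGrantingTicket>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a CAS 2.0 failure response.
RESPONSE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket 'ST-0-constructed' not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    for body in (RESPONSE_NO_PGT, RESPONSE_WITH_PGT, RESPONSE_FAILURE):
        status, why = diagnose_proxy_flow(parse_service_validate(body), pgt_url_sent=True)
        print(f"{status}: {why}")
```

Run against the body from the log (the first sample) with pgt_url_sent=True it reports pgt_missing, which matches David's reading: the request did ask for a PGT (the pgtUrl parameter is visible in the _readURL line), so the missing element points at the CAS server side, the service registration or the callback.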