Firstly let me explain our solution's idea: SquirrelMail uses an IMAP server as its backend. No matter which login method you are using, when people send email, SquirrelMail sends the username together with the mail to its IMAP backend. That means your IMAP backend and your SquirrelMail must have the same datasource. We are using dovecot as our IMAP server, since it is very flexible and supports many datasources (LDAP, database, file...) to store its user info. And we are using a PostgreSQL database as its user data source.
So now the problem is Casifying SquirrelMail and letting it use the same datasource. This is very easy to achieve with CAS, but it's not the only thing we need to care about: SquirrelMail has an IMAP backend; after the user has logged in to it, the system gets the user's ID ($login_username in SquirrelMail), but not the password. That's the problem, because SquirrelMail does need the user's password when it is sending the user's email to the IMAP backend: SquirrelMail needs to log in to dovecot (with the username and password provided) and then do the email sending.

In the standard method as described in the CAS documentation, you should use the CAS Proxy scheme to achieve this goal, which is absolutely the most secure and reliable way to do it. You turn SquirrelMail into a proxy and dovecot will use SquirrelMail and CAS to do the authentication: after the user has logged into SquirrelMail, the system gets his/her username, and when the user sends email, SquirrelMail will apply for a ProxyTicket (PT) for dovecot, and then dovecot will use the PT to get the user's name, pass its authentication and then send the email. The whole scenario will no longer use the user's password; CAS will help and ensure the whole process works.

But I didn't use the above 'Standard Method', not because configuring dovecot to enroll in the CAS process is complex (honestly, it is complex for someone who doesn't understand SSL and CAS Proxy well), but because I cannot find a proper place to insert the proxy scheme into SquirrelMail. If I use CAS Proxy, it seems I must rewrite some core part of SquirrelMail (make an independent module for CAS Proxy and then integrate it into the mail sending process, with quite a lot of code modification). That's not good for our business needs. What we want is to make the CAS integration layer as thin as possible, with the code modification at a minimum. So we found another way. Without using the Proxy method, what's the difference before and after we Casify SquirrelMail?
That is, we can no longer get the user's password as before. Without CAS, the user logs in on SquirrelMail's login page (login.php) with his/her username and password, then the login form is forwarded into the system (redirect.php) and SquirrelMail stores the username and password in the session. Later, when the user sends email, SquirrelMail uses the username and password to log in to the IMAP backend. Why should we break this rule? With CAS integrated, we can still use the same way. What we lose is just the user's password, and we can still get it back. The user info is stored in the database, and we have the username in hand from CAS after the user has successfully logged in. What we should do is just get the user's password from the database with his/her username obtained from CAS.

So I just modified a single file, login.php, with less than 40 lines of code, and our integration was finished. If you look at the detailed change at http://edupass.chinaedu.net:8080/fisheye/browse/default/squirrelmail/src/login.php?r=1644 , you will find I didn't modify anything in SquirrelMail's login process; it still uses the same form to do the authentication, just the username and password no longer come from SquirrelMail's login page. The username now comes from CAS: $principal = phpCAS::getUser(); And then the user's password is retrieved from the database. Actually, in our project I didn't get the user's password from the database directly, but from a WebService I wrote myself (the reason I'll explain later): $credential = $client->get_credential($principal); As you've seen, $wsdl_url = 'http://127.0.0.1:8080/services/QImpl?wsdl'; is our webservice's WSDL endpoint. Finally, the username and password are passed into SquirrelMail's login form and the further steps are no different. Voila, there's no PAM setup, no dovecot Casifying, just a few lines of modification in a single PHP file in SquirrelMail, and you get it Casified.
Why don't I call the database directly, but use a webservice to get the user's password? That is because of some of our business's specific needs, so you don't need to care much about it; just calling your datasource with PHP is also fine. Be CAUTIOUS: getting a user's password from the username is a very DANGEROUS operation. So you must carefully configure your interface (no matter whether webservice, database or something else) with security in mind. You must let only the SP host connect to the interface, and at best use an SSL tunnel in between. That's all I did. And I wish you good luck!

- modifications on SquirrelMail: http://edupass.chinaedu.net:8080/fisheye/browse/default/squirrelmail/src/login.php?r=1644 (function squirrelmail_loginpage_onload should be uncommented)
- our webservice's impl, see http://edupass.chinaedu.net:8080/fisheye/browse/default/edupass/edupass-service/src/main/java/net/chinaedu/edupass/idp/service/QImpl.java?r=1635
- A very good explanation of CAS Proxy if you are interested: http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough
- The CAS Proxy demo, source code and a video demo I made: http://edupass.chinaedu.net:8080/wiki/display/general/CAS+Proxy+Demo

BRs,
-
Li Wei Nan
Senior System Architecture Engineer, R&D Dept.
TEL: 86 10 13681565097
E-MAIL: [email protected]
ChinaEdu, Inc. (NasdaqGM:CEDU)
http://www.chinaedu.net

> On Feb 16, 2009, at 9:32 PM, Han Sue Cien wrote:
>
>> Hi,
>>
>> I've been trying for a long time to casify Squirrelmail without success!
>> Your paper about this is quite interesting.
>> I just wonder if the paper contains the whole instruction or part of it?
>> I mean: do you set up pam_cas, additional stuff in httpd.conf, dovecot?
>>
>> About your program login.php:
>> - which SOAP/client.php is included (/usr/share/pear/doc/SOAP/example/wsdl_client.php or /usr/share/pear/doc/SOAP/example/client.php)?
>> - in the line
>> $wsdl_url = 'http://127.0.0.1:8080/services/QImpl?wsdl';
>> what is the meaning of QImpl, and how do you set it up?
>> Thanks in advance for your reply.
>>
>> Sue Cien
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
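As an added illustration of the login.php hook the reply above describes (this is not the author's code from the linked repository), the sketch below takes the principal from phpCAS, asks the credential service for the IMAP password via the `get_credential` operation named on the page, and feeds both into SquirrelMail's own login form. The hook name `cas_prefill_login`, the CAS host, the CA file path and the use of PHP's bundled SoapClient in place of the PEAR SOAP client are assumptions.

```php
<?php
// Added example, not the original login.php: CAS pre-fill hook for SquirrelMail.
// Assumes phpCAS is installed and that the SOAP service exposes
// get_credential(username) as described on the page; the CAS host name,
// the CA file path and the hook name are placeholders.
require_once 'CAS.php';

// Only trust a principal from a CAS server whose certificate chains to our CA;
// setNoCasServerValidation() would let any host pose as the CAS server.
phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, 'cas'); // assumed host
phpCAS::setCasServerCACert('/etc/ssl/certs/our-ca.pem');      // assumed path
phpCAS::forceAuthentication();

/**
 * Returns array('username' => ..., 'password' => ...) for the CAS principal,
 * or null when the credential service fails or returns nothing usable.
 */
function cas_prefill_login()
{
    $principal = phpCAS::getUser();

    // Keep this endpoint on loopback (or behind TLS) and reachable only from the
    // SP host, as the author recommends: it hands out a password for a bare username.
    $wsdl_url = 'http://127.0.0.1:8080/services/QImpl?wsdl';
    try {
        $client = new SoapClient($wsdl_url, array('exceptions' => true));
        $credential = $client->get_credential($principal);
    } catch (SoapFault $e) {
        error_log('credential lookup failed for ' . $principal . ': ' . $e->getMessage());
        return null;
    }
    if (!is_string($credential) || $credential === '') {
        return null;
    }
    return array('username' => $principal, 'password' => $credential);
}

$creds = cas_prefill_login();
if ($creds !== null) {
    // Pre-fill SquirrelMail's form fields and post to redirect.php as a normal login.
    // The password is rendered into the HTML the browser receives, so serve this
    // page over HTTPS only and forbid caching; on failure fall through to the form.
    header('Cache-Control: no-store');
    $u = htmlspecialchars($creds['username'], ENT_QUOTES, 'UTF-8');
    $p = htmlspecialchars($creds['password'], ENT_QUOTES, 'UTF-8');
    echo '<form name="f" method="post" action="redirect.php">'
       . '<input type="hidden" name="login_username" value="' . $u . '">'
       . '<input type="hidden" name="secretkey" value="' . $p . '">'
       . '</form><script>document.f.submit();</script>';
}
```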
