Hello, I'm new to CAS. We've been using a different SSO system for our Intranet, but are moving to CAS because it means not having to go through a distant reverse-proxy on every http request.
I've been configuring an Apache httpd instance to use mod_auth_cas. As far as I can tell, I have things configured right in /etc/httpd/conf.d/auth_cas.conf. But when I try navigating to the protected URLs from a browser (e.g. http://mydomain/arcgis/rest/services), Apache serves the pages without (AFAICT) doing any CAS authentication at all. At the bottom of this email are my mod_auth_cas settings. As you can see, I turned on CASDebug to see if I could get any clues. But I don't see any mod_auth_cas debug output appearing in either the httpd error log or httpd access log. I know that mod_auth_cas module is loading because when I was first setting up the configuration, I had invalid settings and errors were generated in the error log. I also set LogLevel to "debug" for all of httpd, with the result that I get lots of debugging output in the error log, especially for proxy_util.c, and some for SSL_scache_shmcb.c Speaking of proxy, I will also attach the proxy-related settings from httpd.conf, in case that is affecting the use of CAS. As you can see from auth_cas.conf, I waffled a bit on whether to use <Location> with a URL, or <Directory> with a proxy:URL. I would prefer the former as cleaner, but was willing to try the other to get it to work. Any help is appreciated... either 1) how to protect the /arcgis/* URLs, requiring CAS authentication or 2) how to find the debug output from mod_auth_cas, in order to debug why 1 isn't happening. Thanks, Lars # /etc/httpd/conf.d/auth_cas.conf: Config file for mod_auth_cas # by Lars Huttar, 2009-06-18 # following http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas # Load CAS module -- Lars Huttar, 2009-06-17 LoadModule auth_cas_module modules/mod_auth_cas.so CASDebug On # The doc says the default for CASCookiePath is /tmp/cas/, but when # I don't set this I get errors saying it's /dev/null! So I'll set it. CASCookiePath /tmp/cas/ # Prod: CASLoginURL https://www.cas.insitehome.org/login # QA: CASLoginURL https://qa.cas.insitehome.org/login CASLoginURL https://qa.cas.insitehome.org/login # Prod: CASValidateURL https://www.cas.insitehome.org/validate # QA: CASValidateURL https://qa.cas.insitehome.org/validate CASValidateURL https://qa.cas.insitehome.org/validate # CASTimeout: default 7200 # Description: This is the hard limit, in seconds, for a mod_auth_cas session (whether # it is idle or not). CASTimeout 28800 # CASValidateServer Off # Needs to be on but we can turn off for QA if nec. <Location "/arcgis/*"> # <Directory proxy:http://rome2:8399/> AuthType CAS Require valid-user CASScope /arcgis/ # Allow anonymous access: can you do it for multiple folders? # CASGateWay /test/ # CASGateWay /gmaps/ CASAuthNHeader CAS_AUTH_USER </Location> # </Directory> Proxy-related settings in httpd.conf: # Proxy Server directives. Uncomment the following lines to # enable the proxy server: # <IfModule mod_proxy.c> ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass /gaz http://middleware.alexandria.ucsb.edu/gaz ProxyPassReverse /gaz http://middleware.alexandria.ucsb.edu/gaz # Rules for reverse proxy for ArcGIS Server # ProxyRequests Off ProxyPass /arcgis/services http://rome2:8399/arcgis/services ProxyPassReverse /arcgis/services http://rome2:8399/arcgis/services ProxyPass /arcgis/rest http://rome2:8399/arcgis/rest ProxyPassReverse /arcgis/rest http://rome2:8399/arcgis/rest ProxyPass /arcgis/sdk/rest http://rome2:8399/arcgis/sdk/rest ProxyPassReverse /arcgis/sdk/rest http://rome2:8399/arcgis/sdk/rest ProxyPass /arcgis/tokens http://rome2/arcgis/tokens ProxyPassReverse /arcgis/tokens http://rome2/arcgis/tokens ProxyPass /arcgis/server/proxyoutput/ http://rome2:8399/arcgis/server/proxyoutput/ ProxyPassReverse /arcgis/server/proxyoutput/ http://rome2:8399/arcgis/server/proxyoutput/ ProxyPass /arcgis/server/proxyjobs/ http://rome2:8399/arcgis/server/proxyjobs/ ProxyPassReverse /arcgis/server/proxyjobs/ http://rome2:8399/arcgis/server/proxyjobs/ ProxyPass /arcgis/server/proxycache/ http://rome2:8399/arcgis/server/proxycache/ ProxyPassReverse /arcgis/server/proxycache/ http://rome2:8399/arcgis/server/proxycache/ -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
