Hi,

Disclaimer: I hope this is the right list to discuss mod_auth_cas; if not, please tell me (or even better, please tell me where this should be discussed).

While I was used to mod_cas, I recently installed a new web server, and decided to give a try to the newer mod_auth_cas. I grabbed version 1.0.8 with svn, and experienced a few problems with it:

1) My CAS server uses a certificate signed by an intermediate CA, which is itself signed by a root CA. Mod_auth_cas 1.0.8 fails to verify this certificate. Nuking the corresponding test (with comment "this may be redundant, since we require peer verification to perform the handshake") in check_cert_cn solves the problem. I saw that this test was also nuked in trunk, but not (yet) in any released version.

2) The CASScope option does not work if there is also a CASGateway (or a CASRenew) option. Reading the code, I think the logic in the getCASScope function is wrong, and CASGateway (or CASRenew) should only be considered for the cookie's path if the requested path is below CASGateway (or CASRenew).

3) The server where mod_auth_cas is used is hidden behind another server that serves as a reverse proxy. Then mod_auth_cas redirects to the real server, which is firewalled. I added a new "CASRootProxiedAs" option to mod_auth_cas, to make mod_auth_cas redirect to (and request tickets for) the frontend server.

Note that I patched mod_auth_cas 1.0.8 for those 3 points. If someone is interested in my patches, I'll be happy to port them to current trunk (except the first one that is already fixed in trunk).

Regards,

--
Nicolas Boullis
Ecole Centrale Paris
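
Added example, not part of the original e-mail and not mod_auth_cas code: a C illustration of the cookie-path selection described in point 2, where CASGateway or CASRenew is used only when the requested path lies below it. The function names, the precedence order (CASGateway, then CASRenew, then CASScope), the fallback to the request path and the '/'-boundary comparison are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 when `path` equals `prefix` or lies beneath it on a '/' boundary,
 * so "/app" covers "/app/x" but not "/application". A plain strncmp() prefix
 * test would accept both and scope the cookie too widely. */
static int path_is_below(const char *path, const char *prefix)
{
    size_t n;

    if (path == NULL || prefix == NULL || prefix[0] != '/')
        return 0;
    n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0)
        return 0;
    if (prefix[n - 1] == '/')        /* prefix already ends on a boundary */
        return 1;
    return path[n] == '\0' || path[n] == '/';
}

/* Hypothetical helper (assumed names and precedence): picks the Path for the
 * session cookie. Each argument is the configured directive value or NULL
 * when the directive is unset. A directive is considered only if the
 * requested path is below it; otherwise the next candidate is tried. */
const char *pick_cookie_path(const char *scope, const char *gateway,
                             const char *renew, const char *request_path)
{
    if (path_is_below(request_path, gateway))
        return gateway;
    if (path_is_below(request_path, renew))
        return renew;
    if (path_is_below(request_path, scope))
        return scope;
    /* Nothing applies: scope the cookie to the request itself. */
    return request_path;
}
```

With CASScope "/app" and CASGateway "/app/public" (constructed values), a request for "/app/private/x" gets the cookie path "/app" instead of the unrelated gateway path.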
