Hi,

I'd like to CASify IMAP but I'm having problems and I don't know why.
We have Cyrus with SASL and webmail Horde.
I've CASified Horde without problems.
These are my configurations and the log files with the errors.


My versions:
Cyrus IMAP 2.3.7
SASL 2.1.22
Horde 3.3.5 (IMP 4.3.5)
Pam_cas-2.0.11-esup-2.0.4
phpCAS version 1.1.0
CAS 3.0.5

My configuration files:
-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# more /etc/pam.d/imap
#%PAM-1.0
auth      sufficient  /lib/security/pam_cas.so -simap://draconis.upc.es -f/etc/pam_cas.conf

-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# more /etc/pam_cas.conf
# host from CAS server. mandatory
host palpatine.upc.es

# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 8443

# uri to validate ticket. Default to /proxyValidate
uriValidate /cas/proxyValidate

# https or no. values on or off. Default to on.
ssl on

# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug on

# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
proxy https://draconis.upc.es/hordecas/casProxy.php

# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
#    certificate from high level CA
trusted_ca /etc/openldap/cacerts/CAALL5.pem

-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# ps -efa | grep -i sasl
root     26524     1  0 12:15 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root     26525 26524  0 12:15 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root     26526 26524  0 12:15 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root     26527 26524  0 12:15 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root     26528 26524  0 12:15 ?        00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root     26531 26136  0 12:15 pts/1    00:00:00 grep -i sasl
[r...@draconis etc]#

-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# cd /var/www/html/hordecas/imp/config/
[r...@draconis config]# more servers.php
...
$servers['cyrus'] = array(
     'name' => 'Correu K2',
     'server' => 'draconis.upc.es',
     'hordeauth' => false,
     'protocol' => 'imap/notls',
     'port' => 143,
     'realm' => '',
     'preferred' => 'selected',
     'admin' => array(
         'params' => array(
             'login' => 'cyrus',
             'password' => 'xxxxxxxx',
             // The 'userhierarchy' parameter defaults to 'user.'
             // If you are using a nonstandard hierarchy for personal
             // mailboxes, you will need to set it here.
             'userhierarchy' => 'user/',
             // Although these defaults are normally all that is required,
             // you can modify the following parameters from their default
             // values.
             'protocol' => 'imap/notls',
             'hostspec' => 'localhost',
             'port' => 143
         )
     ),
     'quota' => array(
         'driver' => 'imap',
         'params' => array(
             'hide_quota_when_unlimited' => true,
             'login' => 'cyrus',
             'password' => 'xxxxxxxx',
             'userhierarchy' => 'user/',
             'protocol' => 'imap/notls',
             'hostspec' => 'localhost',
             'port' => 143
         )
     ),
);

-----------------------------------------------------------------------------------------------------------
CAS server log file:

2010-05-25 15:31:27,461 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: ana.ribas
2010-05-25 15:31:27,461 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [ana.ribas]
2010-05-25 15:31:27,462 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-306-PvGhwE0T5ZyOLgC3PCbcs0kyBru5raEOQlo-20] for service [https://draconis.upc.es/hordecas/login.php] for user [ana.ribas]
2010-05-25 15:31:27,673 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for https://draconis.upc.es/hordecas/casProxy.php
2010-05-25 15:31:27,758 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: https://draconis.upc.es/hordecas/casProxy.php
2010-05-25 15:31:27,971 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
2010-05-25 15:31:37,544 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]

-----------------------------------------------------------------------------------------------------------
IMAP server auth.log:

[r...@draconis config]# tail -f /var/log/auth.log
May 25 15:31:28 draconis PAM_cas[26809]:   checking element https://draconis.upc.es/hordecas/casProxy.php
May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:28 draconis saslauthd[26809]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:28 draconis saslauthd[26809]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:31 draconis PAM_cas[26810]:    for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:31 draconis saslauthd[26810]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:31 draconis saslauthd[26810]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:34 draconis PAM_cas[26811]:    for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:34 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:34 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:34 draconis saslauthd[26811]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:31:37 draconis PAM_cas[26812]:   checking element https://draconis.upc.es/hordecas/casProxy.php
May 25 15:31:37 draconis PAM_cas[26812]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:37 draconis saslauthd[26812]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:37 draconis saslauthd[26812]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:40 draconis PAM_cas[26811]:    for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:40 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:40 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:40 draconis saslauthd[26811]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:43 draconis PAM_cas[26813]:    for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:43 draconis PAM_cas[26813]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:43 draconis saslauthd[26813]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:43 draconis saslauthd[26813]: do_auth         : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

-----------------------------------------------------------------------------------------------------------
IMAP server maillog:

[r...@draconis config]# tail -f /var/log/maillog
May 25 15:31:28 draconis master[26881]: about to exec /usr/lib/cyrus-imapd/imapd
May 25 15:31:28 draconis imap[26881]: executed
May 25 15:31:28 draconis imap[26880]: accepted connection
May 25 15:31:28 draconis imap[26880]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
May 25 15:31:34 draconis last message repeated 2 times
May 25 15:31:37 draconis imap[26437]: accepted connection
May 25 15:31:37 draconis imap[26437]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
May 25 15:31:43 draconis last message repeated 2 times


Can someone help me, please?
I don't know what more to do.
Thank you in advance!!

PS: Sorry for my bad English


-- 
Anna Ribas Roca
Projectes Tecnològics
UPCnet, Universitat Politècnica de Catalunya
Phone: 93.405.44.26
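
Added example (not part of the original message): a small Python correlator for auth.log entries in the format shown above. It separates a ticket that pam_cas accepted but that was then refused in the PAM account phase from a ticket presented again after it had already been validated once (CAS tickets are single-use). The sample lines, user names, ticket ids and PIDs are constructed, and it assumes one syslog entry per line.

```python
import re

# Constructed sample in the format of the auth.log above; the users, ticket
# ids and PIDs are placeholders, not values taken from the post.
SAMPLE = """\
May 25 15:31:28 host PAM_cas[100]: USER 'alice' AUTHENTICATED WITH CAS PT:ST-1-EXAMPLE
May 25 15:31:28 host saslauthd[100]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:28 host saslauthd[100]: do_auth         : auth failure: [user=alice] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
May 25 15:31:31 host PAM_cas[101]: authentication failure for user 'alice' : bad CAS ticket. PT=ST-1-EXAMPLE
May 25 15:31:31 host saslauthd[101]: do_auth         : auth failure: [user=alice] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:31:34 host PAM_cas[102]: authentication failure for user 'bob' : bad CAS ticket. PT=ST-2-EXAMPLE
"""

ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VALIDATED = re.compile(r"AUTHENTICATED WITH CAS PT:(\S+)")
REJECTED = re.compile(r"bad CAS ticket\.\s+PT=(\S+)")
REASON = re.compile(r"\[reason=PAM (\w+) error\]")


def diagnose(log_text):
    """Return (ticket, finding) tuples, in log order, for failed login attempts."""
    validated = set()  # tickets the CAS server has already accepted once
    pending = {}       # saslauthd worker pid -> ticket it has just validated
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # continuation lines such as the CAS XML response
        pid, msg = m["pid"], m["msg"]
        if m["prog"] == "PAM_cas":
            ok, bad = VALIDATED.search(msg), REJECTED.search(msg)
            if ok:
                validated.add(ok[1])
                pending[pid] = ok[1]
            elif bad:
                # Second validation of an already accepted ticket always fails.
                reused = bad[1] in validated
                findings.append((bad[1], "ticket_reused_after_validation" if reused else "ticket_rejected"))
        elif m["prog"] == "saslauthd":
            err = REASON.search(msg)
            # Ticket passed the auth phase; the PAM account phase refused the login.
            if err and err[1] == "acct" and pid in pending:
                findings.append((pending.pop(pid), "account_phase_failed_after_valid_ticket"))
    return findings


if __name__ == "__main__":
    for ticket, finding in diagnose(SAMPLE):
        print(ticket, finding)
```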