I'm having trouble following the logs but I would check either of these:

1. Make sure you're only validating a ticket once (they cannot be used twice)
2. Make sure the service IDs match (I see you're validating using imap://.... but I don't see any tickets issued for that unless I missed it).
Cheers,
Scott

On Thu, May 27, 2010 at 5:21 AM, Ana Ribas Roca <[email protected]> wrote:
> Hi,
>
> I'd like to CASify IMAP but I'm having problems and I don't know why.
> We have Cyrus with SASL and webmail Horde.
> I've CASified Horde without problems.
> These are my configurations and the log files with the errors.
>
> My versions:
> Cyrus IMAP 2.3.7
> SASL 2.1.22
> Horde 3.3.5 (IMP 4.3.5)
> Pam_cas-2.0.11-esup-2.0.4
> phpCAS version 1.1.0
> CAS 3.0.5
>
> My configuration files:
>
> -----------------------------------------------------------------------------------------------------------
> [r...@draconis etc]# more /etc/pam.d/imap
> #%PAM-1.0
> auth sufficient /lib/security/pam_cas.so -simap://draconis.upc.es -f/etc/pam_cas.conf
>
> -----------------------------------------------------------------------------------------------------------
> [r...@draconis etc]# more /etc/pam_cas.conf
> # host from CAS server. mandatory
> host palpatine.upc.es
>
> # port from CAS server. Default to 80 or 443, depends from ssl instruction
> port 8443
>
> # uri to validate ticket. Default to /proxyValidate
> uriValidate /cas/proxyValidate
>
> # https or no. values on or off. Default to on.
> ssl on
>
> # debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
> debug on
>
> # proxy or proxies who deliver Proxy Ticket.
> # If no proxy, pam_cas doesn't control it
> # It may be several proxy instructions
> proxy https://draconis.upc.es/hordecas/casProxy.php
>
> # trusted_ca. mandatory if ssl on.
> # It is a file in PEM format. It can contain several certificates
> # If the CAS server certificate is self-signed, the file must contain the certificate
> # If the certificate is trusted by a Certificate Authority, the file must contain the certificate from the high-level CA
> trusted_ca /etc/openldap/cacerts/CAALL5.pem
>
> -----------------------------------------------------------------------------------------------------------
> [r...@draconis etc]# ps -efa | grep -i sasl
> root 26524 1 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
> root 26525 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
> root 26526 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
> root 26527 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
> root 26528 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
> root 26531 26136 0 12:15 pts/1 00:00:00 grep -i sasl
> [r...@draconis etc]#
>
> -----------------------------------------------------------------------------------------------------------
> [r...@draconis etc]# cd /var/www/html/hordecas/imp/config/
> [r...@draconis config]# more servers.php
> ...
> $servers['cyrus'] = array(
>     'name' => 'Correu K2',
>     'server' => 'draconis.upc.es',
>     'hordeauth' => false,
>     'protocol' => 'imap/notls',
>     'port' => 143,
>     'realm' => '',
>     'preferred' => 'selected',
>     'admin' => array(
>         'params' => array(
>             'login' => 'cyrus',
>             'password' => 'xxxxxxxx',
>             // The 'userhierarchy' parameter defaults to 'user.'
>             // If you are using a nonstandard hierarchy for personal
>             // mailboxes, you will need to set it here.
>             'userhierarchy' => 'user/',
>             // Although these defaults are normally all that is required,
>             // you can modify the following parameters from their default
>             // values.
>             'protocol' => 'imap/notls',
>             'hostspec' => 'localhost',
>             'port' => 143
>         )
>     ),
>     'quota' => array(
>         'driver' => 'imap',
>         'params' => array(
>             'hide_quota_when_unlimited' => true,
>             'login' => 'cyrus',
>             'password' => 'xxxxxxxx',
>             'userhierarchy' => 'user/',
>             'protocol' => 'imap/notls',
>             'hostspec' => 'localhost',
>             'port' => 143
>         )
>     ),
> );
>
> -----------------------------------------------------------------------------------------------------------
> CAS server log file:
>
> 2010-05-25 15:31:27,461 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: ana.ribas
> 2010-05-25 15:31:27,461 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [ana.ribas]
> 2010-05-25 15:31:27,462 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-306-PvGhwE0T5ZyOLgC3PCbcs0kyBru5raEOQlo-20] for service [https://draconis.upc.es/hordecas/login.php] for user [ana.ribas]
> 2010-05-25 15:31:27,673 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for https://draconis.upc.es/hordecas/casProxy.php
> 2010-05-25 15:31:27,758 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: https://draconis.upc.es/hordecas/casProxy.php
> 2010-05-25 15:31:27,971 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
> 2010-05-25 15:31:37,544 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
>
> -----------------------------------------------------------------------------------------------------------
> IMAP server auth.log:
>
> [r...@draconis config]# tail -f /var/log/auth.log
> May 25 15:31:28 draconis PAM_cas[26809]: checking element https://draconis.upc.es/hordecas/casProxy.php
> May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
> May 25 15:31:28 draconis saslauthd[26809]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
> May 25 15:31:28 draconis saslauthd[26809]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
> <cas:authenticationFailure code='INVALID_TICKET'>
> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized
> </cas:authenticationFailure> </cas:serviceResponse>
> May 25 15:31:31 draconis PAM_cas[26810]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
> May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
> May 25 15:31:31 draconis saslauthd[26810]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
> May 25 15:31:31 draconis saslauthd[26810]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
> <cas:authenticationFailure code='INVALID_TICKET'>
> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized
> </cas:authenticationFailure> </cas:serviceResponse>
> May 25 15:31:34 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
> May 25 15:31:34 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
> May 25 15:31:34 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
> May 25 15:31:34 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> May 25 15:31:37 draconis PAM_cas[26812]: checking element https://draconis.upc.es/hordecas/casProxy.php
> May 25 15:31:37 draconis PAM_cas[26812]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
> May 25 15:31:37 draconis saslauthd[26812]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
> May 25 15:31:37 draconis saslauthd[26812]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
> <cas:authenticationFailure code='INVALID_TICKET'>
> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized
> </cas:authenticationFailure> </cas:serviceResponse>
> May 25 15:31:40 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
> May 25 15:31:40 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
> May 25 15:31:40 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
> May 25 15:31:40 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
> <cas:authenticationFailure code='INVALID_TICKET'>
> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized
> </cas:authenticationFailure> </cas:serviceResponse>
> May 25 15:31:43 draconis PAM_cas[26813]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
> May 25 15:31:43 draconis PAM_cas[26813]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
> May 25 15:31:43 draconis saslauthd[26813]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
> May 25 15:31:43 draconis saslauthd[26813]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
> -----------------------------------------------------------------------------------------------------------
> IMAP server maillog:
>
> [r...@draconis config]# tail -f /var/log/maillog
> May 25 15:31:28 draconis master[26881]: about to exec /usr/lib/cyrus-imapd/imapd
> May 25 15:31:28 draconis imap[26881]: executed
> May 25 15:31:28 draconis imap[26880]: accepted connection
> May 25 15:31:28 draconis imap[26880]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
> May 25 15:31:34 draconis last message repeated 2 times
> May 25 15:31:37 draconis imap[26437]: accepted connection
> May 25 15:31:37 draconis imap[26437]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
> May 25 15:31:43 draconis last message repeated 2 times
>
> Can someone help me, please?
> I don't know what more to do.
> Thank you in advance!!
>
> PS: Sorry for my bad English
>
> --
> Anna Ribas Roca
> Technology Projects
> UPCnet, Universitat Politècnica de Catalunya
> Phone: 93.405.44.26
>
> ----------------------------------------------------------------
> *** Please, don't print me. I want to remain digital ***
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
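As an added diagnostic (not part of the thread, and not pam_cas or CAS code), the script below runs the two checks from the reply over log lines in the two formats quoted above: it counts how many PAM_cas processes validated each service ticket, and compares the service a ticket was issued for with the service named in the proxyValidate request. The sample lines are constructed; hostnames, ticket strings, pids and the user name are placeholders.

```python
import re

# Constructed sample lines modelled on the CAS server log and PAM_cas auth.log entries quoted above.
CAS_SERVER_LOG = """\
2010-05-25 15:31:27,462 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-306-AAAA-20] for service [https://webmail.example.edu/hordecas/login.php] for user [jdoe]
2010-05-25 15:31:27,971 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-307-BBBB-20] for service [imap://mail.example.edu] for user [https://webmail.example.edu/hordecas/casProxy.php]
2010-05-25 15:32:01,100 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-310-DDDD-20] for service [imap://mail.example.edu:143] for user [https://webmail.example.edu/hordecas/casProxy.php]
"""
AUTH_LOG = """\
May 25 15:31:28 mail PAM_cas[26809]: USER 'jdoe' AUTHENTICATED WITH CAS PT:ST-307-BBBB-20
May 25 15:31:31 mail PAM_cas[26810]: for requestGET /cas/proxyValidate?ticket=ST-307-BBBB-20&service=imap://mail.example.edu HTTP/1.0
May 25 15:31:34 mail PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-307-BBBB-20&service=imap://mail.example.edu HTTP/1.0
May 25 15:32:02 mail PAM_cas[26812]: for requestGET /cas/proxyValidate?ticket=ST-310-DDDD-20&service=imap://mail.example.edu HTTP/1.0
May 25 15:32:05 mail PAM_cas[26813]: for requestGET /cas/proxyValidate?ticket=ST-309-CCCC-20&service=imap://mail.example.edu HTTP/1.0
"""

GRANT_RE = re.compile(r"Granted service ticket \[(\S+)\] for service \[(\S+)\]")
REQUEST_RE = re.compile(r"PAM_cas\[(\d+)\]: for requestGET \S*[?&]ticket=([^&\s]+)&service=(\S+)")
RESULT_RE = re.compile(r"PAM_cas\[(\d+)\]: .*\bPT[:=](\S+)")  # "AUTHENTICATED ... PT:" or "bad CAS ticket. PT="

def parse_grants(cas_log):
    """Map each ticket the CAS server issued to the service it was issued for."""
    return dict(GRANT_RE.findall(cas_log))

def parse_attempts(auth_log):
    """One validation attempt per PAM_cas pid: {pid: (ticket, service or None)}."""
    attempts = {}
    for line in auth_log.splitlines():
        if m := REQUEST_RE.search(line):
            attempts[m.group(1)] = (m.group(2), m.group(3))
        elif (m := RESULT_RE.search(line)) and m.group(1) not in attempts:
            attempts[m.group(1)] = (m.group(2), None)  # only the result was logged
    return attempts

def diagnose(cas_log, auth_log):
    """Apply the two checks from the reply: single-use tickets and matching service ids."""
    grants, uses, findings = parse_grants(cas_log), {}, {}
    for pid, (ticket, service) in parse_attempts(auth_log).items():
        uses.setdefault(ticket, []).append((pid, service))
    for ticket, attempts in uses.items():
        problems = []
        if len(attempts) > 1:  # a service ticket is consumed by its first validation
            problems.append("validated %d times (pids %s)" % (len(attempts), ",".join(p for p, _ in attempts)))
        if ticket not in grants:
            problems.append("never issued by the CAS server")
        elif any(s and s != grants[ticket] for _, s in attempts):
            problems.append("service mismatch: issued for %s" % grants[ticket])
        if problems:
            findings[ticket] = problems
    return findings
```

On the constructed input this reports the ST-307 ticket as validated three times, which is the pattern visible in the quoted auth.log, plus a ticket never issued and one issued for a differently spelled service id.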
