Hi,

first off, please use the current version of phpCAS. Right now it's 1.1.1. The version fixes a few issues. I guess the issues are not relevant in this case, but just to be safe.

To validate that the whole proxy authentication is working with your setup, please use a simple example code before trying the integration into another application. As a simple example please have a look at the proxy examples http://www.ja-sig.org/wiki/display/CASC/phpCAS+examples#phpCASexamples-ACASproxy and also have a look at the function phpCAS::serviceMail()
http://www.ja-sig.org/downloads/cas-clients/php/1.1.1/docs/api/group__publicServices.html#gac56f9919a058a90c9fef61a07e49db8d

Replacing the serviceWeb() calls with a serviceMail() should be the only thing you need to adapt in the example. But I don't know for sure, since I have not done IMAP proxying yet.

Please also include the phpCAS debug log if you have further problems.

Regards,
Joachim

On 27.05.2010 11:21, Ana Ribas Roca wrote:
Hi,

I'd like to CASify IMAP, but I'm having problems and I don't know why. We have Cyrus with SASL and the Horde webmail. I've CASified Horde without problems. These are my configurations and the log files with the errors.

My versions:
Cyrus IMAP 2.3.7
SASL 2.1.22
Horde 3.3.5 (IMP 4.3.5)
Pam_cas-2.0.11-esup-2.0.4
phpCAS version 1.1.0
CAS 3.0.5

My configuration files:
-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# more /etc/pam.d/imap
#%PAM-1.0
auth sufficient /lib/security/pam_cas.so -simap://draconis.upc.es -f/etc/pam_cas.conf
-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# more /etc/pam_cas.conf
# host from CAS server. mandatory
host palpatine.upc.es
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 8443
# uri to validate ticket. Default to /proxyValidate
uriValidate /cas/proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug on
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
proxy https://draconis.upc.es/hordecas/casProxy.php
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
trusted_ca /etc/openldap/cacerts/CAALL5.pem
-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# ps -efa | grep -i sasl
root 26524 1 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root 26525 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root 26526 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root 26527 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root 26528 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
root 26531 26136 0 12:15 pts/1 00:00:00 grep -i sasl
[r...@draconis etc]#
-----------------------------------------------------------------------------------------------------------
[r...@draconis etc]# cd /var/www/html/hordecas/imp/config/
[r...@draconis config]# more servers.php
...
$servers['cyrus'] = array(
    'name' => 'Correu K2',
    'server' => 'draconis.upc.es',
    'hordeauth' => false,
    'protocol' => 'imap/notls',
    'port' => 143,
    'realm' => '',
    'preferred' => 'selected',
    'admin' => array(
        'params' => array(
            'login' => 'cyrus',
            'password' => 'xxxxxxxx',
            // The 'userhierarchy' parameter defaults to 'user.'
            // If you are using a nonstandard hierarchy for personal
            // mailboxes, you will need to set it here.
            'userhierarchy' => 'user/',
            // Although these defaults are normally all that is required,
            // you can modify the following parameters from their default
            // values.
            'protocol' => 'imap/notls',
            'hostspec' => 'localhost',
            'port' => 143
        )
    ),
    'quota' => array(
        'driver' => 'imap',
        'params' => array(
            'hide_quota_when_unlimited' => true,
            'login' => 'cyrus',
            'password' => 'xxxxxxxx',
            'userhierarchy' => 'user/',
            'protocol' => 'imap/notls',
            'hostspec' => 'localhost',
            'port' => 143
        )
    ),
);
-----------------------------------------------------------------------------------------------------------
CAS server log file:
2010-05-25 15:31:27,461 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: ana.ribas
2010-05-25 15:31:27,461 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [ana.ribas]
2010-05-25 15:31:27,462 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-306-PvGhwE0T5ZyOLgC3PCbcs0kyBru5raEOQlo-20] for service [https://draconis.upc.es/hordecas/login.php] for user [ana.ribas]
2010-05-25 15:31:27,673 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for https://draconis.upc.es/hordecas/casProxy.php
2010-05-25 15:31:27,758 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: https://draconis.upc.es/hordecas/casProxy.php
2010-05-25 15:31:27,971 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
2010-05-25 15:31:37,544 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
-----------------------------------------------------------------------------------------------------------
IMAP server auth.log:
[r...@draconis config]# tail -f /var/log/auth.log
May 25 15:31:28 draconis PAM_cas[26809]: checking element https://draconis.upc.es/hordecas/casProxy.php
May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:28 draconis saslauthd[26809]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:28 draconis saslauthd[26809]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:31 draconis PAM_cas[26810]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:31 draconis saslauthd[26810]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:31 draconis saslauthd[26810]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:34 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:34 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:34 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:34 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:31:37 draconis PAM_cas[26812]: checking element https://draconis.upc.es/hordecas/casProxy.php
May 25 15:31:37 draconis PAM_cas[26812]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:37 draconis saslauthd[26812]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:37 draconis saslauthd[26812]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:40 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:40 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:40 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:40 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:43 draconis PAM_cas[26813]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:43 draconis PAM_cas[26813]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:43 draconis saslauthd[26813]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:43 draconis saslauthd[26813]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
-----------------------------------------------------------------------------------------------------------
IMAP server maillog:
[r...@draconis config]# tail -f /var/log/maillog
May 25 15:31:28 draconis master[26881]: about to exec /usr/lib/cyrus-imapd/imapd
May 25 15:31:28 draconis imap[26881]: executed
May 25 15:31:28 draconis imap[26880]: accepted connection
May 25 15:31:28 draconis imap[26880]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
May 25 15:31:34 draconis last message repeated 2 times
May 25 15:31:37 draconis imap[26437]: accepted connection
May 25 15:31:37 draconis imap[26437]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
May 25 15:31:43 draconis last message repeated 2 times

Can someone help me, please? I don't know what more to do.

Thank you in advance!!

PS: Sorry for my bad English
--
Joachim Fritschi
Hochschulrechenzentrum (HRZ)
L1|01 Raum 248
Petersenstr. 30
64287 Darmstadt
Tel. +49 6151 16-5638
Fax. +49 6151 16-3050
E-Mail: [email protected]
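The auth.log quoted in this thread is easier to read per ticket than per line, because CAS service and proxy tickets are single-use: once /cas/proxyValidate has accepted a ticket, every later validation of the same ticket string is answered with INVALID_TICKET, so the "bad CAS ticket" lines tell you nothing about the first, successful attempt. The Python script below is an added example, not code from this thread, from pam_cas or from phpCAS. It groups the PAM_cas and saslauthd lines by ticket and reports, for each, whether CAS accepted it, which PAM call saslauthd then reported as failing (pam_acct_mgmt versus pam_authenticate) and how many times the same ticket was re-presented. The sample log is constructed from lines quoted above plus one invented clean success (ST-309) for contrast; the regular expressions assume the pam_cas 2.0.x and saslauthd message formats shown in the quote.

```python
"""Correlate pam_cas / saslauthd lines in auth.log per CAS proxy ticket.

Added example (not code from the thread, pam_cas or phpCAS). SAMPLE_LOG is
constructed after the auth.log excerpt quoted in the thread; the ST-309 line
is an invented clean success for contrast.
"""
import re

SAMPLE_LOG = """\
May 25 15:31:28 draconis PAM_cas[26809]: checking element https://draconis.upc.es/hordecas/casProxy.php
May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:28 draconis saslauthd[26809]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
May 25 15:31:28 draconis saslauthd[26809]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code='INVALID_TICKET'> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized </cas:authenticationFailure> </cas:serviceResponse>
May 25 15:31:31 draconis PAM_cas[26810]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:31 draconis saslauthd[26810]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
May 25 15:31:31 draconis saslauthd[26810]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:40:02 draconis PAM_cas[26900]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-309-CONSTRUCTEDEXAMPLETICKET-20
"""

# syslog prefix: "May 25 15:31:28 draconis PAM_cas[26809]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# CAS service/proxy ticket as it appears after PT:, PT=, ticket= or in quotes
TICKET_RE = re.compile(r"\b(P?ST-\d+-[A-Za-z0-9]+-\d+)\b")
# failure code inside the raw <cas:serviceResponse> echoed by pam_cas debug output
CAS_FAIL_RE = re.compile(r"<cas:authenticationFailure code='([A-Z_]+)'>")
# saslauthd names the PAM call that failed: pam_authenticate or pam_acct_mgmt
PAM_FAIL_RE = re.compile(r"auth_pam: (pam_\w+) failed")


def analyse(lines):
    """Return {ticket: counters} in first-seen order."""
    tickets = {}

    def rec(ticket):
        return tickets.setdefault(ticket, {
            "accepted": 0,            # pam_cas: ticket validated by CAS
            "rejected": 0,            # pam_cas: 'bad CAS ticket'
            "cas_failure_codes": [],  # e.g. INVALID_TICKET from the XML body
            "pam_stage_failed": [],   # saslauthd: which PAM call failed
        })

    last_ticket = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("<cas:serviceResponse"):
            # Not a syslog line: pam_cas dumps the raw validation response.
            # Parsed loosely with regex so a stray character cannot break it.
            t, code = TICKET_RE.search(line), CAS_FAIL_RE.search(line)
            if t and code:
                rec(t.group(1))["cas_failure_codes"].append(code.group(1))
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "PAM_cas":
            t = TICKET_RE.search(msg)
            if not t:
                continue
            last_ticket = t.group(1)
            if "AUTHENTICATED WITH CAS" in msg:
                rec(last_ticket)["accepted"] += 1
            elif "bad CAS ticket" in msg:
                rec(last_ticket)["rejected"] += 1
        elif prog == "saslauthd" and last_ticket:
            # saslauthd logs the PAM outcome right after the pam_cas lines of
            # the same attempt, so attribute it to the ticket seen last.
            f = PAM_FAIL_RE.search(msg)
            if f:
                rec(last_ticket)["pam_stage_failed"].append(f.group(1))
    return tickets


def diagnose(tickets):
    """One verdict per ticket, written from the operator's point of view."""
    verdicts = {}
    for ticket, s in tickets.items():
        notes = []
        if s["accepted"] and s["pam_stage_failed"][:1] == ["pam_acct_mgmt"]:
            notes.append("CAS accepted the ticket but the PAM account stage "
                         "(pam_acct_mgmt) failed; review the account stack of "
                         "the imap PAM service")
        if s["accepted"] and (s["rejected"] or "INVALID_TICKET" in s["cas_failure_codes"]):
            notes.append("same single-use ticket re-presented %d time(s) after "
                         "it had already been consumed" % s["rejected"])
        if not s["accepted"] and s["rejected"]:
            notes.append("ticket was never validated successfully")
        verdicts[ticket] = "; ".join(notes) or "validated once, no PAM failure recorded"
    return verdicts


if __name__ == "__main__":
    for ticket, verdict in diagnose(analyse(SAMPLE_LOG.splitlines())).items():
        print(ticket, "->", verdict)
```

Run it against a real auth.log with `analyse(open("/var/log/auth.log"))`; the verdicts separate a PAM stack problem on an accepted ticket from the follow-up INVALID_TICKET noise caused by the client retrying with the same, already consumed ticket.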
