Hi,

I'm testing the casimap.php application. All seems correct, but when I arrive at the last step, "Ouvrir une connexion Imap avec le PT courant", I have the same problem:

Erreur d'ouverture de connexion IMAP.
AVEC :
- USER : ana.ribas
- PT : ST-438-YT7FmbBuLlRWvT2Zbdy9dkZ0wY6ACA4Piam-20
PARTIE CAS
PGT obtenu :
PGT courant : TGT-246-YJZYECcEbEgHtnVhDvOr5AjUsQEr3iDkOcU-50
PT obtenu :
PT courant : ST-438-YT7FmbBuLlRWvT2Zbdy9dkZ0wY6ACA4Piam-20
https://palpatine.upc.es:8443/cas/proxyValidate?ticket=ST-438-YT7FmbBuLlRWvT2Zbdy9dkZ0wY6ACA4Piam-20&service=imap://draconis.upc.es

These are my log files:

auth.log

Jun 1 11:14:19 draconis saslauthd[21440]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Jun 1 11:14:19 draconis saslauthd[21440]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Jun 1 11:14:23 draconis saslauthd[21437]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Jun 1 11:14:23 draconis saslauthd[21437]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Jun 1 11:14:26 draconis saslauthd[21440]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Jun 1 11:14:26 draconis saslauthd[21440]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

maillog:

Jun 1 11:14:19 draconis master[21462]: about to exec /usr/lib/cyrus-imapd/imapd
Jun 1 11:14:19 draconis imap[21462]: executed
Jun 1 11:14:19 draconis imap[21421]: accepted connection
Jun 1 11:14:19 draconis imap[21421]: skiplist: recovered /var/lib/imap/tls_sessions.db (0 records, 5736 bytes) in 0 seconds
Jun 1 11:14:19 draconis imap[21421]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jun 1 11:14:19 draconis imap[21421]: badlogin: draconis.upc.es [127.0.0.1] PLAIN [SASL(-13): authentication failure: Password verification failed]

How can I continue?

--
Anna Ribas Roca

Quoting Scott Battaglia <[email protected]>:

> I'm having trouble following the logs but I would check either of these:
>
> 1. Make sure you're only validating a ticket once (they cannot be used twice)
> 2. Make sure the service ids match (I see you're validating using imap://.... but I don't see any tickets issued for that unless I missed it).
>
> Cheers,
> Scott
>
> On Thu, May 27, 2010 at 5:21 AM, Ana Ribas Roca <[email protected]> wrote:
>
>> Hi,
>>
>> I'd like to CASify IMAP but I'm having problems and I don't know why.
>> We have Cyrus with SASL and webmail Horde.
>> I've CASified Horde without problems.
>> These are my configurations and the log files with the errors.
>>
>> My versions:
>> Cyrus IMAP 2.3.7
>> SASL 2.1.22
>> Horde 3.3.5 (IMP 4.3.5)
>> Pam_cas-2.0.11-esup-2.0.4
>> phpCAS version 1.1.0
>> CAS 3.0.5
>>
>> My configuration files:
>>
>> -----------------------------------------------------------------------------------------------------------
>> [r...@draconis etc]# more /etc/pam.d/imap
>> #%PAM-1.0
>> auth sufficient /lib/security/pam_cas.so -simap://draconis.upc.es -f/etc/pam_cas.conf
>>
>> -----------------------------------------------------------------------------------------------------------
>> [r...@draconis etc]# more /etc/pam_cas.conf
>> # host from CAS server. mandatory
>> host palpatine.upc.es
>>
>> # port from CAS server. Default to 80 or 443, depends from ssl instruction
>> port 8443
>>
>> # uri to validate ticket. Default to /proxyValidate
>> uriValidate /cas/proxyValidate
>>
>> # https or no. values on or off. Default to on.
>> ssl on
>>
>> # debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
>> debug on
>>
>> # proxy or proxies who deliver Proxy Ticket.
>> # If no proxy, pam_cas doesn't control it
>> # It may be several proxy instructions
>> proxy https://draconis.upc.es/hordecas/casProxy.php
>>
>> # trusted_ca. mandatory if ssl on.
>> # It a file in pem format. It can contents several certificates
>> # If the CAS server certificate is auto-signed, the file must content the certificate
>> # If the certificate is trusted by an Certificate Autority, The file must content
>> # certificate from high level CA
>> trusted_ca /etc/openldap/cacerts/CAALL5.pem
>>
>> -----------------------------------------------------------------------------------------------------------
>> [r...@draconis etc]# ps -efa | grep -i sasl
>> root 26524 1 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
>> root 26525 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
>> root 26526 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
>> root 26527 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
>> root 26528 26524 0 12:15 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -c
>> root 26531 26136 0 12:15 pts/1 00:00:00 grep -i sasl
>> [r...@draconis etc]#
>>
>> -----------------------------------------------------------------------------------------------------------
>> [r...@draconis etc]# cd /var/www/html/hordecas/imp/config/
>> [r...@draconis config]# more servers.php
>> ...
>> $servers['cyrus'] = array(
>>     'name' => 'Correu K2',
>>     'server' => 'draconis.upc.es',
>>     'hordeauth' => false,
>>     'protocol' => 'imap/notls',
>>     'port' => 143,
>>     'realm' => '',
>>     'preferred' => 'selected',
>>     'admin' => array(
>>         'params' => array(
>>             'login' => 'cyrus',
>>             'password' => 'xxxxxxxx',
>>             // The 'userhierarchy' parameter defaults to 'user.'
>>             // If you are using a nonstandard hierarchy for personal
>>             // mailboxes, you will need to set it here.
>>             'userhierarchy' => 'user/',
>>             // Although these defaults are normally all that is required,
>>             // you can modify the following parameters from their default
>>             // values.
>>             'protocol' => 'imap/notls',
>>             'hostspec' => 'localhost',
>>             'port' => 143
>>         )
>>     ),
>>     'quota' => array(
>>         'driver' => 'imap',
>>         'params' => array(
>>             'hide_quota_when_unlimited' => true,
>>             'login' => 'cyrus',
>>             'password' => 'xxxxxxxx',
>>             'userhierarchy' => 'user/',
>>             'protocol' => 'imap/notls',
>>             'hostspec' => 'localhost',
>>             'port' => 143
>>         )
>>     ),
>> );
>>
>> -----------------------------------------------------------------------------------------------------------
>> CAS server log file:
>>
>> 2010-05-25 15:31:27,461 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: ana.ribas
>> 2010-05-25 15:31:27,461 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [ana.ribas]
>> 2010-05-25 15:31:27,462 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-306-PvGhwE0T5ZyOLgC3PCbcs0kyBru5raEOQlo-20] for service [https://draconis.upc.es/hordecas/login.php] for user [ana.ribas]
>> 2010-05-25 15:31:27,673 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for https://draconis.upc.es/hordecas/casProxy.php
>> 2010-05-25 15:31:27,758 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: https://draconis.upc.es/hordecas/casProxy.php
>> 2010-05-25 15:31:27,971 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
>> 2010-05-25 15:31:37,544 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20] for service [imap://draconis.upc.es] for user [https://draconis.upc.es/hordecas/casProxy.php]
>>
>> -----------------------------------------------------------------------------------------------------------
>> IMAP server auth.log:
>>
>> [r...@draconis config]# tail -f /var/log/auth.log
>> May 25 15:31:28 draconis PAM_cas[26809]: checking element https://draconis.upc.es/hordecas/casProxy.php
>> May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
>> May 25 15:31:28 draconis saslauthd[26809]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
>> May 25 15:31:28 draconis saslauthd[26809]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
>> <cas:authenticationFailure code='INVALID_TICKET'>
>> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized
>> </cas:authenticationFailure> </cas:serviceResponse>
>> May 25 15:31:31 draconis PAM_cas[26810]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
>> May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
>> May 25 15:31:31 draconis saslauthd[26810]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>> May 25 15:31:31 draconis saslauthd[26810]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
>> <cas:authenticationFailure code='INVALID_TICKET'>
>> ticket 'ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20' not recognized
>> </cas:authenticationFailure> </cas:serviceResponse>
>> May 25 15:31:34 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20&service=imap://draconis.upc.es HTTP/1.0
>> May 25 15:31:34 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
>> May 25 15:31:34 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>> May 25 15:31:34 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>> May 25 15:31:37 draconis PAM_cas[26812]: checking element https://draconis.upc.es/hordecas/casProxy.php
>> May 25 15:31:37 draconis PAM_cas[26812]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
>> May 25 15:31:37 draconis saslauthd[26812]: DEBUG: auth_pam: pam_acct_mgmt failed: Authentication failure
>> May 25 15:31:37 draconis saslauthd[26812]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
>> <cas:authenticationFailure code='INVALID_TICKET'>
>> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized
>> </cas:authenticationFailure> </cas:serviceResponse>
>> May 25 15:31:40 draconis PAM_cas[26811]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
>> May 25 15:31:40 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
>> May 25 15:31:40 draconis saslauthd[26811]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>> May 25 15:31:40 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> e
>> <cas:authenticationFailure code='INVALID_TICKET'>
>> ticket 'ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20' not recognized
>> </cas:authenticationFailure> </cas:serviceResponse>
>> May 25 15:31:43 draconis PAM_cas[26813]: for requestGET /cas/proxyValidate?ticket=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20&service=imap://draconis.upc.es HTTP/1.0
>> May 25 15:31:43 draconis PAM_cas[26813]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
>> May 25 15:31:43 draconis saslauthd[26813]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>> May 25 15:31:43 draconis saslauthd[26813]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>
>> -----------------------------------------------------------------------------------------------------------
>> IMAP server maillog:
>>
>> [r...@draconis config]# tail -f /var/log/maillog
>> May 25 15:31:28 draconis master[26881]: about to exec /usr/lib/cyrus-imapd/imapd
>> May 25 15:31:28 draconis imap[26881]: executed
>> May 25 15:31:28 draconis imap[26880]: accepted connection
>> May 25 15:31:28 draconis imap[26880]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
>> May 25 15:31:34 draconis last message repeated 2 times
>> May 25 15:31:37 draconis imap[26437]: accepted connection
>> May 25 15:31:37 draconis imap[26437]: badlogin: draconis.upc.es [127.0.0.1] plaintext ana.ribas SASL(-13): authentication failure: checkpass failed
>> May 25 15:31:43 draconis last message repeated 2 times
>>
>> Can someone help me, please?
>> I don't know what more to do.
>> Thank you in advance!!
>>
>> PS: Sorry for my bad English
>>
>> --
>> Anna Ribas Roca
>> Projectes Tecnològics
>> UPCnet, Universitat Politècnica de Catalunya
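
Added example, not part of the original thread and not code from pam_cas or CAS: a small Python script that rebuilds, per proxy ticket, the order of PAM_cas and saslauthd events in the May 25 auth.log quoted above, to check Scott's first point (a ticket validated more than once). The function names are illustrative, and the sample lines are copied from that log with the mail-wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Lines taken from the auth.log quoted in the thread (mail-wrapped lines rejoined).
SAMPLE_LOG = """\
May 25 15:31:28 draconis PAM_cas[26809]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:28 draconis saslauthd[26809]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
May 25 15:31:31 draconis PAM_cas[26810]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:31 draconis saslauthd[26810]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:31:34 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-307-SkQRQYMhU4hprfdcZVje92h3THWRsekd4Xd-20
May 25 15:31:34 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
May 25 15:31:37 draconis PAM_cas[26812]: USER 'ana.ribas' AUTHENTICATED WITH CAS PT:ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:37 draconis saslauthd[26812]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]
May 25 15:31:40 draconis PAM_cas[26811]: authentication failure for user 'ana.ribas' : bad CAS ticket. PT=ST-308-MXNVo0W2zWNWn551buBskYqwmvclaUkJyqP-20
May 25 15:31:40 draconis saslauthd[26811]: do_auth : auth failure: [user=ana.ribas] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (PAM_cas|saslauthd)\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"AUTHENTICATED WITH CAS PT:(\S+)")
REJECT = re.compile(r"bad CAS ticket\.\s*PT=(\S+)")
REASON = re.compile(r"\[reason=([^\]]+)\]")

def ticket_timeline(log_text):
    """Return {ticket: [[time, pam_cas_outcome, saslauthd_reason], ...]} in log order."""
    timeline = defaultdict(list)
    last_attempt = {}  # pid -> most recent PAM_cas attempt logged by that process
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, prog, pid, msg = m.groups()
        if prog == "PAM_cas":
            hit = ACCEPT.search(msg) or REJECT.search(msg)
            if hit:
                outcome = "accepted" if "AUTHENTICATED" in msg else "rejected"
                attempt = [when, outcome, None]
                timeline[hit.group(1)].append(attempt)
                last_attempt[pid] = attempt
        elif pid in last_attempt and (r := REASON.search(msg)):  # saslauthd verdict for that attempt
            last_attempt[pid][2] = r.group(1)
    return dict(timeline)

def diagnose(attempts):
    """Summarise one ticket: was it accepted first and then presented again?"""
    first, rest = attempts[0], attempts[1:]
    replays = sum(1 for a in rest if a[1] == "rejected")
    if first[1] == "accepted" and replays:
        return f"accepted once (then {first[2]}), re-presented {replays}x and rejected"
    return "accepted, no reuse" if first[1] == "accepted" else "never accepted"
```

On the quoted log this shows each PT accepted once by PAM_cas, with saslauthd then failing at pam_acct_mgmt (reason=PAM acct error), and only afterwards rejected as INVALID_TICKET when the same PT is presented again, which is the single-use behaviour Scott's first point refers to.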
