I need some help.  It seems my Apache config is able to defer to our campus
CAS log in service but the process looks to fail validating the ticket or
user.  I'll show my work.  I thank anyone in advance for help -- I'm hoping
I've simply missed some configuration step or value.

I've been able to clone the git for mod_auth_cas, build, and install to our
Apache 2.2.15 server on RHEL6 without much fuss.  Then:

* Create /etc/httpd/conf.d/cas.conf containing:

LoadModule          auth_cas_module modules/mod_auth_cas.so
CASDebug            On
CASCookiePath       /var/cache/mod_auth_cas/
CASCertificatePath  /etc/pki/tls/certs
CASLoginURL         https://cas.iu.edu/cas/login
CASValidateURL      https://cas.iu.edu/cas/serviceValidate
CASProxyValidateURL https://cas.iu.edu/cas/proxyValidate

* Make a place for CASCookiePath and give it a sensible SELinux context:

mkdir /var/cache/mod_auth_cas
chown -R apache:apache /var/cache/mod_auth_cas
chcon -R -t httpd_cache_t /var/cache/mod_auth_cas

* Restart Apache:

service httpd restart

* Create a directory where I can test protecting static content and give it
an .htaccess and a simple html file:

.htaccess is:

AuthType CAS
require valid-user

* Test the address.  I'm prompted by our campus CAS log in page but am left
with a 302 error, and a URL showing the page I want plus the ticket.  The
error_log doesn't show much; I think this is key:

Validation response: <cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>\n  <cas:authenticationFailure
code='INVALID_REQUEST'>\n    'service', 'ticket' and 'casurl' parameters
are all required\n  </cas:authenticationFailure>\n</cas:serviceResponse>\n

I've written our campus Identity Management group to verify that my address
for CASValidateURL is correct, but I'm guessing that it is, else I
wouldn't have this result.  If it matters, there's nothing in
/var/cache/mod_auth_cas.

PS: I'm sorry -- I posted this to the google group without first
subscribing to the list, so some may see this a second time.
-- 
Frank Burleigh
[email protected]
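
The following is an added example, not part of the original post and not mod_auth_cas code: it parses the validation response quoted from the error_log and compares the parameters the server's failure message names against a CAS 2.0 validation request. The service URL and ticket are constructed placeholders, and the function names are hypothetical.

```python
# Added example: inspect a CAS validation response as logged with CASDebug On.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Response copied from the post; "\n" is the two-character escape the log prints.
LOGGED = (r"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n  "
          r"<cas:authenticationFailure code='INVALID_REQUEST'>\n    'service', "
          r"'ticket' and 'casurl' parameters are all required\n  "
          r"</cas:authenticationFailure>\n</cas:serviceResponse>\n")


def parse_validation(logged):
    """Return ('success', user) or ('failure', code, message)."""
    root = ET.fromstring(logged.replace("\\n", "\n").strip())
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None:
        return ("success", user.text.strip())
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is None:
        raise ValueError("not a CAS serviceResponse")
    return ("failure", fail.get("code"), " ".join(fail.text.split()))


def validate_url(base, service, ticket):
    """Build a validation request with the two parameters CAS 2.0 requires."""
    return base + "?" + urlencode({"service": service, "ticket": ticket})


def missing_params(url, failure_message):
    """Parameters quoted in the server's message that the request URL lacks."""
    wanted = re.findall(r"'(\w+)'", failure_message)
    sent = parse_qs(urlsplit(url).query)
    return [p for p in wanted if p not in sent]


if __name__ == "__main__":
    # Service URL and ticket below are constructed placeholders.
    url = validate_url("https://cas.iu.edu/cas/serviceValidate",
                       "https://www.example.edu/protected/", "ST-constructed-1")
    status = parse_validation(LOGGED)
    print(status)
    print("named by server but not sent:", missing_params(url, status[2]))
```
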
