auth:cas
Differences
This shows you the differences between two versions of the page.
auth:cas [2014-05-14 14:48] – [Discussion] 85.14.143.145 | auth:cas [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== CAS Authentication Backend ====== | ||
- | This module allows authentication against a CAS server. It is designed as an extension of the LDAP backend so CAS can be used for authentication and LDAP for ACL management. | ||
- | |||
- | It requires a small modification of two one DokuWiki files. | ||
- | |||
- | ===== Easy Way ===== | ||
- | |||
- | ==== Installation ==== | ||
- | |||
- | === Getting the scripts === | ||
- | |||
- | |||
- | First of all, download this zip : [[http:// | ||
- | |||
- | The //inc// folder correspond to your dokuwiki //inc// folder. | ||
- | |||
- | This archive contain cas.class.php and a modified phpCAS library. I just changed the way session are managed in the phpCAS lib. These changes [[https:// | ||
- | |||
- | Unpack this archive in your dokuwiki folder. | ||
- | |||
- | ==== Requirements ==== | ||
- | |||
- | The phpCas library needs | ||
- | * CURL 7.5+ | ||
- | * PHP 4.3.1+, PEAR DB | ||
- | * Apache 2.0.44+ | ||
- | CURL libs must be present on your system, and they must have been compiled with SSL support. | ||
- | [[http:// | ||
- | |||
- | |||
- | ==== File to modify ==== | ||
- | |||
- | == In inc/ | ||
- | |||
- | |||
- | Replace : | ||
- | <code PHP> | ||
- | function act_auth($act){ | ||
- | global $ID; | ||
- | global $INFO; | ||
- | </ | ||
- | |||
- | By: | ||
- | <code PHP> | ||
- | function act_auth($act){ | ||
- | global $ID; | ||
- | global $INFO; | ||
- | global $auth; | ||
- | |||
- | if($auth-> | ||
- | $auth-> | ||
- | } | ||
- | </ | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ==== Configuration ==== | ||
- | |||
- | Here is an example of **conf/ | ||
- | <code PHP> | ||
- | $conf[' | ||
- | |||
- | //.... | ||
- | |||
- | // | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | In this example, Single Sign Out is handle thanks to the modified version of phpCAS lib which allow phpCAS to destroy a session even if the service had start one before. | ||
- | |||
- | You have to list CAS hosts that will have the right to send logout requests, if your CAS hosts in not in that list his logout requests will be rejected. | ||
- | |||
- | To test if everything is ok you can set a log file, this will output phpCAS logs. | ||
- | |||
- | //This tutorial was entirely test on last DokuWiki version (Angua)// | ||
- | |||
- | --- [[user> | ||
- | ===== Alternatives ===== | ||
- | |||
- | ==== ggauth and plain ==== | ||
- | |||
- | I created a similar auth backend in June. Mine uses plain authentication as its source and also ggauth so that I can manage groups locally while only doing the authentication through CAS. The code is pretty similar to what is below. | ||
- | |||
- | Here is a link: http:// | ||
- | |||
- | **Note for Cornempire: | ||
- | |||
- | <code php> | ||
- | if ($ACT == ' | ||
- | phpCAS:: | ||
- | phpCAS:: | ||
- | phpCAS:: | ||
- | } | ||
- | </ | ||
- | |||
- | ==== Just plain ==== | ||
- | |||
- | In order to simplify my installation of DokuWiki, I have written a new [[plugin: | ||
- | |||
- | ===== Installation ===== | ||
- | |||
- | < | ||
- | It contains the [[http:// | ||
- | ==== Files to install ==== | ||
- | |||
- | I cannot upload the file, so here is the content of the cas.class.php file (inspired from [[http:// | ||
- | <code php cas.class.php> | ||
- | <?php | ||
- | /** | ||
- | * Inspired from | ||
- | * http:// | ||
- | */ | ||
- | |||
- | require_once(DOKU_INC.' | ||
- | include_once(' | ||
- | |||
- | global $conf; | ||
- | |||
- | class auth_cas extends auth_ldap { | ||
- | public $cnfcas = null; | ||
- | |||
- | function __construct() { | ||
- | global $conf; | ||
- | | ||
- | parent:: | ||
- | $this-> | ||
- | $this-> | ||
- | $this-> | ||
- | $this-> | ||
- | | ||
- | // curl extension is needed | ||
- | if(!function_exists(' | ||
- | if ($this-> | ||
- | msg(" | ||
- | $this-> | ||
- | return; | ||
- | } | ||
- | | ||
- | phpCAS:: | ||
- | $this-> | ||
- | | ||
- | // automatically log the user when there is a cas session opened | ||
- | if($this-> | ||
- | phpCAS:: | ||
- | } | ||
- | else { | ||
- | phpCAS:: | ||
- | } | ||
- | |||
- | if($this-> | ||
- | phpCAS:: | ||
- | } | ||
- | elseif($this-> | ||
- | phpCAS:: | ||
- | } | ||
- | else { | ||
- | phpCAS:: | ||
- | } | ||
- | | ||
- | if($this-> | ||
- | phpCAS:: | ||
- | } | ||
- | else { | ||
- | phpCAS:: | ||
- | } | ||
- | } | ||
- | |||
- | public function trustExternal($user, | ||
- | global $USERINFO; | ||
- | global $conf; | ||
- | |||
- | $sticky ? $sticky = true : $sticky = false; //sanity check | ||
- | |||
- | $session = $_SESSION[$conf[' | ||
- | |||
- | if(phpCAS:: | ||
- | $user = phpCAS:: | ||
- | | ||
- | if(isset($session)) { | ||
- | $_SERVER[' | ||
- | $USERINFO = $session[' | ||
- | $USERINFO[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | } | ||
- | else { | ||
- | $USERINFO = $this-> | ||
- | $_SERVER[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | } | ||
- | |||
- | return true; | ||
- | } | ||
- | |||
- | return false; | ||
- | } | ||
- | | ||
- | public function logIn() { | ||
- | global $QUERY; | ||
- | | ||
- | phpCAS:: | ||
- | phpCAS:: | ||
- | } | ||
- | | ||
- | public function logOff() { | ||
- | global $QUERY; | ||
- | | ||
- | if($this-> | ||
- | @session_start(); | ||
- | session_destroy(); | ||
- | phpCAS:: | ||
- | } | ||
- | else { // dokuwiki logout only | ||
- | @session_start(); | ||
- | session_destroy(); | ||
- | } | ||
- | } | ||
- | } | ||
- | //Setup VIM: ex: et ts=4 enc=utf-8 : | ||
- | </ | ||
- | |||
- | The phpCas library can be downloaded [[http:// | ||
- | ==== Requirements ==== | ||
- | |||
- | The phpCas library needs | ||
- | * CURL 7.5+ | ||
- | * PHP 4.3.1+, PEAR DB | ||
- | * Apache 2.0.44+ | ||
- | CURL libs must be present on your system, and they must have been compiled with SSL support. | ||
- | [[http:// | ||
- | |||
- | |||
- | ==== Files to modify ==== | ||
- | |||
- | Edit the file inc/ | ||
- | <code php> | ||
- | ' | ||
- | </ | ||
- | by | ||
- | <code php> | ||
- | ' | ||
- | ' | ||
- | </ | ||
- | |||
- | Edit the file inc/ | ||
- | <code php> | ||
- | function act_auth($act){ | ||
- | global $ID; | ||
- | global $INFO; | ||
- | </ | ||
- | by : | ||
- | <code php> | ||
- | function act_auth($act){ | ||
- | global $ID; | ||
- | global $INFO; | ||
- | global $auth; | ||
- | |||
- | if($auth-> | ||
- | $auth-> | ||
- | } | ||
- | </ | ||
- | |||
- | ===== Configuration ===== | ||
- | This is an example configuration to set in your conf/ | ||
- | <code php> | ||
- | $conf[' | ||
- | |||
- | /* CAS specific configuration */ | ||
- | $conf[' | ||
- | $conf[' | ||
- | // CAS server root parameter | ||
- | $conf[' | ||
- | // automatically log the user when there is already a CAS session opened | ||
- | $conf[' | ||
- | // log out from the CAS server when loggin out from dokuwiki | ||
- | $conf[' | ||
- | // log out from dokuwiki when loggin out from the CAS server (should work with CASv3, experimental) | ||
- | $conf[' | ||
- | |||
- | /* LDAP usual configuration */ | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | |||
- | </ | ||
- | |||
- | |||
- | ===== Discussion ===== | ||
- | |||
- | * Edit inc/ | ||
- | If you don't add this in basic auth, then | ||
- | <code php> | ||
- | if($auth-> | ||
- | $auth-> | ||
- | } | ||
- | </ | ||
- | can look for an undefined index. | ||
- | |||
- | * in cas.class.php : to have automatic redirection to cas server if not already logged : | ||
- | <code php> | ||
- | public function trustExternal($user, | ||
- | global $USERINFO; | ||
- | global $conf; | ||
- | | ||
- | $sticky ? $sticky = true : $sticky = false; //sanity check | ||
- | | ||
- | $session = $_SESSION[$conf[' | ||
- | | ||
- | if(phpCAS:: | ||
- | $user = phpCAS:: | ||
- | | ||
- | if(isset($session)) { | ||
- | $_SERVER[' | ||
- | $USERINFO = $session[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | } | ||
- | else { | ||
- | $USERINFO = $this-> | ||
- | $_SERVER[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | $_SESSION[$conf[' | ||
- | } | ||
- | | ||
- | return true; | ||
- | } | ||
- | else { | ||
- | | ||
- | } | ||
- | | ||
- | return false; | ||
- | } | ||
- | </ | ||
- | |||
- | I just added the part : | ||
- | <code php> | ||
- | else { | ||
- | phpCAS:: | ||
- | } | ||
- | </ | ||
- | |||
- | * Problem with upgrade of phpcas 1.1.3 : | ||
- | |||
- | Hello, I've upgraded phpcas : | ||
- | < | ||
- | # pear upgrade http:// | ||
- | </ | ||
- | |||
- | when I go to my wiki, I've got the following error page :-( : | ||
- | |||
- | < | ||
- | phpCAS error: phpCAS:: | ||
- | </ | ||
- | |||
- | If I downgrade phpcas, it's ok as before. //Frantz 2010/ | ||
- | |||
- | (//by Evaldas, 2011/ | ||
- | |||
- | To solve phpCAS session error (for phpCAS v1.1.3+) insert ", | ||
- | < | ||
- | $this-> | ||
- | </ | ||
- | |||
- | ==Problem remains== | ||
- | |||
- | There is a problem with the latest version of phpCAS (1.2.1) and DokuWiki (dokuwiki-latest.tgz) even after making the changes mentioned before. In fact, when we log in with CAS server, an error page occurs in web browser with the following message “This can occur when you open a page that is redirected to another page which is in turn redirects to the original page.” then a phpCAS error message like this “CAS Authentication failed!”. | ||
- | |||
- | How can we solve this error? | ||
- | |||
- | If you know how to solve this problem, please contribute. | ||
- | |||
- | ---05/05/11 | ||
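Review bot: The edit summary "removed - external edit" gives no reason for deleting the whole page from "Line 1" down and no pointer to a successor, and the deletion also drops the unanswered "Problem remains" report at the end (redirect loop followed by "CAS Authentication failed!" with phpCAS 1.2.1). Suggest leaving a short stub instead of an empty page, stating why the backend documentation was retired and pointing to the plugin referenced under "Just plain". The Single Sign Out caveat from the "Easy Way" configuration section should be carried over to wherever the content moves: logout requests are only accepted from CAS hosts that are explicitly listed, and that is the one security-relevant setting an administrator migrating from these instructions must not lose. The removed instructions also depend on patching core files under inc/ and on a modified copy of the phpCAS library, so a successor page should say whether those local changes still have to be reverted or maintained.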
auth/cas.1400071705.txt.gz · Last modified: 2014-05-14 14:48 by 85.14.143.145