Hi. I'm very sorry for the repost but I forgot the subject. So, I'm using dovecot 2.0.18 and I'm trying to authenticate through a CAS server (until now authentication was through MS Active Directory). I could not find anywhere some examples, so here is what I have done so far.

- install phpcas and pam_cas
- edit /etc/pam.d/dovecot

  auth sufficient /lib/security/pam_cas.so -simap://webmail.mydomain.com -f /etc/pam_cas.conf

- edit /etc/pam_cas.conf

  host mycas.mydomain.com
  port 443
  uriValidate /cas/proxyValidate
  ssl on
  proxy ???????????????????????
  trusted_ca /etc/cert/certificate.pem
  debug on

- and finally dovecot.conf which I'm sure is completely wrong

  userdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
  }
  passdb {
    driver = pam
    args = cache_key=%u dovecot
  }
What I get in log is
Oct 15 15:39:58 auth-worker: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct 15 15:39:58 auth-worker: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Oct 15 15:39:58 auth-worker: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Oct 15 15:39:58 auth-worker: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct 15 15:39:58 auth-worker: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct 15 15:39:58 auth-worker: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Oct 15 15:39:58 auth-worker: Debug: pam(user,127.0.0.1): lookup service=dovecot
Oct 15 15:39:58 auth-worker: Debug: pam(user,127.0.0.1): #1/1 style=1 msg=Password:
Oct 15 15:39:58 auth-worker: Info: pam(user,127.0.0.1): pam_authenticate() failed: Permission denied
Oct 15 15:40:00 auth: Debug: client out: FAIL 1 user=user
Oct 15 15:40:00 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<user>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Oct 15 15:40:00 auth: Debug: auth client connected (pid=9019)
Any ideas? Thanks.
Hi,
Could you try with "failure_show_msg=yes" on passdb args? You can try without the "proxy" line in pam_cas.conf and a static userdb with allow_all_users=yes (in place of the ldap configuration).
Hope this can help.
You have some logs in /var/log/auth.log (depends on your distribution).
-- Guillaume de Lafond Aqua Ray
Thanks for the reply. I have already tried successfully the setup without proxying the CAS tickets and setting dovecot to login with a master password. The problem is that I need a password file with all the users and also I need the proxy feature for other applications.
From: de Lafond Guillaume gdelafond+dovecot@aquaray.com
To: b m stocton12@yahoo.com; Dovecot Mailing List dovecot@dovecot.org
Sent: Tuesday, October 16, 2012 4:56 PM
Subject: Re: [Dovecot] CAS Authentication
On 16/10/12 20:12, b m wrote:
Thanks for the reply. I have already tried successfully the setup without proxying the CAS tickets and setting dovecot to login with a master password. The problem is that I need a password file with all the users and also I need the proxy feature for other applications.
This is my config. In /etc/pam.d/dovecot I have:
auth    sufficient pam_cas_ssh.so -simap://localhost -f/etc/pam_cas.conf
account sufficient pam_permit.so
session sufficient pam_permit.so
and /etc/pam_cas.conf
host <cas server>
port 443
uriValidate /cas/proxyValidate
ssl on
debug off
proxy <cas proxy url>
trusted_ca <pem cert file>
in dovecot, I have these users dbs:
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = session=yes cache_key=%n dovecot
  driver = pam
}
With this, it works fine.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337
Thanks for the configuration files. I have a question. In pam_cas.conf I don't know what to put in "proxy <cas proxy url>". In some examples I have seen something like http://<webmail address>/proxy.php Do I need a php file in my webmail to handle the cas tickets and if so where can I find it?
From: Angel L. Mateo amateo@um.es
To: dovecot@dovecot.org
Sent: Wednesday, October 17, 2012 10:24 AM
Subject: Re: [Dovecot] CAS Authentication
On 18/10/12 10:33, b m wrote:
Thanks for the configuration files. I have a question. In pam_cas.conf I don't know what to put in "proxy <cas proxy url>". In some examples I have seen something like http://<webmail address>/proxy.php Do I need a php file in my webmail to handle the cas tickets and if so where can I find it?
You need this script at your webmail server. This script depends on the webmail you are using.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337
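To make concrete what the pam_cas.conf `proxy` line and the `/cas/proxyValidate` endpoint discussed above actually govern, here is an added Python example. It is not code from pam_cas, Dovecot, or anyone in this thread; it models, offline, the checks a pam_cas-style module has to make once the IMAP "password" is treated as a CAS proxy ticket: build the validation URL from the configured host/port/uriValidate and the `-s` service, parse the CAS 2.0 XML response, require that `cas:user` equals the IMAP login name, and accept a proxy chain only if every hop is one of the configured `proxy` callback URLs. The hostnames, the `https://webmail.mydomain.com/proxy.php` proxy URL, the ticket strings and the three XML responses are assumed or constructed for the example (CAS 2.0 response format, not captured from a real server). Whether pam_cas itself enforces every one of these checks is my understanding of what the `proxy` directive is for, not something this thread states.

```python
"""Offline model of the checks behind pam_cas's proxyValidate flow.
Added example; not pam_cas, Dovecot, or thread code. All names are assumed."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Assumed values mirroring the thread's pam_cas.conf and the PAM "-s" service.
CAS_HOST = "mycas.mydomain.com"
CAS_PORT = 443
URI_VALIDATE = "/cas/proxyValidate"
SERVICE = "imap://localhost"

# Assumed: the proxy callback URL a "proxy" line in pam_cas.conf would hold.
TRUSTED = {"https://webmail.mydomain.com/proxy.php"}


def validation_url(ticket, service=SERVICE):
    """URL a validator GETs to check a ticket presented for this service."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"https://{CAS_HOST}:{CAS_PORT}{URI_VALIDATE}?{query}"


def check_proxy_validate(xml_text, expected_user, trusted_proxies):
    """Return (ok, reason). ok only for an authenticationSuccess whose user is
    expected_user and whose proxy chain (possibly empty, i.e. a plain service
    ticket) contains only trusted callback URLs."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"unparseable response: {exc}"
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, f"CAS failure {failure.get('code')}: {(failure.text or '').strip()}"
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return False, "neither success nor failure element present"
    user_el = success.find("cas:user", CAS_NS)
    user = (user_el.text or "").strip() if user_el is not None else ""
    # Without this check a valid ticket for alice would log in as bob.
    if user != expected_user:
        return False, f"ticket belongs to {user!r}, login was {expected_user!r}"
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    untrusted = [p for p in proxies if p not in trusted_proxies]
    if untrusted:
        return False, f"untrusted proxy in chain: {untrusted}"
    return True, f"ok user={user} proxies={proxies}"


# Constructed sample responses in CAS 2.0 format (not from a real server).
RESP_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>user</cas:user>
    <cas:proxies>
      <cas:proxy>https://webmail.mydomain.com/proxy.php</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

RESP_ROGUE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>user</cas:user>
    <cas:proxies>
      <cas:proxy>https://attacker.example/pgt</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

RESP_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'PT-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validation_url("PT-1-abc"))
    for name, resp in (("ok", RESP_OK), ("rogue", RESP_ROGUE), ("fail", RESP_FAIL)):
        print(name, check_proxy_validate(resp, "user", TRUSTED))
```

The rogue case is the one the `proxy` line exists for: the ticket is genuine and belongs to the right user, but it was obtained through a proxy you never listed, so it must be refused. Keep `trusted_ca` pointing at the CA that issued the CAS server's certificate, since the XML above is only trustworthy when it was fetched over a verified TLS connection.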