Posted to dev@vcl.apache.org by John Ma <Jo...@marist.edu> on 2011/01/04 21:38:13 UTC
CASify VCL 2.2
Hi community,
I am attempting to integrate VCL2.2 with CAS (http://www.jasig.org/cas)
and wondering whether someone could provide a brief introduction of VCL's
authentication mechanism.
I want to keep the VCL user table for authorization but offload
authentication to CAS. I am familiar with CAS and know the basics of PHP
and Perl programming.
Thanks in advance,
John Ma
sys admin
Marist College
Re: CASify VCL 2.2
Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John,
This should be doable. I'll need to read up on how CAS works some before I
can suggest a way to add it in. I'll try to do that soon.
Josh
On Tuesday January 04, 2011, John Ma wrote:
> Hi community,
>
> I am attempting to integrate VCL2.2 with CAS (http://www.jasig.org/cas)
> and wondering whether someone could provide a brief introduction of VCL's
> authentication mechanism.
>
> I want to keep VCL user table for authorization but off load
> authentication to CAS. I am familiar with CAS and know the basics of PHP
> and Perl programming.
>
>
> Thanks in advance,
>
> John Ma
> sys admin
> Marist College
- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
iEYEARECAAYFAk0l++8ACgkQV/LQcNdtPQON3QCaA8Ds94eeg0F3MCzRdtFI4t4e
YmoAn2NK34lW3vOsaTDqx9s6VROTLKDk
=GXxd
-----END PGP SIGNATURE-----
Re: CASify VCL 2.2
Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John,
VCL can be set up to allow both CAS and the local accounts. I'll try to
explain that sometime next week.
Is there a URL users can be redirected to (such as a CAS server) from the VCL
site to auth to CAS and then get redirected back to the VCL site after
authenticating? If so, that would be the easier way. If not, a subdirectory
can be CAS protected and then VCL can set its own authentication cookie.
Josh
On Friday January 14, 2011, John Ma wrote:
> Josh,
>
> I got it working by following your guideline. Thanks a lot.
>
> However, this implementation blocked access to the 'local account'
> authentication method. I feel it desirable to keep the select auth page (
> /index.php?mode=selectauth ), to allow 'local account' authentication and
> to serve as VCL's home page.
>
> CAS has this module https://wiki.jasig.org/display/CASC/phpCAS which
> provides API for PHP client. I think phpCAS maybe what I needed but I
> don't have the confidence about the actual plumbing. Could you have a
> quick look of phpCAS and suggest a path to integrate it into VCL?
>
> Thanks,
> John Ma
> Marist College
>
> From: Josh Thompson <jo...@ncsu.edu>
> To: vcl-dev@incubator.apache.org
> Date: 01/12/2011 01:32 PM
> Subject: Re: CASify VCL 2.2
>
>
>
> John,
>
> After doing some reading about CAS, it sounds like it is very similar to a
> home grown web authentication solution we use here at NCSU. The basic idea of
> our system is to protect the vcl directory with a .htaccess file. If the
> users are not authenticated to our system, they get redirected to an
> authentication server that provides them with an encrypted authentication
> cookie that an apache module on the web server hosting VCL can then decrypt to
> verify that the users are authenticated.
>
> I have our system set up so that it gets the userid using that system (it also
> sets $_SERVER['REMOTE_USER']). Then, I connect to our campus ldap server to
> look up more information about the user. However, that part could be optional
> for you if you only need the userid. A nice benefit of using ldap is that you
> can automatically populate the user into certain groups in VCL so that the
> first time a user logs in, that user will already have access to anything his
> or her groups have access to. Without that, you'll either need to have the
> user log in first or manually add an entry for the user to the vcl.user table
> before the user can be granted access to anything in VCL.
>
> Here are the first steps I'd suggest to get CAS working with VCL. Having not
> tried it myself, there's probably something I'm missing; so, it may take some
> back and forth emails to get it fully worked out.
>
> 1) save the attached file (casauth.php) to .ht-inc/authmethods/casauth.php
> 2) create a new entry in the vcl.affiliation table (I'll call it Marist, and
> assume the id associated with the new entry is 3)
> 3) create a new entry in $authMechs in .ht-inc/conf.php similar to this:
>
> "Marist CAS" => array("type" => "CAS",
> "affiliationid" => 3)
> 4) create entries in $affilValFunc, $addUserFunc, $addUserFuncArgs,
> $updateUserFunc, and $updateUserFuncArgs in .ht-inc/conf.php similar to the
> following:
>
> $affilValFunc = array(1 => create_function('', 'return 0;'),
> 3 => create_function('', 'return 0;'));
> $addUserFunc = array(1 => create_function('', 'return 0;'),
> 3 => 'addCASUser');
> $addUserFuncArgs = array(3 => 'Marist CAS');
> $updateUserFunc = array(1 => create_function('', 'return 0;'),
> 3 => 'updateCASUser');
> $updateUserFuncArgs = array(3 => 'Marist CAS');
> 5) add require_once(".ht-inc/authmethods/casauth.php"); to the end of .ht-inc/conf.php
> 6) protect the vcl directory on the web server with an appropriate .htaccess
> file such that users must be authenticated to CAS to be able to view the
> index.php page
> 7) modify vcl/.ht-inc/utils.php as follows:
> a) in initGlobals, comment out everything between '# start auth check' and '#
> end auth check'
> b) add these lines above or below what you just commented out:
> $authed = 1;
> $userid = "{$_SERVER['REMOTE_USER']}@Marist";
>
> Give that a try and let me know how things work out.
>
> Josh
>
> On Tuesday January 04, 2011, John Ma wrote:
> > Hi community,
> >
> > I am attempting to integrate VCL2.2 with CAS (http://www.jasig.org/cas)
> > and wondering whether someone could provide a brief introduction of VCL's
> > authentication mechanism.
> >
> > I want to keep VCL user table for authorization but off load
> > authentication to CAS. I am familiar with CAS and know the basics of PHP
> > and Perl programming.
> >
> >
> > Thanks in advance,
> >
> > John Ma
> > sys admin
> > Marist College
- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
iEYEARECAAYFAk0wvjIACgkQV/LQcNdtPQN+0gCfYFXbgCk5W7hLFHSGNCNkEul4
bhcAn2InKKPMqso/edVsR6M21KZyZAYH
=dZ6n
-----END PGP SIGNATURE-----
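Josh's first option above (send the user to the CAS server and have CAS redirect back to the VCL site) is exactly the flow John's phpCAS question is about. The following is an added example, not code from this thread, from Josh's attached casauth.php, or from the VCL project, showing the shape of that plumbing with the phpCAS client library. The CAS host, the phpCAS install path, the CA bundle path and the function names are assumptions; the affiliation name "Marist" follows the thread.

```php
<?php
// Added example: phpCAS-based login for VCL's "redirect to CAS and back" path.
// Assumptions (not from the thread): phpCAS is installed at /usr/share/php/CAS.php,
// the CAS server is cas.example.edu (placeholder) with context /cas, and the
// web server trusts the CA bundle below. Function names are illustrative.
require_once '/usr/share/php/CAS.php';

define('CAS_HOST', 'cas.example.edu');                      // placeholder
define('CAS_PORT', 443);
define('CAS_CONTEXT', '/cas');
define('CAS_CA_BUNDLE', '/etc/pki/tls/certs/ca-bundle.crt'); // assumed path
define('VCL_AFFILIATION', 'Marist');

// Build the "login@affiliation" userid VCL expects from a CAS principal.
// Fail closed: the principal must be a plain login name. Anything empty,
// containing '@' or whitespace is rejected, so a principal cannot smuggle
// its own "@affiliation" suffix into the VCL userid.
function casUserToVclUserid($user)
{
    if (!is_string($user) || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return $user . '@' . VCL_AFFILIATION;
}

// Authenticate the current request against CAS and return a VCL userid,
// or null if the CAS principal is unusable.
function casVclLogin()
{
    // phpCAS keeps its state in the PHP session; initialise the client once.
    phpCAS::client(CAS_VERSION_2_0, CAS_HOST, CAS_PORT, CAS_CONTEXT);

    // Validate the CAS server's TLS certificate. Do not substitute
    // phpCAS::setNoCasServerValidation(): the service-ticket validation
    // response would then be accepted from any host that answers.
    phpCAS::setCasServerCACert(CAS_CA_BUNDLE);

    // Redirects the browser to CAS when there is no valid session and only
    // returns once a service ticket has been validated server-to-server.
    phpCAS::forceAuthentication();

    return casUserToVclUserid(phpCAS::getUser());
}

// Entry point for a new "CAS" choice on /index.php?mode=selectauth:
$userid = casVclLogin();
if ($userid === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('CAS returned a principal that cannot be mapped to a VCL user');
}
// From here the application would set its own authentication cookie for
// $userid, the same thing VCL does for its other mechanisms.
```

Because the redirect happens inside phpCAS, the selectauth page stays reachable for local accounts: only the CAS choice calls casVclLogin(), so nothing in the vcl directory needs to be .htaccess-protected for this path.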
Re: CASify VCL 2.2
Posted by John Ma <Jo...@marist.edu>.
Josh,
I got it working by following your guideline. Thanks a lot.
However, this implementation blocked access to the 'local account'
authentication method. I feel it desirable to keep the select auth page (
/index.php?mode=selectauth ), to allow 'local account' authentication and
to serve as VCL's home page.
CAS has this module https://wiki.jasig.org/display/CASC/phpCAS which
provides an API for PHP clients. I think phpCAS may be what I need but I
don't have confidence about the actual plumbing. Could you have a
quick look at phpCAS and suggest a path to integrate it into VCL?
Thanks,
John Ma
Marist College
From: Josh Thompson <jo...@ncsu.edu>
To: vcl-dev@incubator.apache.org
Date: 01/12/2011 01:32 PM
Subject: Re: CASify VCL 2.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John,
After doing some reading about CAS, it sounds like it is very similar to a
home grown web authentication solution we use here at NCSU. The basic idea of
our system is to protect the vcl directory with a .htaccess file. If the
users are not authenticated to our system, they get redirected to an
authentication server that provides them with an encrypted authentication
cookie that an apache module on the web server hosting VCL can then decrypt to
verify that the users are authenticated.
I have our system set up so that it gets the userid using that system (it also
sets $_SERVER['REMOTE_USER']). Then, I connect to our campus ldap server to
look up more information about the user. However, that part could be optional
for you if you only need the userid. A nice benefit of using ldap is that you
can automatically populate the user into certain groups in VCL so that the
first time a user logs in, that user will already have access to anything his
or her groups have access to. Without that, you'll either need to have the
user log in first or manually add an entry for the user to the vcl.user table
before the user can be granted access to anything in VCL.
Here are the first steps I'd suggest to get CAS working with VCL. Having not
tried it myself, there's probably something I'm missing; so, it may take some
back and forth emails to get it fully worked out.
1) save the attached file (casauth.php) to .ht-inc/authmethods/casauth.php
2) create a new entry in the vcl.affiliation table (I'll call it Marist, and
assume the id associated with the new entry is 3)
3) create a new entry in $authMechs in .ht-inc/conf.php similar to this:
"Marist CAS" => array("type" => "CAS",
"affiliationid" => 3)
4) create entries in $affilValFunc, $addUserFunc, $addUserFuncArgs,
$updateUserFunc, and $updateUserFuncArgs in .ht-inc/conf.php similar to the
following:
$affilValFunc = array(1 => create_function('', 'return 0;'),
3 => create_function('', 'return 0;'));
$addUserFunc = array(1 => create_function('', 'return 0;'),
3 => 'addCASUser');
$addUserFuncArgs = array(3 => 'Marist CAS');
$updateUserFunc = array(1 => create_function('', 'return 0;'),
3 => 'updateCASUser');
$updateUserFuncArgs = array(3 => 'Marist CAS');
5) add require_once(".ht-inc/authmethods/casauth.php"); to the end of .ht-inc/conf.php
6) protect the vcl directory on the web server with an appropriate .htaccess
file such that users must be authenticated to CAS to be able to view the
index.php page
7) modify vcl/.ht-inc/utils.php as follows:
a) in initGlobals, comment out everything between '# start auth check' and '#
end auth check'
b) add these lines above or below what you just commented out:
$authed = 1;
$userid = "{$_SERVER['REMOTE_USER']}@Marist";
Give that a try and let me know how things work out.
Josh
On Tuesday January 04, 2011, John Ma wrote:
> Hi community,
>
> I am attempting to integrate VCL2.2 with CAS (http://www.jasig.org/cas)
> and wondering whether someone could provide a brief introduction of VCL's
> authentication mechanism.
>
> I want to keep VCL user table for authorization but off load
> authentication to CAS. I am familiar with CAS and know the basics of PHP
> and Perl programming.
>
>
> Thanks in advance,
>
> John Ma
> sys admin
> Marist College
- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
iEYEARECAAYFAk0t84AACgkQV/LQcNdtPQNuNQCfWhgxBc7YmTDJJH5oKRQ0vSwX
yGoAn3SYs4julGgnHvq4rZJ0lqomWlcu
=1ATu
-----END PGP SIGNATURE-----
[attachment "casauth.php" deleted by John Ma/ADM/Marist]
Re: CASify VCL 2.2
Posted by Josh Thompson <jo...@ncsu.edu>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John,
After doing some reading about CAS, it sounds like it is very similar to a
home grown web authentication solution we use here at NCSU. The basic idea of
our system is to protect the vcl directory with a .htaccess file. If the
users are not authenticated to our system, they get redirected to an
authentication server that provides them with an encrypted authentication
cookie that an apache module on the web server hosting VCL can then decrypt to
verify that the users are authenticated.
I have our system set up so that it gets the userid using that system (it also
sets $_SERVER['REMOTE_USER']). Then, I connect to our campus ldap server to
look up more information about the user. However, that part could be optional
for you if you only need the userid. A nice benefit of using ldap is that you
can automatically populate the user into certain groups in VCL so that the
first time a user logs in, that user will already have access to anything his
or her groups have access to. Without that, you'll either need to have the
user log in first or manually add an entry for the user to the vcl.user table
before the user can be granted access to anything in VCL.
Here are the first steps I'd suggest to get CAS working with VCL. Having not
tried it myself, there's probably something I'm missing; so, it may take some
back and forth emails to get it fully worked out.
1) save the attached file (casauth.php) to .ht-inc/authmethods/casauth.php
2) create a new entry in the vcl.affiliation table (I'll call it Marist, and
assume the id associated with the new entry is 3)
3) create a new entry in $authMechs in .ht-inc/conf.php similar to this:
"Marist CAS" => array("type" => "CAS",
"affiliationid" => 3)
4) create entries in $affilValFunc, $addUserFunc, $addUserFuncArgs,
$updateUserFunc, and $updateUserFuncArgs in .ht-inc/conf.php similar to the
following:
$affilValFunc = array(1 => create_function('', 'return 0;'),
3 => create_function('', 'return 0;'));
$addUserFunc = array(1 => create_function('', 'return 0;'),
3 => 'addCASUser');
$addUserFuncArgs = array(3 => 'Marist CAS');
$updateUserFunc = array(1 => create_function('', 'return 0;'),
3 => 'updateCASUser');
$updateUserFuncArgs = array(3 => 'Marist CAS');
5) add require_once(".ht-inc/authmethods/casauth.php"); to the end of .ht-inc/conf.php
6) protect the vcl directory on the web server with an appropriate .htaccess
file such that users must be authenticated to CAS to be able to view the
index.php page
7) modify vcl/.ht-inc/utils.php as follows:
a) in initGlobals, comment out everything between '# start auth check' and '#
end auth check'
b) add these lines above or below what you just commented out:
$authed = 1;
$userid = "{$_SERVER['REMOTE_USER']}@Marist";
Give that a try and let me know how things work out.
Josh
On Tuesday January 04, 2011, John Ma wrote:
> Hi community,
>
> I am attempting to integrate VCL2.2 with CAS (http://www.jasig.org/cas)
> and wondering whether someone could provide a brief introduction of VCL's
> authentication mechanism.
>
> I want to keep VCL user table for authorization but off load
> authentication to CAS. I am familiar with CAS and know the basics of PHP
> and Perl programming.
>
>
> Thanks in advance,
>
> John Ma
> sys admin
> Marist College
- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
iEYEARECAAYFAk0t84AACgkQV/LQcNdtPQNuNQCfWhgxBc7YmTDJJH5oKRQ0vSwX
yGoAn3SYs4julGgnHvq4rZJ0lqomWlcu
=1ATu
-----END PGP SIGNATURE-----
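Josh's recipe hinges on step 6: once step 7b sets $authed = 1 unconditionally, VCL trusts that Apache already forced CAS authentication for the request. If the .htaccess protection is missing, or does not cover the file that runs initGlobals, $_SERVER['REMOTE_USER'] is simply absent and the two lines in step 7b would mark an anonymous visitor as authenticated with the userid "@Marist". The following is an added example, not Josh's attached casauth.php (which is not on this page) and not VCL project code, showing a fail-closed form of step 7b that only accepts the request when REMOTE_USER was actually populated by Apache and looks like a plain login name. The affiliation name "Marist" follows the thread; the function name is illustrative.

```php
<?php
// Added example: a fail-closed replacement for the two lines in step 7b.
// Assumptions (not from the thread): this runs inside initGlobals() after
// the '# start auth check' ... '# end auth check' block has been commented
// out, and the affiliation is "Marist" as in Josh's instructions.

// Map Apache's REMOTE_USER to VCL's "login@affiliation" userid, or return
// null when the request must not be treated as authenticated.
function remoteUserToVclUserid(array $server, $affiliation = 'Marist')
{
    // REMOTE_USER is set by the Apache authentication module, never by the
    // client. If it is missing, the .htaccess protection did not run for
    // this request, so there is nothing to trust.
    if (empty($server['REMOTE_USER'])) {
        return null;
    }
    $login = $server['REMOTE_USER'];

    // Require a plain identifier. A principal that already contains '@' or
    // other separators would otherwise produce a userid that does not
    // correspond to the row VCL keyed on "login@Marist".
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login)) {
        return null;
    }
    return $login . '@' . $affiliation;
}

// Drop-in for step 7b inside initGlobals():
$userid = remoteUserToVclUserid($_SERVER);
if ($userid === null) {
    // Fail closed rather than continuing as an anonymous "@Marist" user.
    header('HTTP/1.1 403 Forbidden');
    exit('Authentication required');
}
$authed = 1;
```

A quick check that the guard is doing its job: request index.php from a host or path where the .htaccess rule is deliberately not applied and confirm you get the 403 rather than a VCL session; with Josh's original two lines that same request would land on the logged-in home page.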