
As the web2py documentation explains (http://web2py.com/books/default/chapter/29/09?#Central-Authentication-Service), a web2py installation already provides a CAS server, so no extra configuration is needed on the provider side. In this example the CAS provider (web2py) authenticates users against an LDAP server, and an Apache web server acts as the CAS consumer, relying on web2py for the login.

First we prepare the web2py provider to authenticate against LDAP. In this case:

We authenticate by username rather than by email:

auth.define_tables(username=True, signature=False)

 

No new user group is created when a user authenticates for the first time:

auth.settings.create_user_groups=False

 

We disable all of the following actions, since accounts and passwords live in LDAP and must not be created or changed locally in web2py:

auth.settings.actions_disabled=['register','change_password','request_reset_password','retrieve_username', 'profile']

 

We add the LDAP configuration. The connection uses LDAPS (secure=True, port 636), the user is searched for under base_dn, and only members of the LDAP group ApacheGroup are allowed to log in. Note that secure=True only switches the transport to LDAPS; whether the LDAP server's certificate is actually verified is governed by the OpenLDAP client configuration (TLS_REQCERT and TLS_CACERT in ldap.conf) unless the ldap_auth version in use sets its own certificate options, so check that before trusting the link:

from gluon.contrib.login_methods.ldap_auth import ldap_auth
auth.settings.login_methods=[(ldap_auth(mode='uid_r',
        secure=True,
        server='MY_LDAP_URL', port='636',
        base_dn='ou=people,dc=mydomain,dc=com',
        allowed_groups = ["ApacheGroup"],
        group_dn = 'cn=groups,dc=mydomain,dc=com',
        group_name_attrib = 'cn',
        group_member_attrib = 'memberUid',
        group_filterstr = 'objectClass=*'
        ))]

 

The next step is to configure Apache as the CAS consumer. This example uses Ubuntu 11.10, where the module is installed with:

#apt-get install libapache2-mod-auth-cas

 

To enable the module in Apache:

#a2enmod auth_cas

 

Now we configure our VirtualHost in Apache to require CAS authentication, for example:

<VirtualHost *:80>
    ServerName MY_URL_TO_MY_WEB_PAGE
    DocumentRoot /var/www/MY_WEB_PAGE

    CASValidateServer off
    #CASAllowWildcardCert on
    CASCertificatePath  /etc/ssl/certs
    CASLoginURL         https://MY_CAS_PROVIDER.com/cas/default/user/cas/login
    CASValidateURL      https://MY_CAS_PROVIDER.com/cas/default/user/cas/serviceValidate

    <Directory />

         AuthType CAS
         require valid-user

    </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Two things to be aware of in this VirtualHost before using it beyond a test: it listens on port 80, so the service ticket in the redirect back from CAS and the mod_auth_cas session cookie both travel in clear text; in production the service itself should be served over HTTPS. Also, <Directory /> applies the CAS requirement to the whole filesystem, not just the DocumentRoot; scoping it to /var/www/MY_WEB_PAGE (or using <Location />) makes the intent explicit.

If the provider speaks CAS protocol version 1, the validation endpoint is instead:

CASValidateURL      https://MY_CAS_PROVIDER.com/cas/default/user/cas/validate

In our case both mod_auth_cas (via its CASVersion directive) and web2py default to version 2.

 

Now, when you open MY_URL_TO_MY_WEB_PAGE in a browser, Apache automatically redirects you to the CAS provider's login page. Once your username and password have been validated against LDAP, the CAS provider redirects you back to MY_URL_TO_MY_WEB_PAGE (the service) with a service ticket in the query string, and mod_auth_cas checks that ticket against CASValidateURL before letting the request through.
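The exchange described above, written out as an added example (not code from the original slice, from web2py or from mod_auth_cas): a minimal CAS consumer that builds the login redirect, pulls the service ticket out of the return URL, builds the validate URL for protocol version 1 or 2, parses both reply formats, and constructs the TLS context that corresponds to CASValidateServer on or off. The provider base URL, the service URL, the user name and the sample replies are assumptions and constructed data, not captured from a real server.

```python
"""Minimal CAS consumer mirroring what mod_auth_cas does against the web2py provider.
Added example: the URLs and the sample replies below are assumed/constructed."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_BASE = "https://MY_CAS_PROVIDER.com/cas/default/user/cas/"   # assumed provider URL
SERVICE = "http://MY_URL_TO_MY_WEB_PAGE/"                          # assumed service URL
CAS_NS = "{http://www.yale.edu/tp/cas}"                            # CAS 2.0 XML namespace

# Constructed sample replies (not captured from a real server).
SAMPLE_CAS1_OK = "yes\njdoe\n"
SAMPLE_CAS1_NO = "no\n\n"
SAMPLE_CAS2_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_CAS2_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect_url(service=SERVICE, cas_base=CAS_BASE):
    """Step 1: where an unauthenticated browser is sent (the CASLoginURL plus service)."""
    return cas_base + "login?" + urllib.parse.urlencode({"service": service})


def extract_ticket(request_url):
    """Step 2: CAS sends the browser back to <service>?ticket=ST-...; pull the ticket out.
    Returns (ticket, service) where service is the URL with the ticket removed, because
    the service string handed to the validate endpoint must match the one used at login."""
    parts = urllib.parse.urlsplit(request_url)
    query = urllib.parse.parse_qs(parts.query)
    ticket = query.pop("ticket", [None])[0]
    clean = parts._replace(query=urllib.parse.urlencode(query, doseq=True))
    return ticket, urllib.parse.urlunsplit(clean)


def validate_url(ticket, service, version=2, cas_base=CAS_BASE):
    """Step 3: the CASValidateURL for protocol 1 (validate) or 2 (serviceValidate)."""
    endpoint = "validate" if version == 1 else "serviceValidate"
    return cas_base + endpoint + "?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_cas1(body):
    """CAS 1.0 reply is plain text: 'yes\\n<user>\\n' on success, 'no\\n\\n' on failure."""
    lines = body.splitlines()
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None


def parse_cas2(body):
    """CAS 2.0 reply is XML: cas:authenticationSuccess/cas:user, or cas:authenticationFailure."""
    root = ET.fromstring(body)
    user = root.find(f"./{CAS_NS}authenticationSuccess/{CAS_NS}user")
    if user is not None and user.text:
        return user.text.strip()
    return None


def tls_context(capath="/etc/ssl/certs", validate_server=True):
    """Equivalent of CASValidateServer on/off for the call to the validate endpoint.
    capath is read in OpenSSL's hashed-name layout, which is why c_rehash has to be run
    after copying a CA certificate into it. With validate_server=False a man in the
    middle can answer the validate call with a forged success for any user."""
    ctx = ssl.create_default_context()
    if validate_server:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if capath:
            ctx.load_verify_locations(capath=capath)
    else:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validate_ticket(ticket, service, version=2, ctx=None):
    """Steps 3 and 4: ask the CAS server about the ticket; returns the user name or None.
    Network call, so not exercised offline."""
    ctx = ctx or tls_context()
    url = validate_url(ticket, service, version)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return parse_cas1(body) if version == 1 else parse_cas2(body)


if __name__ == "__main__":
    print(login_redirect_url())
    ticket, service = extract_ticket(SERVICE + "?ticket=ST-123-abc")
    print(validate_url(ticket, service), parse_cas2(SAMPLE_CAS2_OK))
```

A real consumer additionally has to treat each ticket as single-use and store the result in its own session (mod_auth_cas does this with its cookie); the point here is that the only thing standing between an attacker and "authenticated as jdoe" is the TLS check on the validate call, which is exactly what CASValidateServer controls.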

 

The VirtualHost above uses CASValidateServer off. This means mod_auth_cas does not check that the certificate presented by the server in CASLoginURL and CASValidateURL (when those use HTTPS) is signed by a CA found in CASCertificatePath, nor that the hostname matches the certificate's Common Name. That is acceptable for a first test, but it leaves the validation call open to a man in the middle who could answer with a forged success response for any user, so switch it to on before exposing the service.

 

With CASValidateServer on, you may get this error:

MOD_AUTH_CAS: Certificate CN does not match MY_URL_TO_MY_WEB_PAGE

 

To resolve this, make sure the certificate of the CA that issued the CAS provider's certificate (or the self-signed certificate itself) is in CASCertificatePath (/etc/ssl/certs), so copy it there. OpenSSL looks up CA certificates in this directory by the hash of the subject name (files named <hash>.0), not by file name, so after copying run the c_rehash utility to create the necessary links:

 

#cd /etc/ssl/certs
#c_rehash

 

If the CAS provider uses a wildcard certificate, also enable CASAllowWildcardCert on (commented out in the example above).

 
