Difference between revisions of "CAS"

From EPrints Documentation

Revision as of 09:44, 22 August 2007

This page explains how to use a CAS server to authenticate users in EPrints.

Install a secure host

The first thing you'll have to do is to install a secure host.

Apache2::AuthCAS

This Perl library lets you communicate easily with a CAS server.

Install the lib

This can be done with the command: perl -MCPAN -e 'install Apache2::AuthCAS'

More information is available at http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.1/lib/Apache2/AuthCAS.pm

Create the database to store cookies

You should find the schema at http://search.cpan.org/src/JHITT/Apache2-AuthCAS-0.1/schemaPg.sql. It is written for PostgreSQL, but the same types are accepted by MySQL, which is what you will use if the tables live in the EPrints database:

-- Schema for use with PostgreSQL
-- (note: the file as shipped is missing the comma after the pgtiou column)

CREATE TABLE cas_sessions (
	id		varchar(32) not null primary key,
	last_accessed	int8 not null,
	user_id		varchar(32) not null,
	pgtiou		varchar(64),
	pgt		varchar(64)
);

CREATE INDEX cas_sessions_id_index ON cas_sessions(id);
CREATE INDEX cas_sessions_pgtiou_index ON cas_sessions(pgtiou);

Configure your secure host

You must provide some information such as the CAS host. You can provide it in your virtual host configuration or in AuthCAS.pm. See the module page on CPAN for the full list of settings.

Also edit $EPRINTS_ROOT/archives/$ARCHIVE_ID/cfg/auto-secure.conf and make the following changes:

Remove lines:

   AuthType "Basic"
   PerlAuthenHandler EPrints::Auth::authen


and add:

   AuthType Apache2::AuthCAS
   AuthName "CAS"
   PerlAuthenHandler Apache2::AuthCAS->authenticate

Load the module

Finally, don't forget to load Apache2::AuthCAS in your Apache configuration!

Eprints::Session edit

Now edit the $EPRINTS_PATH/perl_lib/EPrints/Session.pm. First add this line:

use CGI qw(:standard -nph);

This gives you the raw_cookie function, which returns the value of a named HTTP cookie. Then go to the current_user function definition, where you have to put the uid provided by the AuthCAS module into $username. To do so, run an SQL query of this form, binding the ticket as a parameter rather than interpolating it into the statement (the cookie value is supplied by the client, so interpolating it would allow SQL injection):

$sql = "SELECT uid FROM cas_sessions WHERE id = ?";

Here $user_ticket is the value stored in the AuthCAS HTTP cookie:

my $user_ticket = raw_cookie('APACHECAS');

Note that 'APACHECAS' is the default name for the AuthCAS cookie, but you may have changed it. Likewise, the column holding the username is uid in the Apache::AuthCAS 0.4 schema and user_id in the Apache2::AuthCAS schema shown above; use the name your installed schema defines.

Here is code that should work if you have installed the AuthCAS SQL tables in the same database as your EPrints tables:

sub current_user
{
        my( $self ) = @_;

        # If we've already done this once, no point
        # in doing it again.
        unless( defined $self->{currentuser} )
        {
                my $username = "";
                my $user_ticket = "";
                if( defined $ENV{HTTP_CAS_FILTER_USER} ) # just connected with CAS, no cookie set yet
                {
                        $username = $ENV{HTTP_CAS_FILTER_USER};
                }
                elsif( defined $self->{archive}->get_conf( "cassessioncookiename" ) ) # CAS auth seems configured...
                {
                        $user_ticket = raw_cookie( $self->{archive}->get_conf( "cassessioncookiename" ) );
                        if( defined $user_ticket && $user_ticket ne "" ) # indeed we've got a cookie :)
                        {
                                # The ticket comes from a client-supplied cookie, so it is bound as a
                                # parameter rather than interpolated into the SQL. Use "user_id" instead
                                # of "uid" if your AuthCAS schema names the column that way.
                                my $sql = "SELECT uid FROM cas_sessions WHERE id = ?";
                                my $sth = $self->{database}->prepare( $sql );
                                # prepare returns a DBI statement handle; execute it directly
                                # so that the bind value can be passed
                                $sth->execute( $user_ticket );

                                while( my @info = $sth->fetchrow_array ) {
                                        # keep the last colon-separated component of the stored id
                                        my @list = split( ":", $info[0] );
                                        foreach( @list ) { $username = $_; }
                                }
                                $sth->finish;
                        }
                }
                else # using default EPrints authentication
                {
                        $username = $ENV{'REMOTE_USER'};
                }

                if( defined $username && $username ne "" )
                {
                        $self->{currentuser} =
                                EPrints::User::user_with_username( $self, $username );
                }
        }

        return $self->{currentuser};
}

This code assumes the AuthCAS SQL tables are stored in the same database as the rest of the EPrints server. It won't work if you use a PostgreSQL database, or even if you store the AuthCAS tables in another MySQL database. If you have a good reason to use a separate database, you will have to change a few lines to make it work.
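As an added example (not code from this wiki page or from Apache2::AuthCAS), here is the cookie-to-username lookup that current_user performs, written stand-alone with the ticket bound as a parameter and a session age check on last_accessed; it assumes DBI and DBD::SQLite are installed, and the table and rows are constructed inside the script.

```perl
#!/usr/bin/perl
# Added example, not part of the EPrints wiki page or of Apache2::AuthCAS.
# Resolves a CAS session cookie to a username the way current_user above
# does, but with the ticket bound as a parameter and stale sessions
# rejected via last_accessed. Assumes DBI and DBD::SQLite are installed;
# the in-memory table and its rows are constructed for the demonstration.
use strict;
use warnings;
use DBI;

# $column is the user column name: "uid" in the Apache::AuthCAS 0.4 schema,
# "user_id" in the Apache2::AuthCAS schema shown on this page.
# Sessions last touched more than $max_age seconds ago count as absent.
sub cas_username_for_ticket
{
    my( $dbh, $ticket, $column, $max_age ) = @_;
    return undef unless defined $ticket && $ticket ne "";
    # a column name cannot be bound, so it is checked against a fixed list
    die "unexpected column name" unless $column =~ /^(uid|user_id)$/;
    my $sth = $dbh->prepare(
        "SELECT $column, last_accessed FROM cas_sessions WHERE id = ?" );
    $sth->execute( $ticket );    # the cookie value travels as a bind value
    my( $username, $last ) = $sth->fetchrow_array;
    $sth->finish;
    return undef unless defined $username;
    return undef if time() - $last > $max_age;
    return $username;
}

# constructed fixture using the Apache2::AuthCAS table layout
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1 } );
$dbh->do( "CREATE TABLE cas_sessions (
    id varchar(32) not null primary key, last_accessed int8 not null,
    user_id varchar(32) not null, pgtiou varchar(64), pgt varchar(64) )" );
my $ins = $dbh->prepare( "INSERT INTO cas_sessions VALUES (?,?,?,?,?)" );
$ins->execute( "abc123", time(),        "alice", undef, undef );
$ins->execute( "old456", time() - 7200, "bob",   undef, undef );

# a valid ticket, a stale one, an unknown one, and one carrying a quote
# character that an interpolated query would have spliced into the SQL
for my $t ( "abc123", "old456", "nosuch", "abc12'3" ) {
    my $u = cas_username_for_ticket( $dbh, $t, "user_id", 3600 );
    printf "%-10s -> %s\n", $t, defined $u ? $u : "(no session)";
}
```

Only the first ticket resolves to a user; the stale, unknown and quote-bearing tickets all come back as "(no session)" without touching the SQL text.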

I'm a busy man, give me a patch!

Okay, here is a patch which includes changes to files:

  • Config.pm
  • configure_archive
  • generate_apacheconf
  • Session.pm

It was made with Eprints version 2.3.13. CAS Authentication patch for Gnu eprints

Once your eprints gets patched, you have to:

  • install the Apache::AuthCAS module and create the associated tables in your EPrints database (see above)
  • run configure_archive (answer yes to «configure secure host» and «use CAS authentication»)
  • run generate_apacheconf
  • restart your webserver

You should now be able to login through your CAS server.

Once CAS is working, you may need to copy the user entry from an LDAP server. This can be done as described in the Integrating_EPrints_with_LDAP article of this wiki, or like this:

Our LDAP configuration

In the file perl_lib/EPrints/User.pm, go to the user_with_username function and replace it with the following:

use Net::LDAP;
use Net::LDAP::Util qw( escape_filter_value );

sub user_with_username
{
        my( $session, $username ) = @_;
        my $user_ds = $session->get_archive()->get_dataset( "user" );
        my $searchexp = new EPrints::SearchExpression(
                session=>$session,
                dataset=>$user_ds );
        $searchexp->add_field(
                $user_ds->get_field( "username" ),
                $username,
                "EX" );
        my $searchid = $searchexp->perform_search;
        # fetch the first matching record, as the stock EPrints 2.3 function does
        my @records = $searchexp->get_records( 0, 1 );
        my $user;
        # if no record was found and an LDAP host is configured, try to add a new record
        if( !defined $records[0] and $session->{archive}->get_conf( "ldaphost" ) ne "" ){
                # bring back data from the LDAP server; give an ldaps:// host
                # (or call start_tls) so the bind password is not sent in clear
                my $ldap = Net::LDAP->new( $session->{archive}->get_conf( "ldaphost" ) ) or die "$@";
                my $userToAuthenticate = $session->{archive}->get_conf( "ldapuser" );
                my $passwd = $session->{archive}->get_conf( "ldappass" );
                my $base = $session->{archive}->get_conf( "ldapbase" );
                my $additionalCriteria = $session->{archive}->get_conf( "ldapsearchstring" );
                # escape the username so it cannot alter the structure of the LDAP filter
                my $searchString = "uid=" . escape_filter_value( $username );
                if( $additionalCriteria ne "" ){
                        $searchString="