CAS authentication

nicolas-25 2006-05-17 09:45:50 UTC #1

Hello !

I’m working for a french university which is interested about using
egroupware. I want to add more options like CAS authentication, or
using LDAP in read-only mode (no LDAP modification is allowed).
I’m trying to add this options, and I want to ask if someone will be
interested about that.

thanks,
Nicolas

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Oscar_Manuel_Gomez_S 2006-05-18 08:06:21 UTC #2

nicolas escribió:

Hello !

I’m working for a french university which is interested about using
egroupware. I want to add more options like CAS authentication, or
using LDAP in read-only mode (no LDAP modification is allowed).
I’m trying to add this options, and I want to ask if someone will be
interested about that.

If I understand correctly, that is implemented since long ago in egw.
The difference is to use SQL as storage method instead of LDAP in
/setup, and LDAP as auth method.

Regards.

----------------------------------------------------------------------|
http://counter.li.org info: Linux user: 92390 - Linux machine: 39301 |
Oscar Manuel Gómez Senovilla - omgsATescomposlinux.org |
GPG Key at http://pgp.escomposlinux.org |
----------------------------------------------------------------------|

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

nicolas-25 2006-05-18 09:35:47 UTC #3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nicolas escribió:
Hello !

I’m working for a french university which is interested about using
egroupware. I want to add more options like CAS authentication, or
using LDAP in read-only mode (no LDAP modification is allowed).
I’m trying to add this options, and I want to ask if someone will
be
interested about that.

If I understand correctly, that is implemented since long ago in egw.
The difference is to use SQL as storage method instead of LDAP in
/setup, and LDAP as auth method.

Regards.

[/quote]
Sorry if i didn’'t explain very well.
In fact, I use CAS (SSO) as auth method. The goal of this is to
integrate egroupware with others applications using the same
authentication.
About the storage, egw looks at LDAP to get information about
accounts, but store them into SQL. There are a lot of applications
which use the same LDAP, so we don’t want to change entries. And we
don’t need necessary the LDAP password if we only read LDAP entries
(for security, I think it’s better to not store this password,
encrypted or not).

Regards,
Nicolas

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Oscar_Manuel_Gomez_S 2006-05-18 10:07:17 UTC #4

nicolas escribió:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nicolas escribió:
Hello !

I’m working for a french university which is interested about using
egroupware. I want to add more options like CAS authentication, or
using LDAP in read-only mode (no LDAP modification is allowed).
I’m trying to add this options, and I want to ask if someone will
be
interested about that.

If I understand correctly, that is implemented since long ago in egw.
The difference is to use SQL as storage method instead of LDAP in
/setup, and LDAP as auth method.

Regards.

[/quote]
Sorry if i didn’'t explain very well.
In fact, I use CAS (SSO) as auth method. The goal of this is to
integrate egroupware with others applications using the same
authentication.
About the storage, egw looks at LDAP to get information about
accounts, but store them into SQL. There are a lot of applications
which use the same LDAP, so we don’t want to change entries. And we
don’t need necessary the LDAP password if we only read LDAP entries
(for security, I think it’s better to not store this password,
encrypted or not).

Where are the passwords then stored? If they’re in LDAP, then what you
need is to use LDAP as storage instead of SQL. In my experience, if you
want to see the user data correctly, apart from making sure you have the
phpgwAccount objectclass for every user, define the givenName and
displayName attributes. Of course, you say you don’t have write access,
but I don’t find any security risk in having self enabled for changes,
what means that every user, if authenticated, can change update data.
Anyway, there should be no problem in storing passwords in SQL, since
they’re encrypted, and the admin (I guess you are the admin), if is
worried for that, can restrict the db (even the egw_accounts table) to
be readable only by the db user specified in egw setup.

Regards.

----------------------------------------------------------------------|
http://counter.li.org info: Linux user: 92390 - Linux machine: 39301 |
Oscar Manuel Gómez Senovilla - omgsATescomposlinux.org |
GPG Key at http://pgp.escomposlinux.org |
----------------------------------------------------------------------|

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

nicolas-25 2006-05-18 14:35:51 UTC #5

Where are the passwords then stored? If they’re in LDAP, then what
you
need is to use LDAP as storage instead of SQL. In my experience, if
you
want to see the user data correctly, apart from making sure you have
the
phpgwAccount objectclass for every user, define the givenName and
displayName attributes. Of course, you say you don’t have write
access,
but I don’t find any security risk in having self enabled for
changes,
what means that every user, if authenticated, can change update
data.
Anyway, there should be no problem in storing passwords in SQL,
since
they’re encrypted, and the admin (I guess you are the admin), if is
worried for that, can restrict the db (even the egw_accounts table)
to
be readable only by the db user specified in egw setup.

Regards.

There aren’t passwords anymore. Users are authenticated by CAS with a
login and a pwd, then a session starts automatically with the same
login (the pwd can not be known by egw).
I saw that a password is used when an imap connection is asked, but
it’s possible to send a CAS ticket (PT) instead of it (like the horde
casified method). And for the moment, egw don’t need to store pwd and
don’t need to store them in LDAP.

I understand that there are no security problem in storing the LDAP
admin’s pwd. But if we specify it, I don’t want egw is able to modify
LDAP entries (when others applications use the same LDAP, we don’t
want that informations can be added or changed all the time). We read
into LDAP (in order to create or change egw account automatically when
we want), but informations are storing in SQL for future uses.
I think this last part is specific for my university, but I think
maybe somebody is interested by this.

Regards

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Arnault 2006-09-28 09:04:12 UTC #6

I’m working in a french university too, and I’m very interesting by a CAS authentification for egroupware. Before to start a CAS module for egroupware, can I ask you if you have done some work about it ?

Thanks,

Arnault

Hello !

thanks,
Nicolas

[/quote]

jdef 2009-03-11 16:44:23 UTC #7

Hello,

I’m also trying to find out how to setup EGW using the same parameters.
Have you reach to set it up as you wanted to do?

Bonjour,

J’ai consulté vos messages datant d’il y a quelques temps sur le forum Nabble, au sujet de votre souhait de configurer egroupware de la façon suivante :

Authentification avec CAS (donc le mot de passe utilisateur n’est pas connu au niveau de l’application)
Annuaire LDAP en lecture seule
Et le stockage des informations en SQL.

J’utilise EGW 1.6 et cherche à mettre en place la même configuration.
J’aurais souhaité savoir si vous avez réussi? ou bien, faute d’information, abandonné?

Dans l’attente de vos nouvelles,

Cordialement,