CASifying TWiki
 Using TWiki's CasLogin contrib
You may try a TWiki contrib intended for CAS login: http://twiki.org/cgi-bin/view/Plugins/CasLoginContrib
You may alternatively try to do it manually following the tutorial below:
 Through ApacheLogin
This is a brief rundown of the steps that we used to CASify our install of TWiki.
I didn't actually set up our TWiki installation; I just worked on adapting it from using LDAP auth to CAS. I'll try and give the relevant info here.
TWiki Config
For the TWiki config, I will list the config settings that I believe are necessary for it to work:
We are using CGI::Session.
Under Security setup, under Sessions:
    {UseClientSessions} is selected
    {Sessions}{UseIPMatching} is selected
Under Security setup, under Authentication:
    {LoginManager} is TWiki::Client::ApacheLogin
    {MapUserToWikiName} is selected
Under Security setup, under Passwords:
    {PasswordManager} is none
Under Security setup, under Registration:
    {Register}{AllowLoginName} is selected
    {Register}{HidePasswd} is selected
    {Register}{NeedVerification} is not selected
I believe that is all that is relevant for the TWiki settings. I will address specific TWiki httpd.conf settings later.
mod_cas Module compilation and Configuration
As for CAS, I pulled the latest svn copy of the mod_cas client from http://opensource.case.edu/svn/CAS/mod_cas/trunk/ . I then built it (without modification) using apxs. Essentially `/usr/sbin/apxs -i -c mod_cas.c ssl_client.c`. This compiled the module and installed it in Apache's modules directory.
I then needed to make Apache aware of the module and its config settings. In /etc/httpd/conf.d we store Apache config files that are loaded at startup. I added a cas.conf file in there containing the following info:
    LoadModule cas_module modules/mod_cas.so
    <IfModule mod_cas.c>
        CASDebug On
        CASLocalCacheFile /tmp/cas.local.cache
        CASLocalCacheSize 1000
        CASLocalCacheTimeout 7200
        CASLocalCacheInsecure OFF
        CASTrustedCerts /etc/httpd/conf/entrust_ca.pem
        CASLoginURL https://cashost.university.edu/url_to_cas_login
        CASHost cashost.university.edu
        CASPort 443
        CASMethod GET
        CASValidate /url_to_cas_validate
    </IfModule>
Obviously, CASLoginURL, CASHost, and CASValidate would need to be adjusted for your setup. Note that CASValidate does not contain the host portion of the URL. In addition, you need to get the CA cert for whoever signed the SSL cert for your CAS server. We use Entrust, so I just downloaded their CA cert and put it at the location listed as CASTrustedCerts. You can turn CASDebug Off once you verify things are working correctly.
TWiki specific mod_cas settings
Now, for TWiki specific httpd.conf settings. We include our twiki_httpd_conf file at the end of our regular Apache httpd.conf. This seems to be pretty standard practice according to the TWiki documentation. So, in that config file, I only needed to add the following information:
    <Location "/twiki/bin/logon">
        AuthType CAS
        AuthName "CAS"
        require valid-user
    </Location>
    <Location "/twiki/bin/register">
        AuthType CAS
        AuthName "CAS"
        require valid-user
    </Location>
    <Location "/twiki/bin/view/TWiki/TWikiRegistration">
        AuthType CAS
        AuthName "CAS"
        require valid-user
    </Location>
    <Location "/twiki/bin/viewauth">
        AuthType CAS
        AuthName "CAS"
        require valid-user
    </Location>
This will protect the logon, register, and TWikiRegistration portions with CAS. As I mentioned in my email to the CAS list, we have turned off the registration, so the register and TWikiRegistration portions aren't really needed.
If you wish to make your wiki a "Private" wiki that only allows access to authenticated users, you could use the following entry instead of the others:
    <Location "/twiki">
        AuthType CAS
        AuthName "CAS"
        require valid-user
    </Location>
If you go this route, you can't really log out of the wiki, since the logout function takes you back to the main page, and since the entire root is covered by CAS it will let you back in with your session.
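A pre-reload check for the configuration described above, added here as an example (it is not part of the original write-up or of mod_cas). It flags CASDebug left On, a missing CASTrustedCerts, a non-https CASLoginURL, a CASValidate that includes the host, and TWiki paths not covered by a CAS Location block. The function name audit, the EXPECTED list and the prefix-based Location matching are assumptions of this sketch; the sample config is constructed with deliberate mistakes.

```python
import re

# Constructed sample: the page's settings with three deliberate mistakes
# (debug left on, host included in CASValidate, a Location without "require").
SAMPLE = """\
CASDebug On
CASTrustedCerts /etc/httpd/conf/entrust_ca.pem
CASLoginURL https://cashost.university.edu/url_to_cas_login
CASValidate https://cashost.university.edu/url_to_cas_validate
<Location "/twiki/bin/logon">
AuthType CAS
require valid-user
</Location>
<Location "/twiki/bin/viewauth">
AuthType CAS
</Location>
"""

# Assumption: paths that must sit behind CAS. register and TWikiRegistration
# are left out because the page notes they are unneeded with registration off.
EXPECTED = ["/twiki/bin/logon", "/twiki/bin/viewauth"]

def audit(conf):
    findings = []
    # Collect CAS* directives (Apache directive names are case-insensitive).
    d = {k.lower(): v.strip() for k, v in
         re.findall(r"^[ \t]*(CAS\w+)[ \t]+(.+)$", conf, re.M | re.I)}
    if d.get("casdebug", "off").lower() == "on":
        findings.append("CASDebug is still On")
    if not d.get("castrustedcerts"):
        findings.append("CASTrustedCerts is not set")
    if not d.get("casloginurl", "").lower().startswith("https://"):
        findings.append("CASLoginURL is not an https URL")
    if not d.get("casvalidate", "").startswith("/"):
        findings.append("CASValidate must be a path without the host")
    # (path, body) per <Location>; prefix matching simplifies Apache's rules.
    blocks = re.findall(r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>',
                        conf, re.S | re.I)
    for path in EXPECTED:
        bodies = [b for p, b in blocks
                  if path == p or path.startswith(p.rstrip("/") + "/")]
        ok = any(re.search(r"^\s*AuthType\s+CAS\s*$", b, re.M | re.I) and
                 re.search(r"^\s*require\s+valid-user\s*$", b, re.M | re.I)
                 for b in bodies)
        if not ok:
            findings.append(f"{path} is not protected by CAS + require valid-user")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass it the combined text of cas.conf and the TWiki httpd include; an empty list means none of the checks fired.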
That just about does it. I would suggest trying to set up TWiki standalone first to get a feel for it, and then go about doing these modifications. Our approach was to get TWiki installed as a testing base to see if we even wanted to use it. Then, after we decided that we liked it, we moved it to auth off of our central LDAP. Only recently have we decided that we would like to tie it in with our new CAS deployment.