CASifying TWiki

Using TWiki's CasLogin contrib

You may try the TWiki contrib intended for CAS login: http://twiki.org/cgi-bin/view/Plugins/CasLoginContrib

Alternatively, you can do it manually by following the tutorial below:

Through ApacheLogin

This is a brief rundown of the steps that we used to CASify our install of TWiki.

I didn't actually set up our TWiki installation; I just worked on adapting it from using LDAP auth to CAS. I'll try to give the relevant info here.

TWiki Config

For the TWiki config, I will list the config settings that I believe are necessary for it to work:

We are using CGI::Session
    Under Security setup under Sessions:
        {UseClientSessions} is selected
        {Sessions}{UseIPMatching} is selected
    Under Security setup under Authentication:
        {LoginManager} is TWiki::Client::ApacheLogin
        {MapUserToWikiName} is selected
    Under Security setup under Passwords:
        {PasswordManager} is none
    Under Security setup under Registration:
        {Register}{AllowLoginName} is selected
        {Register}{HidePasswd} is selected
        {Register}{NeedVerification} is not selected

I believe that is all that is relevant for the TWiki settings. I will address specific TWiki httpd.conf settings later.

mod_cas Module compilation and Configuration

As far as CAS, I pulled the latest svn copy of the mod_cas client from http://opensource.case.edu/svn/CAS/mod_cas/trunk/ . I then built it (without modification) using apxs. Essentially `/usr/sbin/apxs -i -c mod_cas.c ssl_client.c`. This compiled the module and installed it in Apache's modules directory.

I then needed to make Apache aware of the module and its config settings. In /etc/httpd/conf.d we store Apache config files that are loaded at startup. I added a cas.conf file in there containing the following:

LoadModule cas_module    modules/mod_cas.so

<IfModule mod_cas.c>
  CASDebug On
  CASLocalCacheFile /tmp/cas.local.cache
  CASLocalCacheSize 1000
  CASLocalCacheTimeout 7200
  CASLocalCacheInsecure OFF

  CASTrustedCerts /etc/httpd/conf/entrust_ca.pem
  CASLoginURL https://cashost.university.edu/url_to_cas_login
  CASHost cashost.university.edu
  CASPort 443
  CASMethod GET
  CASValidate /url_to_cas_validate
</IfModule>

Obviously, CASLoginURL, CASHost, and CASValidate would need to be adjusted for your setup. Note the CASValidate does not contain the host portion of the URL. In addition, you need to get the CA cert for whoever signed the SSL cert for your CAS server. We use Entrust so I just downloaded their CA cert and put it at the location listed as CASTrustedCerts. You can turn CASDebug Off when you verify things are working correctly.

TWiki specific mod_cas settings

Now, for TWiki specific httpd.conf settings. We include our twiki_httpd_conf file at the end of our regular Apache httpd.conf. This seems to be pretty standard practice according to the TWiki documentation. So, in that config file, I only needed to add the following information:

<Location "/twiki/bin/logon">
       AuthType CAS
       AuthName "CAS"
       require valid-user
</Location>

<Location "/twiki/bin/register">
       AuthType CAS
       AuthName "CAS"
       require valid-user
</Location>

<Location "/twiki/bin/view/TWiki/TWikiRegistration">
       AuthType CAS
       AuthName "CAS"
       require valid-user
</Location>

<Location "/twiki/bin/viewauth">
       AuthType CAS
       AuthName "CAS"
       require valid-user
</Location>

This will protect the logon, register, and TWikiRegistration portions with CAS. As I mentioned in my email to the CAS list, we have turned off the registration, so the register and TWikiRegistration portions aren't really needed.

If you wish to make your wiki a "Private" wiki that only allows access to authenticated users, you could use the following entry instead of the others:

<Location "/twiki">
        AuthType CAS
        AuthName "CAS"
        require valid-user
</Location>

If you go this route, you can't really log out of the wiki, since the logout function takes you back to the main page, and since the entire root is covered by CAS it will let you back in with your session.
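As an added check (example code, not part of the original page or of mod_cas), the script below lints a cas.conf/twiki_httpd_conf fragment for the two things discussed above: that every TWiki script named here sits inside a <Location> with AuthType CAS and require valid-user (a single <Location "/twiki"> counts, since Apache matches Location by prefix), and that CASValidate carries no host part while CASTrustedCerts is set. The sample config, the REQUIRED_PATHS list and the function names are constructed for this example.

```python
import re
# Constructed sample, modelled on the page's cas.conf and twiki_httpd_conf, with two deliberate
# mistakes: CASValidate carries the host part, and only the logon script is put behind CAS.
SAMPLE_CONF = """\
<IfModule mod_cas.c>
  CASTrustedCerts /etc/httpd/conf/entrust_ca.pem
  CASValidate https://cashost.university.edu/url_to_cas_validate
</IfModule>
<Location "/twiki/bin/logon">
  AuthType CAS
  AuthName "CAS"
  require valid-user
</Location>
"""
# TWiki scripts the page puts behind CAS (the register pair matters only if registration is open).
REQUIRED_PATHS = ["/twiki/bin/logon", "/twiki/bin/viewauth",
                  "/twiki/bin/register", "/twiki/bin/view/TWiki/TWikiRegistration"]
LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)

def parse_locations(conf):
    """Map each <Location> path to its directives (lower-cased name -> value)."""
    locs = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip().strip('"')
        locs[path] = directives
    return locs

def cas_protected(d):
    return d.get("authtype", "").upper() == "CAS" and d.get("require") == "valid-user"

def find_unprotected(conf, required=REQUIRED_PATHS):
    """Required paths not covered by a CAS-protected <Location> (Apache matches Location by prefix)."""
    protected = [p for p, d in parse_locations(conf).items() if cas_protected(d)]
    return [p for p in required
            if not any(p == q or p.startswith(q.rstrip("/") + "/") for q in protected)]

def check_cas_globals(conf):
    """Flag the cas.conf points the page calls out: a host inside CASValidate, CASTrustedCerts unset."""
    problems = []
    m = re.search(r"^\s*CASValidate\s+(\S+)", conf, re.M)
    if m and re.match(r"https?://", m.group(1), re.I):
        problems.append("CASValidate must be a path only, not a full URL")
    if not re.search(r"^\s*CASTrustedCerts\s+\S+", conf, re.M):
        problems.append("CASTrustedCerts is not set")
    return problems
```

Run it against the real files after each change to the Location blocks; an empty list from both functions means the endpoints and the validation settings match what this page describes.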

That just about does it. I would suggest trying to set up TWiki standalone first to get a feel for it, and then go about doing these modifications. Our approach was to get TWiki installed as a testing base to see if we even wanted to use it. Then, after we decided that we liked it, we moved it to auth off of our central LDAP. Only recently have we decided that we would like to tie it in with our new CAS deployment.