PAM Module
Yale PAM client distribution
The Yale CAS client distribution includes a PAM module suitable for CAS-authenticating, say, an IMAP server.
esup-portail PAM client distribution
Esup-portail also distributes an enhanced version of the PAM module.
Documentation is available here.
The following are what I believe to be some of the enhancements present in the esup-portail module beyond what is available in Yale PAM_CAS, as of the time of this writing. If this characterization can be made more accurate, please comment upon or edit this Wiki page. However, it is to be expected that esup-portail's documentation of their PAM module is always going to be more up-to-date and authoritative than this Wiki page.
- improved debugging
- certificate management: only the certificate of the top-level Certificate Authority is necessary
- Parameters are written in a configuration file (rather than being compiled in):
    auth sufficient /lib/security/pam_cas.so -simap://imap.univ.fr -f/etc/pam_cas.conf

    # sample pam_cas config

    # Host of the CAS server. Mandatory.
    host auth.univ.fr

    # Port of the CAS server. Defaults to 80 or 443, depending on the ssl setting.
    port 443

    # URI used to validate the ticket. Defaults to /proxyValidate.
    uriValidate /proxyValidate

    # Use HTTPS or not. Values: on or off. Defaults to on.
    ssl on

    # Debug on or off. Debug output goes to syslog at level LOG_DEBUG. Defaults to off.
    debug off

    # Proxy or proxies that deliver Proxy Tickets.
    # If no proxy is given, pam_cas doesn't check it.
    # There may be several proxy instructions.
    proxy https://etumel.univ-nancy2.fr/cas/casProxy.php
    proxy https://ent1.univ-nancy2.fr/CasProxyServlet
    proxy https://ent2.univ-nancy2.fr/CasProxyServlet
    proxy https://ent3.univ-nancy2.fr/CasProxyServlet
    proxy https://esupdev1.univ-nancy2.fr/julien/CasProxyServlet

    # trusted_ca. Mandatory if ssl is on.
    # It is a file in PEM format. It can contain several certificates.
    # If the CAS server certificate is self-signed, the file must contain that certificate.
    # If the certificate is signed by a Certificate Authority, the file must contain
    # the certificate of the top-level CA.
    trusted_ca /Cert/ac-racine.pem
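As an added example (not code from the esup-portail distribution or from this page), the following Python sketch audits a pam_cas.conf using the defaults and mandatory settings described in the sample file's comments. The example.edu hostnames, the whole-line-comment parsing rule and the https-only check on proxy URLs are assumptions made here.

```python
# Added example: audit a pam_cas.conf against the rules in its own comments.
SAMPLE = """\
# constructed sample input, not a real deployment
host auth.example.edu
ssl on
proxy https://portal.example.edu/CasProxyServlet
"""

def parse(text):
    """Parse 'keyword value' lines. Assumption: '#' only starts whole-line comments."""
    conf = {"proxy": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "proxy":          # 'proxy' may appear several times
            conf["proxy"].append(value)
        else:
            conf[key] = value
    # Defaults as documented in the sample file's comments.
    conf.setdefault("ssl", "on")
    conf.setdefault("port", "443" if conf["ssl"] == "on" else "80")
    conf.setdefault("uriValidate", "/proxyValidate")
    conf.setdefault("debug", "off")
    return conf

def audit(conf):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if not conf.get("host"):
        findings.append("host is mandatory")
    if conf["ssl"] != "on":
        findings.append("ssl off: ticket validation goes over plain HTTP")
    elif not conf.get("trusted_ca"):
        findings.append("trusted_ca is mandatory when ssl is on")
    if not conf["proxy"]:
        findings.append("no proxy lines: issuing proxy is not checked")
    for url in conf["proxy"]:
        if not url.startswith("https://"):   # assumption: treat non-https as a finding
            findings.append("proxy is not an https URL: " + url)
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print("WARN", finding)
```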
Thanks to Vincent Mathieu for writing on the CAS discussion list on this point. His email seeded this Wiki page.