#158 Real - CAS Authentication/Session Management

open
nobody
None
5
2019-02-03
2010-07-09
No

Hey There, I built a phpCAS authentication and session scheme for MRBS. It is set up how you guys do it, so all you need to do is copy it into the web directory and of course make sure that phpCAS is installed on your webserver. Because of how CAS works, I created both an auth and session file which will allow you to effectively use CAS. Sorry about the duplicate postings, this is the real one, my VM was acting up during the first post.

Discussion

  • Patrick McMorran

    Zip containing auth_cas.inc, session_cas.inc, and cas_set.php

     
  • Chad Healey

    Chad Healey - 2011-06-14

    I am trying to use this authentication scheme with my university's CAS. I include this cas_set.php into config.inc.php and fill in all the correct parameters for our CAS. Once all this is done, when I visit my MRBS page all I get is a blank screen with no errors or indication of what is wrong.

    Any ideas?

     
    • Anonymous

      Anonymous - 2013-01-07

      Sorry for the late reply, but this is usually caused by not having php_cas installed on your local webserver, which is a requirement to get CAS authentication to work. Please see the post below by Farzan if you require help setting it up.

       
  • Anonymous

    Anonymous - 2013-01-06

    I THANK YOU REAL AUTHOR "PATRICK" FOR CREATING THIS PLUGIN. I HAVE DOCUMENTED THE STEPS FOR MY REFERENCE BUT IT MIGHT BE HELPFUL FOR OTHERS THUS I AM POSTING IT HERE...

    Download phpCAS from JASIG CAS website or click on this link: https://wiki.jasig.org/display/CASC/phpCAS

    You can directly download the latest version on to your linux machine:

    wget http://downloads.jasig.org/cas-clients/php/current/CAS-1.3.2.tgz

    Now browse to the directory

    cd /usr/share/php FOR CENTOS or
    cd /usr/share/php5 for UBUNTU

    Now run the above command to download the phpCAS

    wget http://downloads.jasig.org/cas-clients/php/current/CAS-1.3.2.tgz

    Extract the zip folder

    tar -zxvf CAS-1.3.2.tgz

    It will create a folder CAS-1.3.2

    Now we have to include the folder path into our php.ini
    FOR UBUNTU the location is

    nano /etc/php5/apache2/php.ini

    FOR CENTOS it is

    nano /etc/php.ini

    It will open the file for you to edit
    Look for the line include_path
    This is what I have done in mine

    include_path = "/usr/share/php"
    This will read all the contents of this location and this is how you install phpCAS.

    Now get the CAS client for MRBS from
    http://sourceforge.net/p/mrbs/feature-requests/158/

    Copy the contents of the zip file into your web directory
    For me it is /var/www/bookings/

    Now edit the file cas_set.php with all the parameters specific to your organization:
    Lines which should be changed:

    $auth["admin"][] = "admin1"; // THIS IS THE ID FOR ADMIN ACCOUNTS, REPLACE IT WITH YOUR DESIRED USER IDs
    $auth["admin"][] = "admin2";

    Change the following line too

    phpCAS::client(CAS_VERSION_2_0,'myschool.school.nz',443,'/sso');

    That's it. Now open the config file of MRBS

    nano config.inc.php

    Add the following line to include cas auth:

    require_once "cas_set.php";

    RESTART YOUR APACHE SERVER

    service apache2 restart

    All Done!

    Hope this will help others.
    Thanks to real author again.

    Farzan
    fqureshi@rosmini.school.nz

     
  • Patrick McMorran

    You should just be able to drop them into the root MRBS directory alongside the other session and authentication handlers and they will become available. Then in the config file you just define cas. Note that you need to have PHPCAS installed on the web server for the plugin I made to work.

     
  • Anonymous

    Anonymous - 2013-08-08

    Ok (ty for the fast response), it seems to work. I put the files in place and included cas_set.php in the config file.

    Do I also need to set this?
    // login system
    $auth["type"]="cas";
    Because it also seems to work without it?

    Now I have another problem: in my layout there is now login/log out and username on top of it. This is not in the menu bar of MRBS. Can you point me in the right direction in the code? I'm searching like nuts :D now

     
  • Hebus

    Hebus - 2013-08-22

    Hey Patrick,
    I need to check if the person who checks in is from the correct department.
    The person can only log in if the CAS attribute department = comwet.
    How can I do this?

     
  • Anonymous

    Anonymous - 2013-09-03

    It looks like it's on line 36, if (phpCAS::isAuthenticated() ..., I added
    **and (phpCAS::getAttribute('department')=='*' and I can still log in even if it is the wrong department?

     
  • Anonymous

    Anonymous - 2013-09-03

    Come on, this is not a hard question I think :(
    I altered line 36 from the cas-auth file

    if (phpCAS::isAuthenticated() and (phpCAS::getAttribute('department')=='xxx' ...
    When I change xxx to a wrong value, I can still log in?
    What am I missing here?

     
    • Patrick McMorran

      Sorry, I haven't had time to write a more robust version to include departments, however the issue is you would instead want to create an if statement that redirects people to the login page if their department does not match. The isAuthenticated() function redirects users to the CAS server. Thus if phpCAS::getAttribute('department')!='xxx' then redirect to an error page of sorts. When I find time I will try and write some logic into the auth file I made.

       
      • Hebus

        Hebus - 2013-09-04

        I have done it like this for the moment on line 59 (in the auth_cas.inc file):

        global $auth;
        $admins = $auth['admin'];
        // User not logged in, user level '0'
        if (!isset($user) or phpCAS::getAttribute('department')!='XXX')  // line 59
        {
          return 0;
        }

        Users can log in but can't add/edit bookings this way. Not really elegant, but it works, in anticipation of Patrick's edit.
        Btw, ty for clearing it up, Patrick.

         
  • Hebus

    Hebus - 2014-11-18

    I'm trying to expand the login filter but I'm stuck. My code line seems to work in a separate test page, but when I added it in MRBS I ran into a problem.

    I'm trying to expand my login code from the above post.
    I made an array in the config file for special users who are not in our department but may log in. Logins need to be employees.

    $special_user[]="A";
    $special_user[]="B";

    Then I changed the code on line 59 in auth_cas.inc into this.

    global $auth;
    $admins = $auth['admin'];
    // User not logged in, user level '0'
    
    if (!isset($user) 
    or (phpCAS::getAttribute('department')!='PS01' and !in_array($user,$special_user) )
    or (!in_array('ugentEmployee', (phpCAS::getAttribute('objectClass')) ) ) )
    
    {
    return 0;
    }
    

    So when the user "A" is not from department ps01 and he is an employee, normally he should be able to log in.
    But it does not work.
    "A" can log in when he is from department "ps01", but when he is not, the special_user part does not seem to work.
    Does somebody see what I'm doing wrong?
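
The login filter discussed in this thread, written as a deny-by-default function (an added example, not part of any post and not MRBS or phpCAS code; written for PHP 7.1 or later). The function names, the $policy array and the sample users are constructed for illustration. The allow-list is passed in as a parameter because a variable set in the config file is not visible inside a PHP function unless it is declared global there, and the quoted lines declare only $auth; attributes are accepted whether they arrive as a string, an array, or not at all.

```php
<?php
// Added example; cas_login_allowed(), attr_values() and $policy are hypothetical names.

/** Normalise a CAS attribute: it may be absent, a single string, or an array. */
function attr_values(array $attrs, string $name): array
{
    return isset($attrs[$name]) ? array_map('strval', (array) $attrs[$name]) : [];
}

/**
 * Deny by default. Allow only an authenticated employee who is either in the
 * permitted department or on the explicit allow-list.
 */
function cas_login_allowed(?string $user, array $attrs, array $policy): bool
{
    if ($user === null || $user === '') {
        return false; // no authenticated CAS user
    }
    if (!in_array($policy['required_class'], attr_values($attrs, 'objectClass'), true)) {
        return false; // not an employee, whatever the department
    }
    if (in_array($user, $policy['special_users'], true)) {
        return true;  // named exception from another department
    }
    return in_array($policy['department'], attr_values($attrs, 'department'), true);
}

// The policy is passed as an argument, so nothing depends on a `global` declaration.
$policy = [
    'department'     => 'PS01',
    'required_class' => 'ugentEmployee',
    'special_users'  => ['A', 'B'],
];

// Constructed sample users. In auth_cas.inc the values would come from
// phpCAS::getUser() and phpCAS::getAttributes() once authentication succeeded.
$cases = [
    ['A', ['department' => 'XY99', 'objectClass' => ['person', 'ugentEmployee']]],
    ['C', ['department' => 'PS01', 'objectClass' => 'ugentEmployee']],
    ['D', ['department' => 'XY99', 'objectClass' => ['ugentEmployee']]],
    ['B', ['department' => 'XY99', 'objectClass' => ['ugentStudent']]],
    ['E', []],
];
foreach ($cases as [$user, $attrs]) {
    $verdict = cas_login_allowed($user, $attrs, $policy) ? 'allow' : 'deny';
    printf("%-2s %s\n", $user, $verdict);
}
```

A false result here corresponds to the `return 0;` (user level 0) branch in the code quoted above; the comparisons are strict and case-sensitive, so 'ps01' and 'PS01' are different departments.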

     
  • Hebus

    Hebus - 2017-01-16

    Does this still work for the 1.5 version?
    I copied the needed extra lines from my still working version into the new version, and when I activate
    require_once 'auth_cas/cas_set.php'; I get an error 500.

     
  • Anonymous

    Anonymous - 2017-08-26

    Hello..Please Help me with this error " Error: Internal script failure" ...I used phpCAS::forceAuthentication();

     
  • Campbell Morrison

    CAS authentication has now been integrated into standard MRBS and will appear in the next release (whatever comes after MRBS 1.7.1). In the meantime you can download the latest snapshot of code from the default branch.

     
  • Anonymous

    Anonymous - 2018-08-02

    Hi!
    I downloaded the latest snapshot of code and wanted to use CAS authentication. I edited the config.inc.php

    $auth["type"] = "cas";
    $auth["session"] = "cas";
    
    // 'cas' configuration settings
    $auth['cas']['host']    = 'login.xxx.xx';  // Full hostname of your CAS Server
    $auth['cas']['port']    = 443;  // CAS server port (integer). Normally for a https server it's 443
    $auth['cas']['context'] = '/xxp/xx/cas/';
    $auth['cas']['no_server_validation'] = true;
    

    but the CAS login page does not come up. The browser goes directly to the MRBS page.

    My old MRBS with CAS works well.
    When I look at the settings in cas_set.php in the old MRBS I see:

    $auth['cas']['login_link'] = '? login =';
    $auth['cas']['logout_link'] = '? logout =';
    

    The question is whether they are missing in the new one?

    Kind regards
    Jolt

     

    Last edit: Campbell Morrison 2018-08-02
  • Campbell Morrison

    No, $auth['cas']['login_link'] and $auth['cas']['logout_link'] aren't necessary in the new code. Did you download and install the complete snapshot, i.e. all the MRBS files?

    Try turning on CAS debug:

    $auth['cas']['debug'] = true;
    
     

    Last edit: Campbell Morrison 2018-08-02
  • Anonymous

    Anonymous - 2018-08-02

    Thanks for the reply.
    I downloaded the complete snapshot. The debug is true but it does not report any errors, nor any Apache error.

    If I have:
    $auth['cas']['no_server_validation'] = false;
    then debug displays the error message:

    phpCAS error: phpCAS::setCasServerCACert(): CAS_InvalidArgumentException: Certificate file does not exist CAS_Request_CurlRequest in /var/www/html/mrbs-cas/auth/auth_cas.inc on line 25

    Thanks again
    jolt

     
  • Campbell Morrison

    Try adding the following, temporarily, to the bottom of internalconfig.inc.php to see if you get any clues in the browser:

    error_reporting(-1);
    ini_set('display_errors', '1');
    
     
  • Anonymous

    Anonymous - 2018-08-02

    It did not give much information. It complained about the language setting only.

    E_USER_NOTICE in /var/www/html/mrbs-cas/language.inc at line 824
    Server failed to set locale to utf8-

    It seems that the CAS authentication settings have no effect at all.

     
  • Campbell Morrison

    I don't know what can be happening. If your CAS server is accessible over the internet and you are happy to let me access it then if you send me a PM with the details of $auth['cas']['host'] and $auth['cas']['context'] then I can see if I can work out what's going wrong. (I don't need a login - just need to be able to get as far as the login page). If that's a problem then I quite understand.

     