[OOD-users] OOD-users Digest, Vol 9, Issue 1 <Re: CAS authentication (Benjamin Evans)>

Nicklas, Jeremy jnicklas at osc.edu
Thu Nov 2 11:02:41 EDT 2017


Thanks so much Ping for responding to this as we currently do not have as much experience with CAS here. I would like to expand on a few of the points you mentioned, though:

3) I'd recommend creating a new file called:

/opt/rh/httpd24/root/etc/httpd/conf.modules.d/cas.conf

instead of modifying the "00-base.conf", as I am not sure if future updates of httpd24 will overwrite your changes.

4a) I'd also recommend you add those CAS* lines to a separate file called:

/opt/rh/httpd24/root/etc/httpd/conf.d/10-auth_cas.conf

There are two reasons for this:

- there is no guarantee that "ood-portal.conf" will never be overwritten, in fact we intend on writing over it in future Open OnDemand updates
- Apache loads the *.conf files in alphabetical order, so you will need to name your CAS conf file such that it loads before the "ood-portal.conf"

And you may want to set stricter permissions in case there is any private information in there:

sudo chmod 640 /opt/rh/httpd24/root/etc/httpd/conf.d/10-auth_cas.conf

4b) Again, you do not want to directly edit "ood-portal.conf". This file is generated and maintained by the "ood-portal-generator" tool:

https://github.com/OSC/ood-portal-generator/

It reads a YAML configuration file to generate the "ood-portal.conf". This allows us to provide updates to the Apache config without breaking any custom configuration that is required by the center.

You should probably already have a "config.yml" (always back up this file) that you used previously for the ood-portal-generator when installing OOD that allowed you to add SSL support and maybe LDAP authentication. You can most likely find it at:

~/src/ood/ood-portal-generator/config.yml

Again, back up this file as we may be moving this somewhere under /etc/ood/config/ in the near future so that there is a well-defined location for this configuration file instead of being in someone's home directory.

For now let's do:

cd ~/src/ood/ood-portal-generator

Edit the "config.yml", in particular look for the "auth:" option, and modify it so it now looks like:

auth:
  - 'AuthType CAS'
  - 'Require valid-user'

Then you will build the new "ood-portal.conf" and install it in the root location:

scl enable rh-ruby22 -- rake
sudo scl enable rh-ruby22 -- rake install

Then restart Apache:

# For CentOS 6
sudo service httpd24-httpd restart

# For CentOS 7
sudo systemctl restart httpd24-httpd

I would like to possibly play with this in the future so that I can formalize the documentation on getting CAS working with an OOD portal. Feel free to ask if you have any other questions.

Jeremy Nicklas
Web and Interface App Engineer
Ohio Supercomputer Center (OSC) <https://osc.edu/>
A member of the Ohio Technology Consortium <https://oh-tech.org/>
1224 Kinnear Road, Columbus, Ohio 43212
Office: (614) 292-6739 • Mobile: (614) 316-6428 • Fax: (614) 292-7168
jnicklas at osc.edu

Learn more about OSC at https://osc.edu
________________________________
From: OOD-users [ood-users-bounces+jnicklas=osc.edu at lists.osc.edu] on behalf of Ping Luo [luop0812 at gmail.com]
Sent: Thursday, November 02, 2017 9:52 AM
To: ood-users at lists.osc.edu
Subject: Re: [OOD-users] OOD-users Digest, Vol 9, Issue 1 <Re: CAS authentication (Benjamin Evans)>

Benjamin,

Our OOD server is configured with CAS. This is how we do it.

1. download the patched CAS source code from

https://github.com/klausdieterkrannich/mod_auth_cas


2. build auth_cas_module for apache

# regenerate the configure script from the checked-out source, then build
# against the httpd24 software collection's apxs and apr-1-config
autoreconf -ivf
./configure --prefix=/opt/rh/httpd24/root/etc/httpd/modules --with-apxs=/opt/rh/httpd24/root/usr/bin/apxs --with-apr=/opt/rh/httpd24/root/usr/bin/apr-1-config
make install

3. configure /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-base.conf to load the module

LoadModule auth_cas_module modules/mod_auth_cas.so


4. modify /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf

Add these lines to the outside of the virtual host

CASCookiePath      /opt/rh/httpd24/root/etc/httpd/mod_auth_cas/
CASLoginURL        Your_CAS_login_URL
CASValidateURL     Your_CAS_validate_URL
CASCertificatePath /opt/rh/httpd24/root/etc/httpd/certs
<VirtualHost *:443>
...
</VirtualHost>

And modify the two locations as follows:

<Location "/pun">
#   AuthType Basic
#   AuthName "Private"
#   AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
    AuthType CAS
...
</Location>

<Location "/nginx">
#   AuthType Basic
#   AuthName "Private"
#   AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
    AuthType CAS
...
</Location>


Hope you will find the above instructions useful.

Ping
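An added example, not code from this thread nor from the Open OnDemand or mod_auth_cas projects: a POSIX shell audit that builds a throwaway copy of the httpd24 configuration layout used in Jeremy's and Ping's messages and then checks the points both of them raise before Apache is restarted: the auth_cas_module is loaded from conf.modules.d, the CAS* directives live in their own file rather than in the generated ood-portal.conf, that file sorts before ood-portal.conf in C-locale order (the order in which httpd includes conf.d/*.conf), it is not world-readable, no active "AuthType Basic" is left behind, and both the /pun and /nginx locations are protected by "AuthType CAS". The CAS URLs under cas.example.edu and the temporary directory tree are constructed placeholders, not real endpoints.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OOD / mod_auth_cas projects.
# Builds a constructed copy of the httpd24 config layout and audits it the way a
# reviewer would before restarting Apache. URLs and paths inside are placeholders.
set -u

# Create a constructed config tree in a temp dir and print its path.
# $1 = file name for the CAS directives, $2 = mode to give that file.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/conf.modules.d" "$root/conf.d"
  # Module load line in its own file rather than in 00-base.conf.
  printf 'LoadModule auth_cas_module modules/mod_auth_cas.so\n' \
    > "$root/conf.modules.d/cas.conf"
  # Global CAS directives (example server URLs, not real endpoints).
  cat > "$root/conf.d/$1" <<'EOF'
CASCookiePath      /opt/rh/httpd24/root/etc/httpd/mod_auth_cas/
CASLoginURL        https://cas.example.edu/cas/login
CASValidateURL     https://cas.example.edu/cas/serviceValidate
CASCertificatePath /opt/rh/httpd24/root/etc/httpd/certs
EOF
  chmod "$2" "$root/conf.d/$1"
  # Generated portal config with the two protected locations.
  cat > "$root/conf.d/ood-portal.conf" <<'EOF'
<VirtualHost *:443>
  <Location "/pun">
    AuthType CAS
    Require valid-user
  </Location>
  <Location "/nginx">
    AuthType CAS
    Require valid-user
  </Location>
</VirtualHost>
EOF
  printf '%s\n' "$root"
}

# The module must be loaded by some file under conf.modules.d.
check_module_loaded() {
  grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+auth_cas_module' "$1"/conf.modules.d/*.conf
}

# Every file holding CAS directives must be separate from the generated
# ood-portal.conf, must sort before it in C-locale order (the order in which
# httpd reads conf.d/*.conf), and must not be world-readable.
check_cas_files() {
  for f in "$1"/conf.d/*.conf; do
    grep -qs '^[[:space:]]*CAS' "$f" || continue
    name=$(basename "$f")
    if [ "$name" = ood-portal.conf ]; then
      echo "FAIL: CAS directives inside generated ood-portal.conf" >&2; return 1
    fi
    first=$(printf '%s\n%s\n' "$name" ood-portal.conf | LC_ALL=C sort | head -n 1)
    if [ "$first" != "$name" ]; then
      echo "FAIL: $name loads after ood-portal.conf" >&2; return 1
    fi
    # Columns 8-10 of "ls -ld" are the "other" permission bits.
    if [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
      echo "FAIL: $name is world-readable" >&2; return 1
    fi
  done
  return 0
}

# $1 = ood-portal.conf, $2 = location path; true if that block sets AuthType CAS.
check_location() {
  awk -v loc="\"$2\"" '
    $1 == "<Location" && index($2, loc) { inloc = 1 }
    inloc && $1 == "AuthType" && $2 == "CAS" { ok = 1 }
    $1 == "</Location>" { inloc = 0 }
    END { if (ok) exit 0; exit 1 }' "$1"
}

# Run every check against a tree; exit status 0 means it is safe to restart httpd.
audit_tree() {
  check_module_loaded "$1" || { echo "FAIL: auth_cas_module not loaded" >&2; return 1; }
  check_cas_files "$1" || return 1
  if grep -Eqs '^[[:space:]]*AuthType[[:space:]]+Basic' "$1"/conf.d/*.conf; then
    echo "FAIL: an active AuthType Basic remains" >&2; return 1
  fi
  for loc in /pun /nginx; do
    check_location "$1/conf.d/ood-portal.conf" "$loc" \
      || { echo "FAIL: $loc is not protected by AuthType CAS" >&2; return 1; }
  done
  return 0
}

# Stand-alone demo on a well-formed constructed tree.
demo_root=$(make_sample_tree 10-auth_cas.conf 640)
if audit_tree "$demo_root"; then echo "PASS: $demo_root"; fi
rm -rf "$demo_root"
```

To run the same checks against a real httpd24 install, call audit_tree with /opt/rh/httpd24/root/etc/httpd instead of a constructed tree; the name and permission checks are what catch a CAS file that was named so it sorts after ood-portal.conf or was left at the default 644 mode.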

On Wed, Nov 1, 2017 at 11:03 AM, <ood-users-request at lists.osc.edu> wrote:

Message: 1
Date: Tue, 31 Oct 2017 14:38:41 -0400
From: Benjamin Evans <b.evans at yale.edu>
To: ood-users at lists.osc.edu
Subject: [OOD-users] CAS authentication
Message-ID:
        <CAOVMLG5ztTWURaZB8i9Hh2QLXVoCi-F1x1CbuokgFox06ZQ=Rg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello list,

I've gotten a test ood server running for one of our clusters and so far my
colleagues and I are quite happy. Out of laziness and an allergy to
duplication of work I wanted to ping this list to see if anyone had gotten
CAS authentication working. If not, is there a good place to look in the
source to get started doing so? I'd love for whatever work we do to not go
to waste!

Cheers,
Ben

