[OOD-users] Implementing authentication via CAS

Dockendorf, Trey tdockendorf at osc.edu
Mon Aug 20 11:47:45 EDT 2018


Your auth lines look good; my previous email forgot the unset of the Authorization header. I don't think AuthName will get used because that typically is what populates the basic auth dialogue box. Every time I've used CAS the request redirects to the CAS login form, so you won't get the basic auth dialogue box.

- Trey

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

From: OOD-users <ood-users-bounces at lists.osc.edu> on behalf of "E.M. Dragowsky" <dragowsky at case.edu>
Reply-To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Date: Monday, August 20, 2018 at 11:45 AM
To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Subject: Re: [OOD-users] Implementing authentication via CAS

Ah...a simple resolution: In ood_portal.yml, the 'servername' field requires specifying a public IP, which I had inadvertently not supplied.

So for our site, authentication using CAS is working, and it seems reasonably straightforward to configure. If anyone can review what I've done, I'm open to receiving critiques:

ood_portal.yml:

servername: [public-ip-name]

auth:
  - 'AuthType CAS'
  - 'AuthName "Private"'
  - 'RequestHeader unset Authorization'
  - 'Require valid-user'

/opt/rh/httpd24/root/etc/httpd/conf.d/cas.conf:

LoadModule auth_cas_module /opt/rh/httpd24/root/etc/httpd/modules/mod_auth_cas.so
CASLoginURL [local-login-url]
CASValidateURL [local-validate-url]
CASCertificatePath /opt/rh/httpd24/root/etc/httpd/cas-cert/ca-certificate.crt
CASDebug On
CASCookiePath /opt/rh/httpd24/root/etc/httpd/run/cookie/

Cheers
~ Em

On Mon, Aug 20, 2018 at 10:27 AM, E.M. Dragowsky <dragowsky at case.edu> wrote:
In reviewing the differences between ood-portal.conf in the successful test case, and the 'standard' configuration, the meaningful differences are few:

< <VirtualHost [host-public-ip]:80>
---
> <VirtualHost *:80>
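Review bot: both sides of this hunk bind the virtual host to port 80, and the change at line 87 switches that configuration to AuthType CAS, so unless TLS is terminated in front of this host the CAS service ticket and the session cookie set by mod_auth_cas travel over plain HTTP. Suggest serving the portal from a :443 virtual host with a certificate and leaving :80 only as a redirect to it.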
87c87
<     AuthType CAS
---
>     AuthType Basic
89c89
<     #AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
---
>     AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
Only setting the VirtualHost through ood_config.yml is unclear -- the other two values are somewhat documented in the code. I tried to set the public IP using the 'servername' keyword, and then also 'virtualhost', and in both cases the result was 'VirtualHost *:80'

Thanks

On Fri, Aug 17, 2018 at 4:45 PM, E.M. Dragowsky <dragowsky at case.edu> wrote:
Greetings --
Is anyone able to provide guidance on editing ood_portal.yml to support CAS authentication?  I tried a few ideas that did not work, based on our implementation test outlined below -- which provided a successful test.
Thanks in advance
=-=-=-=-=
We have implemented CAS through a download and build of mod_auth_cas from this repo:  https://github.com/apereo/mod_auth_cas. The service was configured in the system, and then we made ad-hoc edits to the existing ood configuration in /opt/rh/httpd24/root/etc/httpd/conf.d to verify that the service would recognize OoD.
This was realized through direct edit of the ood-portal.conf, and by creating a cas.conf file in /opt/rh/httpd24/root/etc/httpd/conf.d






--
E.M. Dragowsky, Ph.D.
Research Computing -- UTech
Case Western Reserve University
(216) 368-0082
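
An added example, not part of the original thread or of Open OnDemand: a small Python check over the auth lines and cas.conf posted above, covering the points raised in the replies (AuthType, the Authorization header unset, AuthName) plus the CASDebug setting. The function names and the expected-directive list are assumptions made for this example.

```python
# Sample input copied from the thread; bracketed values are the poster's placeholders.
AUTH_LINES = [
    'AuthType CAS',
    'AuthName "Private"',
    'RequestHeader unset Authorization',
    'Require valid-user',
]
CAS_CONF = """\
LoadModule auth_cas_module /opt/rh/httpd24/root/etc/httpd/modules/mod_auth_cas.so
CASLoginURL [local-login-url]
CASValidateURL [local-validate-url]
CASCertificatePath /opt/rh/httpd24/root/etc/httpd/cas-cert/ca-certificate.crt
CASDebug On
CASCookiePath /opt/rh/httpd24/root/etc/httpd/run/cookie/
"""
# Directives the thread's cas.conf sets; treated here as the expected set (assumption).
EXPECTED_CAS = ("casloginurl", "casvalidateurl", "cascertificatepath", "cascookiepath")

def parse_directives(lines):
    """Map lower-cased directive name -> list of lower-cased argument strings."""
    found = {}
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#"):  # skip blanks and commented-out lines
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(" ".join(args.lower().split()))
    return found

def review_cas_config(auth_lines, cas_conf_text):
    """Return (severity, message) findings; hypothetical helper, not part of OnDemand."""
    auth = parse_directives(auth_lines)
    cas = parse_directives(cas_conf_text.splitlines())
    findings = []
    if auth.get("authtype") != ["cas"]:
        findings.append(("error", "auth list must contain exactly one 'AuthType CAS'"))
    if not auth.get("require"):
        findings.append(("error", "no Require directive, so nothing enforces login"))
    if "unset authorization" not in auth.get("requestheader", []):
        findings.append(("error", "'RequestHeader unset Authorization' is missing"))
    if "authname" in auth:
        findings.append(("info", "AuthName feeds the Basic auth dialog; CAS redirects instead"))
    for name in EXPECTED_CAS:
        if name not in cas:
            findings.append(("error", f"cas.conf does not set {name}"))
    if cas.get("casdebug") == ["on"]:
        findings.append(("warn", "CASDebug On is for troubleshooting; turn it off once login works"))
    return findings

if __name__ == "__main__":
    for severity, message in review_cas_config(AUTH_LINES, CAS_CONF):
        print(f"{severity}: {message}")
```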


