mod_auth_cas Installation and Configuration

Installation – RPM Package

  • Install the EPEL6 repository
    rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

    If you are running RHEL 5, you will have to install a different version of EPEL. Commands to install EPEL 5 as well as further documentation can be found at: https://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F

  • Install mod_auth_cas with yum
    yum install mod_auth_cas

    yum will ask you to confirm the installation; answer yes. You may also see a warning about importing the EPEL GPG key (similar to the one below). Answer yes to that prompt as well.

    warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Importing GPG key 0x0608B895:
     Userid : EPEL (6) <epel@fedoraproject.org>
     Package: epel-release-6-8.noarch (installed)
     From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Is this ok [y/N]:
  • Create or update your mod_auth_cas configuration in Apache. The usual location for this file is /etc/httpd/conf.d/cas.conf, although it may be located elsewhere.
    If you have trouble locating the file, the grep command below will help you find it.

    grep -ir "CASCertificatePath" /etc/httpd

    Once you have located the file, make sure that the following are specified:

    CASCookiePath       /var/cache/mod_auth_cas/
    CASCertificatePath  /etc/pki/tls/certs
    CASLoginURL         https://login.uconn.edu/cas/login
    CASValidateURL      https://login.uconn.edu/cas/serviceValidate
    CASProxyValidateURL https://login.uconn.edu/cas/proxyValidate
  • Apache will now have to be restarted for the changes to take effect.
    service httpd restart

Installation – Red Hat (source)

    1. Install prerequisite packages
      yum install gcc git httpd-devel libcurl-devel openssl-devel pcre-devel autoconf libtool redhat-rpm-config
    2. Set up a workspace in /tmp and retrieve the source. Include the proxy configuration command below if your server is in private address space
      cd /tmp
      # Set proxy if you are in private address space
      export ALL_PROXY=proxy.uconn.edu:80
      git clone https://github.com/Jasig/mod_auth_cas.git
      cd mod_auth_cas
    3. Compile and install
      autoreconf -iv
      ./configure --with-apxs=/usr/bin/apxs
      make
      # If you see an error message like the following:
      # WARNING: 'aclocal-1.12' is missing on your system.
      # then run this command
      # cp -p /usr/bin/aclocal /usr/bin/aclocal-1.12; cp -p /usr/bin/automake /usr/bin/automake-1.12
      # and re-run 'make'. Remember to remove aclocal-1.12 and automake-1.12 when you're done
      make install
    4. Make cache directory
      mkdir /var/cache/mod_auth_cas
      chown apache:apache /var/cache/mod_auth_cas
    5. Install the CAS configuration file, shown here, to /etc/httpd/conf.d/cas.conf
      LoadModule auth_cas_module modules/mod_auth_cas.so
      CASCookiePath /var/cache/mod_auth_cas/
      CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
      CASLoginURL https://login.uconn.edu/cas/login
      CASValidateURL https://login.uconn.edu/cas/serviceValidate
      CASProxyValidateURL https://login.uconn.edu/cas/proxyValidate
    6. Restart Apache
      service httpd restart

Installation – Debian (source)

    1. Install prerequisite packages
      apt-get install apache2-dev libcurl4-openssl-dev dh-autoreconf
    2. Obtain the 1.0.9.1 release (or the most recent release) from GitHub via the link below. Transfer the compressed archive (.zip/.tar.gz) to your server.
      https://github.com/Jasig/mod_auth_cas/releases/tag/v1.0.9.1
    3. Create a working directory, and unpack the zip
    4. Remove the previous installation of mod_auth_cas
      apt-get remove libapache2-mod-auth-cas
    5. Compile and install
      autoreconf -iv
      ./configure --with-apxs=/usr/bin/apxs2
      make
      make install
    6. Create a directory to be used as a cache
      mkdir /var/cache/apache2/mod_auth_cas; chown www-data:www-data /var/cache/apache2/mod_auth_cas/
    7. Create/edit the CAS configuration file (add the configuration below) in /etc/apache2/mods-available/auth_cas.conf
      <IfModule !mod_auth_cas.c>
          LoadModule          auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
      </IfModule>
      CASCookiePath       /var/cache/apache2/mod_auth_cas/
      CASLoginURL         https://login.uconn.edu/cas/login
      CASValidateURL      https://login.uconn.edu/cas/serviceValidate
      CASProxyValidateURL https://login.uconn.edu/cas/proxyValidate
      CASCertificatePath  /etc/ssl/certs
      CASIdleTimeout 14400
      CASTimeout 14400
      
    8. Apache will now have to be restarted for the changes to take effect.
      service apache2 restart
    9. Clean up any source files. You can safely delete the directory with the mod_auth_cas source if you desire
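
Each of the three procedures above ends with a CAS configuration file and a cache directory. The script below is an added example (not part of mod_auth_cas or of the original page) that audits such a file: the three CAS URLs must use https, CASCertificatePath must be readable, and the CASCookiePath directory must grant no access to other users. The function names, the finding labels, the permission policy and the cas.example.edu sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of mod_auth_cas. Function names, finding labels and
# the "no access for other" policy on the cache are this example's assumptions.

# Print the value of directive $2 in config file $1 (last occurrence wins).
cas_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Print one finding per problem; return 0 only when there are none.
audit_cas_conf() {
    conf=$1; rc=0
    for d in CASLoginURL CASValidateURL CASProxyValidateURL; do
        url=$(cas_directive "$conf" "$d")
        case $url in
            https://*) ;;
            '') echo "MISSING $d"; rc=1 ;;
            *)  echo "NOT-HTTPS $d $url"; rc=1 ;;
        esac
    done
    cert=$(cas_directive "$conf" CASCertificatePath)
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "CERTPATH missing or unreadable: $cert"; rc=1
    fi
    cookie=$(cas_directive "$conf" CASCookiePath)
    if [ -z "$cookie" ] || [ ! -d "$cookie" ]; then
        echo "COOKIEPATH missing or not a directory: $cookie"; rc=1
    else
        # Session cache files are stored here, so check the "other" bits.
        other=$(ls -ld "$cookie" | cut -c8-10)
        [ "$other" = "---" ] || { echo "COOKIEPATH other-perms $other"; rc=1; }
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_cas_conf "$1"     # e.g. /etc/httpd/conf.d/cas.conf
else
    # No argument: audit a constructed sample (cas.example.edu is made up).
    demo=$(mktemp -d); mkdir -m 755 "$demo/cache"
    printf 'CASCookiePath %s/cache/\nCASCertificatePath %s\n' "$demo" "$demo" > "$demo/cas.conf"
    echo 'CASLoginURL http://cas.example.edu/cas/login' >> "$demo/cas.conf"
    audit_cas_conf "$demo/cas.conf" || echo "sample config has findings"
    rm -rf "$demo"
fi
```

A cache directory created with mkdir and chown alone, as in the steps above, inherits the umask and is typically flagged; chmod 700 on it clears the finding.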

Configuration

To configure mod_auth_cas to protect your site or a specific directory, add the following inside a <Directory> or <Location> block in your site’s VirtualHost:

AuthType CAS
require user abc12345

If you would like to specify that any user can log into a site, you would add the following:

AuthType CAS
require valid-user

Once your configuration is set up, restart Apache for the changes to take effect. The same directives can also be placed in a .htaccess file, where they take effect without a restart of Apache, provided AllowOverride for that directory permits AuthConfig.