CAS

After going over CAS and LDAP, I thought I would do an example where both are used together. I have some software like this, it allows users to log in and then LDAP can go and get their full name. The example is mostly the CAS example with some LDAP added on. All I did was add on the LDAP code into the section where a user is logged into CAS. I use CAS to get the username of the user and feed it into LDAP. Below is the new index of the CAS example, nothing else is changed:

<?PHP
//Dan Berkowitz LDAP tutorial, May 2013, Buildingtents.com

include_once(“./CAS-1.3.2/CAS.php”);
phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
// SSL!
phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

if (phpCAS::isAuthenticated())
{

$LDAPCON = ldap_connect(“ldap.rpi.edu”); //Have to be internal to VCC or VCC firewall will block
$LDAPBIND = ldap_bind($LDAPCON);
$ResultArray = Array();
$filterArray = array(“givenname”, “sn”);
$LDAPSEARCH = ldap_search($LDAPCON, “dc=rpi, dc=edu”, “(uid=” . phpCAS::getUser() . “)”, $filterArray, 0 , 10);
$LDAPRESULTS = ldap_get_entries($LDAPCON, $LDAPSEARCH);
//print_r($LDAPRESULTS);
for ($i = 0; $i < $LDAPRESULTS[“count”]; $i++)
{
$tempRow = Array();
array_push($tempRow, $LDAPRESULTS[$i][“givenname”][0]);
array_push($tempRow, $LDAPRESULTS[$i][“sn”][0]);
array_push($ResultArray, $tempRow);
}
ldap_close($LDAPCON);

echo “User:” . phpCAS::getUser();
if (sizeof($ResultArray) == 1)
{
echo ” ” . $ResultArray[0][0] . ” ” . $ResultArray[0][1];
}
echo “<a href=’./logout.php’>Logout</a>”;
}else{
echo “<a href=’./login.php’>Login</a>”;
}

Download: https://github.com/daberkow/daberkow.github.io/blob/master/CASExample.zip

After much tinkering with RPI’s CAS (Central Authentication System) in PHP, I thought I would put together a guide to make it easy for anyone to put together a site that uses it. This would work for anyone at another location with a CAS server, but this example is for RPI.

Get the CAS Library
- https://wiki.jasig.org/display/CASC/phpCAS
Download the tar file under “Current Version”
Extract the contents, using a program such as 7-Zip, and put it in the root of whatever web folder you want
Download the latest CA bundle for SSL
- http://curl.haxx.se/docs/caextract.html
- Download “cacert.pem”, and put it in root of web project
Create a index.php, login.php, logout.php
The index has to load the library, check if the user is logged in, then print out text.
- <?PHP
  
  include_once(“./CAS-1.3.2/CAS.php”);
  phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
  // SSL!
  phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file
  
  if (phpCAS::isAuthenticated())
  {
  echo “User:” . phpCAS::getUser();
  echo “<a href=’./logout.php’>Logout</a>”;
  }else{
  echo “<a href=’./login.php’>Login</a>”;
  }
  
  ?>
- First we load the library for CAS from the subfolder
- Then we select which will be our central server
- We have to select our ca bundle, setCasServerCert does this
- Now we have fully loaded and configured the library
- Finally, I can ask CAS if a user has logged in, if so writeout some options, if not others
This is the login page
- <?PHP
  
  include_once(“./CAS-1.3.2/CAS.php”);
  phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
  // SSL!
  phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file
  
  if (!phpCAS::isAuthenticated())
  {
  phpCAS::forceAuthentication();
  }else{
  header(‘location: ./index.php’);
  }
  
  ?>
- Similar setup of authentication as before
- Now we check if the user is NOT authenticated, if the user is not authenticated we force login
- If the user already is logged in, then we redirect to the index
The logout page:
- <?PHP
  
  include_once(“./CAS-1.3.2/CAS.php”);
  phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
  // SSL!
  phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file
  
  if (phpCAS::isAuthenticated())
  {
  phpCAS::logout();
  }else{
  header(‘location: ./index.php’);
  }
  
  ?>
- Same configuration (this can be done by including a core file that everything else calls, but for this example I wanted to keep it simple)
- If they are not logged in, then we push the user back to login

That is the basic configuration, the example is available for download below. If there are any questions feel free to post a comment.

Download: https://github.com/daberkow/daberkow.github.io/blob/master/CASExample.zip

Extra Notes:

If you want to save server space, the docs folder under the CAS folder can be removed
I have ran into problems with CAS on a Windows Apache server, and CAS on a Linux Apache server reference the CACert.pem file differently
- One example of CAS on Windows is the timetracker software
- One example of CAS on Linux is QuickLogs

BuildingTents

Giving the campers something to read while they guard the flag

Combining CAS and LDAP

RPI phpCAS Authentication Tutorial