godfat-rubycas-server 0.8.0.20090918
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG.txt +1 -0
- data/History.txt +273 -0
- data/LICENSE.txt +504 -0
- data/Manifest.txt +83 -0
- data/PostInstall.txt +3 -0
- data/README.rdoc +26 -0
- data/Rakefile +115 -0
- data/bin/rubycas-server +13 -0
- data/bin/rubycas-server-ctl +9 -0
- data/config.example.yml +555 -0
- data/config.ru +38 -0
- data/config/hoe.rb +78 -0
- data/config/requirements.rb +15 -0
- data/custom_views.example.rb +11 -0
- data/lib/casserver.rb +58 -0
- data/lib/casserver/authenticators/active_directory_ldap.rb +11 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/aes256.rb +43 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/bcrypt.rb +92 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/md5.rb +34 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha1.rb +35 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha512.rb +50 -0
- data/lib/casserver/authenticators/base.rb +48 -0
- data/lib/casserver/authenticators/client_certificate.rb +46 -0
- data/lib/casserver/authenticators/google.rb +54 -0
- data/lib/casserver/authenticators/ldap.rb +147 -0
- data/lib/casserver/authenticators/ntlm.rb +88 -0
- data/lib/casserver/authenticators/open_id.rb +22 -0
- data/lib/casserver/authenticators/sql.rb +119 -0
- data/lib/casserver/authenticators/sql_authlogic.rb +92 -0
- data/lib/casserver/authenticators/sql_encrypted.rb +92 -0
- data/lib/casserver/authenticators/sql_md5.rb +19 -0
- data/lib/casserver/authenticators/sql_rest_auth.rb +71 -0
- data/lib/casserver/authenticators/test.rb +19 -0
- data/lib/casserver/cas.rb +322 -0
- data/lib/casserver/conf.rb +75 -0
- data/lib/casserver/controllers.rb +463 -0
- data/lib/casserver/load_picnic.rb +19 -0
- data/lib/casserver/localization.rb +82 -0
- data/lib/casserver/models.rb +265 -0
- data/lib/casserver/postambles.rb +174 -0
- data/lib/casserver/utils.rb +30 -0
- data/lib/casserver/version.rb +9 -0
- data/lib/casserver/views.rb +249 -0
- data/lib/rubycas-server.rb +1 -0
- data/lib/rubycas-server/version.rb +1 -0
- data/po/de_DE/rubycas-server.po +119 -0
- data/po/es_ES/rubycas-server.po +115 -0
- data/po/fr_FR/rubycas-server.po +116 -0
- data/po/ja_JP/rubycas-server.po +118 -0
- data/po/pl_PL/rubycas-server.po +115 -0
- data/po/pt_BR/rubycas-server.po +115 -0
- data/po/ru_RU/rubycas-server.po +110 -0
- data/po/rubycas-server.pot +104 -0
- data/public/themes/cas.css +121 -0
- data/public/themes/notice.png +0 -0
- data/public/themes/ok.png +0 -0
- data/public/themes/simple/bg.png +0 -0
- data/public/themes/simple/login_box_bg.png +0 -0
- data/public/themes/simple/logo.png +0 -0
- data/public/themes/simple/theme.css +28 -0
- data/public/themes/urbacon/bg.png +0 -0
- data/public/themes/urbacon/login_box_bg.png +0 -0
- data/public/themes/urbacon/logo.png +0 -0
- data/public/themes/urbacon/theme.css +33 -0
- data/public/themes/warning.png +0 -0
- data/resources/init.d.sh +58 -0
- data/script/console +10 -0
- data/script/destroy +14 -0
- data/script/generate +14 -0
- data/script/txt2html +82 -0
- data/setup.rb +1585 -0
- data/tasks/deployment.rake +34 -0
- data/tasks/environment.rake +7 -0
- data/tasks/localization.rake +11 -0
- data/tasks/website.rake +17 -0
- data/vendor/isaac_0.9.1/LICENSE +26 -0
- data/vendor/isaac_0.9.1/README +78 -0
- data/vendor/isaac_0.9.1/TODO +3 -0
- data/vendor/isaac_0.9.1/VERSIONS +3 -0
- data/vendor/isaac_0.9.1/crypt/ISAAC.rb +171 -0
- data/vendor/isaac_0.9.1/isaac.gemspec +39 -0
- data/vendor/isaac_0.9.1/setup.rb +596 -0
- data/vendor/isaac_0.9.1/test/TC_ISAAC.rb +76 -0
- metadata +200 -0
data/Manifest.txt
ADDED
@@ -0,0 +1,83 @@
|
|
1
|
+
CHANGELOG.txt
|
2
|
+
History.txt
|
3
|
+
LICENSE.txt
|
4
|
+
Manifest.txt
|
5
|
+
PostInstall.txt
|
6
|
+
README.rdoc
|
7
|
+
Rakefile
|
8
|
+
bin/rubycas-server
|
9
|
+
bin/rubycas-server-ctl
|
10
|
+
config.example.yml
|
11
|
+
config.ru
|
12
|
+
config/hoe.rb
|
13
|
+
config/requirements.rb
|
14
|
+
custom_views.example.rb
|
15
|
+
lib/casserver.rb
|
16
|
+
lib/casserver/authenticators/active_directory_ldap.rb
|
17
|
+
lib/casserver/authenticators/base.rb
|
18
|
+
lib/casserver/authenticators/client_certificate.rb
|
19
|
+
lib/casserver/authenticators/google.rb
|
20
|
+
lib/casserver/authenticators/ldap.rb
|
21
|
+
lib/casserver/authenticators/ntlm.rb
|
22
|
+
lib/casserver/authenticators/open_id.rb
|
23
|
+
lib/casserver/authenticators/sql.rb
|
24
|
+
lib/casserver/authenticators/sql_encrypted.rb
|
25
|
+
lib/casserver/authenticators/sql_md5.rb
|
26
|
+
lib/casserver/authenticators/sql_rest_auth.rb
|
27
|
+
lib/casserver/authenticators/test.rb
|
28
|
+
lib/casserver/cas.rb
|
29
|
+
lib/casserver/conf.rb
|
30
|
+
lib/casserver/controllers.rb
|
31
|
+
lib/casserver/erb.rb
|
32
|
+
lib/casserver/load_picnic.rb
|
33
|
+
lib/casserver/localization.rb
|
34
|
+
lib/casserver/models.rb
|
35
|
+
lib/casserver/postambles.rb
|
36
|
+
lib/casserver/template/erb/layout.html.erb
|
37
|
+
lib/casserver/template/erb/login.html.erb
|
38
|
+
lib/casserver/template/erb/login_form.html.erb
|
39
|
+
lib/casserver/template/erb/logout.html.erb
|
40
|
+
lib/casserver/utils.rb
|
41
|
+
lib/casserver/version.rb
|
42
|
+
lib/casserver/views.rb
|
43
|
+
lib/rubycas-server.rb
|
44
|
+
lib/rubycas-server/version.rb
|
45
|
+
po/de_DE/rubycas-server.po
|
46
|
+
po/es_ES/rubycas-server.po
|
47
|
+
po/fr_FR/rubycas-server.po
|
48
|
+
po/ja_JP/rubycas-server.po
|
49
|
+
po/pl_PL/rubycas-server.po
|
50
|
+
po/pt_BR/rubycas-server.po
|
51
|
+
po/ru_RU/rubycas-server.po
|
52
|
+
po/rubycas-server.pot
|
53
|
+
public/themes/cas.css
|
54
|
+
public/themes/notice.png
|
55
|
+
public/themes/ok.png
|
56
|
+
public/themes/simple/bg.png
|
57
|
+
public/themes/simple/favicon.png
|
58
|
+
public/themes/simple/login_box_bg.png
|
59
|
+
public/themes/simple/logo.png
|
60
|
+
public/themes/simple/theme.css
|
61
|
+
public/themes/urbacon/bg.png
|
62
|
+
public/themes/urbacon/login_box_bg.png
|
63
|
+
public/themes/urbacon/logo.png
|
64
|
+
public/themes/urbacon/theme.css
|
65
|
+
public/themes/warning.png
|
66
|
+
resources/init.d.sh
|
67
|
+
script/console
|
68
|
+
script/destroy
|
69
|
+
script/generate
|
70
|
+
script/txt2html
|
71
|
+
setup.rb
|
72
|
+
tasks/deployment.rake
|
73
|
+
tasks/environment.rake
|
74
|
+
tasks/localization.rake
|
75
|
+
tasks/website.rake
|
76
|
+
vendor/isaac_0.9.1/LICENSE
|
77
|
+
vendor/isaac_0.9.1/README
|
78
|
+
vendor/isaac_0.9.1/TODO
|
79
|
+
vendor/isaac_0.9.1/VERSIONS
|
80
|
+
vendor/isaac_0.9.1/crypt/ISAAC.rb
|
81
|
+
vendor/isaac_0.9.1/isaac.gemspec
|
82
|
+
vendor/isaac_0.9.1/setup.rb
|
83
|
+
vendor/isaac_0.9.1/test/TC_ISAAC.rb
|
data/PostInstall.txt
ADDED
data/README.rdoc
ADDED
@@ -0,0 +1,26 @@
|
|
1
|
+
= RubyCAS-Server
|
2
|
+
|
3
|
+
*Copyright*:: Portions contributed by Matt Zukowski are copyright (c) 2008 Urbacon Ltd.
|
4
|
+
Other portions are copyright of their respective authors.
|
5
|
+
*Authors*:: See http://github.com/gunark/rubycas-server/commits/
|
6
|
+
*Homepage*:: http://rubycas-server.googlecode.com
|
7
|
+
|
8
|
+
For info and installation instructions please see http://code.google.com/p/rubycas-server
|
9
|
+
|
10
|
+
|
11
|
+
== License
|
12
|
+
|
13
|
+
RubyCAS-Server is free software; you can redistribute it and/or modify
|
14
|
+
it under the terms of the GNU Lesser General Public License as published
|
15
|
+
by the Free Software Foundation; either version 2 of the License, or
|
16
|
+
(at your option) any later version.
|
17
|
+
|
18
|
+
RubyCAS-Server is distributed in the hope that it will be useful,
|
19
|
+
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
20
|
+
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
21
|
+
GNU General Public License for more details.
|
22
|
+
|
23
|
+
You should have received a copy of the GNU Lesser General Public License
|
24
|
+
along with RubyCAS-Server; if not, write to the Free Software
|
25
|
+
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
26
|
+
|
data/Rakefile
ADDED
@@ -0,0 +1,115 @@
|
|
1
|
+
require 'config/requirements'
|
2
|
+
require 'config/hoe' # setup Hoe + all gem configuration
|
3
|
+
|
4
|
+
Dir['tasks/**/*.rake'].each { |rake| load rake }
|
5
|
+
|
6
|
+
desc "generate a self signed SSL certificate (in order to get going easily)"
|
7
|
+
task :generate_ssl_certificate do
|
8
|
+
`mkdir -p ssl/newcerts ssl/private`
|
9
|
+
File.open("ssl/openssl.cnf", "w") do |f|
|
10
|
+
f.write <<-EOF
|
11
|
+
#
|
12
|
+
# OpenSSL configuration file.
|
13
|
+
#
|
14
|
+
|
15
|
+
# Establish working directory.
|
16
|
+
|
17
|
+
dir = .
|
18
|
+
|
19
|
+
[ ca ]
|
20
|
+
default_ca = CA_default
|
21
|
+
|
22
|
+
[ CA_default ]
|
23
|
+
serial = $dir/serial
|
24
|
+
database = $dir/index.txt
|
25
|
+
new_certs_dir = $dir/newcerts
|
26
|
+
certificate = $dir/cacert.pem
|
27
|
+
private_key = $dir/private/cakey.pem
|
28
|
+
default_days = 365
|
29
|
+
default_md = md5
|
30
|
+
preserve = no
|
31
|
+
email_in_dn = no
|
32
|
+
nameopt = default_ca
|
33
|
+
certopt = default_ca
|
34
|
+
policy = policy_match
|
35
|
+
|
36
|
+
[ policy_match ]
|
37
|
+
countryName = match
|
38
|
+
stateOrProvinceName = match
|
39
|
+
organizationName = match
|
40
|
+
organizationalUnitName = optional
|
41
|
+
commonName = supplied
|
42
|
+
emailAddress = optional
|
43
|
+
|
44
|
+
[ req ]
|
45
|
+
default_bits = 1024 # Size of keys
|
46
|
+
default_keyfile = key.pem # name of generated keys
|
47
|
+
default_md = md5 # message digest algorithm
|
48
|
+
string_mask = nombstr # permitted characters
|
49
|
+
distinguished_name = req_distinguished_name
|
50
|
+
req_extensions = v3_req
|
51
|
+
|
52
|
+
[ req_distinguished_name ]
|
53
|
+
# Variable name Prompt string
|
54
|
+
#---------------------- ----------------------------------
|
55
|
+
0.organizationName = Organization Name (company)
|
56
|
+
organizationalUnitName = Organizational Unit Name (department, division)
|
57
|
+
emailAddress = Email Address
|
58
|
+
emailAddress_max = 40
|
59
|
+
localityName = Locality Name (city, district)
|
60
|
+
stateOrProvinceName = State or Province Name (full name)
|
61
|
+
countryName = Country Name (2 letter code)
|
62
|
+
countryName_min = 2
|
63
|
+
countryName_max = 2
|
64
|
+
commonName = Common Name (hostname, IP, or your name)
|
65
|
+
commonName_max = 64
|
66
|
+
|
67
|
+
# Default values for the above, for consistency and less typing.
|
68
|
+
# Variable name Value
|
69
|
+
#------------------------------ ------------------------------
|
70
|
+
0.organizationName_default = The Sample Company
|
71
|
+
localityName_default = Metropolis
|
72
|
+
stateOrProvinceName_default = New York
|
73
|
+
countryName_default = US
|
74
|
+
commonName_default = localhost
|
75
|
+
|
76
|
+
[ v3_ca ]
|
77
|
+
basicConstraints = CA:TRUE
|
78
|
+
subjectKeyIdentifier = hash
|
79
|
+
authorityKeyIdentifier = keyid:always,issuer:always
|
80
|
+
|
81
|
+
[ v3_req ]
|
82
|
+
basicConstraints = CA:FALSE
|
83
|
+
subjectKeyIdentifier = hash
|
84
|
+
EOF
|
85
|
+
end
|
86
|
+
|
87
|
+
`cd ssl && echo '01' > serial`
|
88
|
+
`cd ssl && touch index.txt`
|
89
|
+
|
90
|
+
puts
|
91
|
+
puts "When asked for a passphrase enter one, for example rubycas"
|
92
|
+
puts
|
93
|
+
|
94
|
+
`cd ssl && openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf`
|
95
|
+
`cd ssl && openssl req -new -nodes -out req.pem -config ./openssl.cnf`
|
96
|
+
`cd ssl && openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem`
|
97
|
+
|
98
|
+
|
99
|
+
|
100
|
+
|
101
|
+
puts
|
102
|
+
puts "If you are using Firefox and want to access the CAS server through localhost you need to add an exception:"
|
103
|
+
puts " 1. Go to Preferences > Advanced > Encryption > View Certificates"
|
104
|
+
puts " 2. Click the Tab Servers"
|
105
|
+
puts " 3. Click the Button Add Exception"
|
106
|
+
puts " 4. Enter https://localhost:<port> into the textfield and press Get Certificate"
|
107
|
+
puts " 5. Then press View"
|
108
|
+
puts " 6. Then press Confirm Security Exception"
|
109
|
+
|
110
|
+
end
|
111
|
+
|
112
|
+
desc "clear all generated files for SSL certificate"
|
113
|
+
task :clear_ssl_certificate do
|
114
|
+
`rm -rf ssl`
|
115
|
+
end
|
data/bin/rubycas-server
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require File.expand_path(File.dirname(__FILE__)+"/../lib/casserver/load_picnic")
|
4
|
+
|
5
|
+
require 'picnic/cli'
|
6
|
+
|
7
|
+
cli = Picnic::Cli.new(
|
8
|
+
'rubycas-server',
|
9
|
+
:app_module => 'CASServer',
|
10
|
+
:app_file => File.expand_path(File.dirname(__FILE__)+"/../lib/casserver.rb")
|
11
|
+
)
|
12
|
+
|
13
|
+
cli.handle_cli_input
|
data/config.example.yml
ADDED
@@ -0,0 +1,555 @@
|
|
1
|
+
# IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
|
2
|
+
# ---> Be sure to use spaces instead of tabs for indentation. YAML is
|
3
|
+
# white-space sensitive!
|
4
|
+
|
5
|
+
##### SERVER SETUP ################################################################
|
6
|
+
|
7
|
+
# There are several ways to run RubyCAS-Server:
|
8
|
+
#
|
9
|
+
# webrick -- stand-alone WEBrick server; should work out-of-the-box; this is
|
10
|
+
# the default method, but probably not suited for high-traffic usage
|
11
|
+
# mongrel -- stand-alone Mongrel server; fast, but you'll need to install
|
12
|
+
# and compile Mongrel and run it behind an https reverse proxy like
|
13
|
+
# Pound or Apache 2.2's mod_proxy (since Mongrel cannot serve out
|
14
|
+
# over SSL on its own).
|
15
|
+
# passenger -- served out by Apache via the mod_rails/mod_rack module
|
16
|
+
# (see http://www.modrails.com/)
|
17
|
+
#
|
18
|
+
# The following are exampe configurations for each of these three methods:
|
19
|
+
#
|
20
|
+
|
21
|
+
|
22
|
+
###
|
23
|
+
### WEBrick example
|
24
|
+
###
|
25
|
+
# WEBrick is a simple, all-Ruby web server. This is the easiest method for running
|
26
|
+
# RubyCAS-Server. All you need is an SSL certificate (enter its path under the
|
27
|
+
# ssl_cert option). WEBrick is fine for sites with low to medium traffic, but for
|
28
|
+
# high-performance scenarios you may want to look into deploying using Mongrel
|
29
|
+
# or Passenger.
|
30
|
+
|
31
|
+
server: webrick
|
32
|
+
port: 443
|
33
|
+
ssl_cert: /path/to/your/ssl.pem
|
34
|
+
|
35
|
+
# If your private key is in a separate file from the cert
|
36
|
+
|
37
|
+
#ssl_key: /path/to/your/private_key.pem
|
38
|
+
|
39
|
+
# If you do not already have an SSL certificate and would like to automatically
|
40
|
+
# generate one, run the "generate_ssl_certificate" rake task and use the following
|
41
|
+
# settings:
|
42
|
+
|
43
|
+
# ssl_cert: ssl/cert.pem
|
44
|
+
# ssl_key: ssl/key.pem
|
45
|
+
|
46
|
+
|
47
|
+
# By default the login page will be available at the root path
|
48
|
+
# (e.g. https://login.example.net/). The uri_path option lets you serve it from a
|
49
|
+
# different path (e.g. https://login.example.net/cas).
|
50
|
+
|
51
|
+
#uri_path: /cas
|
52
|
+
|
53
|
+
|
54
|
+
# This lets you bind the server to a specific address. Use 0.0.0.0 to listen on
|
55
|
+
# all available interfaces (this is the default).
|
56
|
+
|
57
|
+
#bind_address: 0.0.0.0
|
58
|
+
|
59
|
+
|
60
|
+
###
|
61
|
+
### Mongrel example
|
62
|
+
###
|
63
|
+
# Mongrel is much faster than WEBrick, but there are two caveats:
|
64
|
+
# 1. Since Mongrel can't serve out encrypted HTTP on its own (and CAS requires this),
|
65
|
+
# you will have to set up a reverse proxy like Pound or Apache's mod_proxy and
|
66
|
+
# route through it requests to the Mongrel server. So for example,
|
67
|
+
# your Pound server will receive all of the requests to RubyCAS-Server on port 443,
|
68
|
+
# and forward them to the Mongrel server listening on port 11011.
|
69
|
+
# 2. Some of Mongrel's components are compiled into native binaries, so if you are
|
70
|
+
# installing on Linux, make sure you have all of the standard build tools
|
71
|
+
# available. The binaries should be automatically compiled for you when you
|
72
|
+
# install the mogrel gem (if you're runnings Windows, pre-compiled
|
73
|
+
# binaries will be downloaded and installed, so don't worry about this).
|
74
|
+
|
75
|
+
#server: mongrel
|
76
|
+
#port: 11011
|
77
|
+
|
78
|
+
|
79
|
+
# Bind the server to a specific address. Use 0.0.0.0 to listen on all
|
80
|
+
# available interfaces (this is the default).
|
81
|
+
|
82
|
+
#bind_address: 0.0.0.0
|
83
|
+
|
84
|
+
### Reverse proxy configuration examples
|
85
|
+
# If you're using mod_proxy, your Apache vhost config should look something like this:
|
86
|
+
#
|
87
|
+
# Listen 443
|
88
|
+
# <VirtualHost *:443>
|
89
|
+
# ServerAdmin admin@example.net
|
90
|
+
# ServerName login.example.net
|
91
|
+
#
|
92
|
+
# SSLEngine On
|
93
|
+
# SSLCertificateFile /etc/apache2/ssl.crt/example.pem
|
94
|
+
#
|
95
|
+
# # Don't do forward proxying, we only want reverse proxying
|
96
|
+
# ProxyRequests Off
|
97
|
+
#
|
98
|
+
# <Proxy balancer://rubycas>
|
99
|
+
# Order allow,deny
|
100
|
+
# Allow from all
|
101
|
+
# BalancerMember http://127.0.0.1:11011
|
102
|
+
# </Proxy>
|
103
|
+
# </VirtualHost>
|
104
|
+
#
|
105
|
+
# For Pound, the config should be something like:
|
106
|
+
#
|
107
|
+
# ListenHTTPS
|
108
|
+
# Address 0.0.0.0
|
109
|
+
# Port 11011
|
110
|
+
# Cert "/etc/ssl/example.pem"
|
111
|
+
#
|
112
|
+
# Service
|
113
|
+
# BackEnd
|
114
|
+
# Address localhost
|
115
|
+
# Port 443
|
116
|
+
# End
|
117
|
+
# End
|
118
|
+
# End
|
119
|
+
|
120
|
+
|
121
|
+
###
|
122
|
+
### Phusion Passenger (running under Apache configured for SSL)
|
123
|
+
###
|
124
|
+
|
125
|
+
# No additional configuration is requried to run RubyCAS-Server under
|
126
|
+
# passsenger. Just follow the normal instructions for a Passenger app
|
127
|
+
# (see http://www.modrails.com/).
|
128
|
+
#
|
129
|
+
# Here's an example Apache vhost config for RubyCAS-Server and Passenger:
|
130
|
+
#
|
131
|
+
# Listen 443
|
132
|
+
# <VirtualHost *:442>
|
133
|
+
# ServerAdmin admin@example.net
|
134
|
+
# ServerName login.example.net
|
135
|
+
#
|
136
|
+
# SSLEngine On
|
137
|
+
# SSLCertificateFile /etc/apache2/ssl.crt/example.pem
|
138
|
+
#
|
139
|
+
# RailsAutoDetect off
|
140
|
+
#
|
141
|
+
# DocumentRoot /usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public
|
142
|
+
#
|
143
|
+
# <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public">
|
144
|
+
# AllowOverride all
|
145
|
+
# Allow from all
|
146
|
+
# </Directory>
|
147
|
+
# </VirtualHost>
|
148
|
+
#
|
149
|
+
|
150
|
+
|
151
|
+
##### DATABASE #################################################################
|
152
|
+
|
153
|
+
# Set up the database connection. Make sure that this database is secure!
|
154
|
+
#
|
155
|
+
# By default, we use MySQL, since it is widely used and does not require any
|
156
|
+
# additional
|
157
|
+
# ruby libraries besides ActiveRecord.
|
158
|
+
#
|
159
|
+
# With MySQL, your config would be something like the following:
|
160
|
+
# (be sure to create the casserver database in MySQL beforehand,
|
161
|
+
# i.e. `mysqladmin -u root create casserver`)
|
162
|
+
|
163
|
+
database:
|
164
|
+
adapter: mysql
|
165
|
+
database: casserver
|
166
|
+
username: root
|
167
|
+
password:
|
168
|
+
host: localhost
|
169
|
+
|
170
|
+
|
171
|
+
#
|
172
|
+
# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else
|
173
|
+
# supported by ActiveRecord.
|
174
|
+
#
|
175
|
+
# With SQLite3 (which does not require a separate database server), your
|
176
|
+
# configuration would look something like the following (don't forget to install
|
177
|
+
# the sqlite3-ruby gem beforehand!):
|
178
|
+
|
179
|
+
#database:
|
180
|
+
# adapter: sqlite3
|
181
|
+
# dbfile: /var/lib/casserver.db
|
182
|
+
|
183
|
+
|
184
|
+
##### AUTHENTICATION ###########################################################
|
185
|
+
|
186
|
+
# Configure how username/passwords are validated.
|
187
|
+
#
|
188
|
+
# !!! YOU MUST CONFIGURE AT LEAST ONE OF THESE AUTHENTICATION METHODS !!!
|
189
|
+
#
|
190
|
+
# There are several built-in methods for authentication:
|
191
|
+
# SQL, ActiveDirectory, LDAP, and GoogleAccounts. If none of these work for you,
|
192
|
+
# it is relatively easy to write your own custom Authenticator class (see below).
|
193
|
+
#
|
194
|
+
# === SQL Authentication =======================================================
|
195
|
+
#
|
196
|
+
# The simplest method is to validate against a SQL database. This assumes
|
197
|
+
# that all of your users are stored in a table that has a 'username' column
|
198
|
+
# and a 'password' column. When the user logs in, CAS connects to this database
|
199
|
+
# and looks for a matching username/password in the users table. If a matching
|
200
|
+
# username and password is found, authentication is successful.
|
201
|
+
#
|
202
|
+
# If you prefer to have your passwords stored in an encrypted form, have a
|
203
|
+
# look at the SQLEncrypted authenticator:
|
204
|
+
# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
|
205
|
+
#
|
206
|
+
# If your users table stores passwords with MD5 hashing (for example as with
|
207
|
+
# Drupal) try using the SQLMd5 version of the SQL authenticator.
|
208
|
+
#
|
209
|
+
# Example:
|
210
|
+
#
|
211
|
+
#authenticator:
|
212
|
+
# class: CASServer::Authenticators::SQL
|
213
|
+
# database:
|
214
|
+
# adapter: mysql
|
215
|
+
# database: some_database_with_users_table
|
216
|
+
# username: root
|
217
|
+
# password:
|
218
|
+
# host: localhost
|
219
|
+
# user_table: users
|
220
|
+
# username_column: username
|
221
|
+
# password_column: password
|
222
|
+
#
|
223
|
+
# When replying to a CAS client's validation request, the server will normally
|
224
|
+
# provide the client with the authenticated user's username. However it is
|
225
|
+
# possible for the server to provide the client with additional attributes.
|
226
|
+
# You can configure the SQL authenticator to provide data from additional
|
227
|
+
# columns in the users table by listing the names of the columns under the
|
228
|
+
# 'extra_attributes' option. Note though that this functionality is experimental.
|
229
|
+
# It should work with RubyCAS-Client, but may or may not work with other CAS
|
230
|
+
# clients.
|
231
|
+
#
|
232
|
+
# For example, with this configuration, the 'full_name' and 'access_level'
|
233
|
+
# columns will be provided to your CAS clients along with the username:
|
234
|
+
#
|
235
|
+
#authenticator:
|
236
|
+
# class: CASServer::Authenticators::SQL
|
237
|
+
# database:
|
238
|
+
# adapter: mysql
|
239
|
+
# database: some_database_with_users_table
|
240
|
+
# user_table: users
|
241
|
+
# username_column: username
|
242
|
+
# password_column: password
|
243
|
+
# extra_attributes: full_name, access_level
|
244
|
+
#
|
245
|
+
#
|
246
|
+
# === Google Authentication ====================================================
|
247
|
+
#
|
248
|
+
# The Google authenticator allows users to log in to your CAS server using
|
249
|
+
# their Google account credentials (i.e. the same email and password they
|
250
|
+
# would use to log in to Google services like Gmail). This authenticator
|
251
|
+
# requires no special configuration -- just specify its class name:
|
252
|
+
#
|
253
|
+
#authenticator:
|
254
|
+
# class: CASServer::Authenticators::Google
|
255
|
+
#
|
256
|
+
# Note that as with all authenticators, it is possible to use the Google
|
257
|
+
# authenticator alongside other authenticators. For example, CAS can first
|
258
|
+
# attempt to validate the account with Google, and if that fails, fall back
|
259
|
+
# to some other local authentication mechanism.
|
260
|
+
#
|
261
|
+
# For example:
|
262
|
+
#
|
263
|
+
#authenticator:
|
264
|
+
# - class: CASServer::Authenticators::Google
|
265
|
+
# - class: CASServer::Authenticators::SQL
|
266
|
+
# database:
|
267
|
+
# adapter: mysql
|
268
|
+
# database: some_database_with_users_table
|
269
|
+
# user: root
|
270
|
+
# password:
|
271
|
+
# host: localhost
|
272
|
+
# user_table: user
|
273
|
+
# username_column: username
|
274
|
+
# password_column: password
|
275
|
+
#
|
276
|
+
#
|
277
|
+
# === ActiveDirectory Authentication ===========================================
|
278
|
+
#
|
279
|
+
# This method authenticates against Microsoft's Active Directory using LDAP.
|
280
|
+
# You must configure the ActiveDirectory server, and base DN. The port number
|
281
|
+
# and LDAP filter are optional. You must also enter a CN and password
|
282
|
+
# for a special "authenticator" user. This account is used to log in to
|
283
|
+
# the ActiveDirectory server and search LDAP. This does not have to be an
|
284
|
+
# administrative account -- it only has to be able to search for other
|
285
|
+
# users.
|
286
|
+
#
|
287
|
+
# Note that the auth_user parameter must be the user's CN (Common Name).
|
288
|
+
# In Active Directory, the CN is genarally the user's full name, which is usually
|
289
|
+
# NOT the same as their username (sAMAccountName).
|
290
|
+
#
|
291
|
+
# For example:
|
292
|
+
#
|
293
|
+
#authenticator:
|
294
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
295
|
+
# ldap:
|
296
|
+
# host: ad.example.net
|
297
|
+
# port: 389
|
298
|
+
# base: dc=example,dc=net
|
299
|
+
# filter: (objectClass=person)
|
300
|
+
# auth_user: authenticator
|
301
|
+
# auth_password: itsasecret
|
302
|
+
#
|
303
|
+
# A more complicated example, where the authenticator will use TLS encryption,
|
304
|
+
# will ignore users with disabled accounts, and will pass on the 'cn' and 'mail'
|
305
|
+
# attributes to CAS clients:
|
306
|
+
#
|
307
|
+
#authenticator:
|
308
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
309
|
+
# ldap:
|
310
|
+
# host: ad.example.net
|
311
|
+
# port: 636
|
312
|
+
# base: dc=example,dc=net
|
313
|
+
# filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
|
314
|
+
# auth_user: authenticator
|
315
|
+
# auth_password: itsasecret
|
316
|
+
# encryption: simple_tls
|
317
|
+
# extra_attributes: cn, mail
|
318
|
+
#
|
319
|
+
# It is possible to authenticate against Active Directory without the
|
320
|
+
# authenticator user, but this requires that users type in their CN as
|
321
|
+
# the username rather than typing in their sAMAccountName. In other words
|
322
|
+
# users will likely have to authenticate by typing their full name,
|
323
|
+
# rather than their username. If you prefer to do this, then just
|
324
|
+
# omit the auth_user and auth_password values in the above example.
|
325
|
+
#
|
326
|
+
#
|
327
|
+
# === LDAP Authentication ======================================================
|
328
|
+
#
|
329
|
+
# This is a more general version of the ActiveDirectory authenticator.
|
330
|
+
# The configuration is similar, except you don't need an authenticator
|
331
|
+
# username or password. The following example has been reported to work
|
332
|
+
# for a basic OpenLDAP setup.
|
333
|
+
#
|
334
|
+
#authenticator:
|
335
|
+
# class: CASServer::Authenticators::LDAP
|
336
|
+
# ldap:
|
337
|
+
# host: ldap.example.net
|
338
|
+
# port: 389
|
339
|
+
# base: dc=example,dc=net
|
340
|
+
# username_attribute: uid
|
341
|
+
# filter: (objectClass=person)
|
342
|
+
#
|
343
|
+
# If you need more secure connections via TSL, specify the 'encryption'
|
344
|
+
# option and change the port. This example also forces the authenticator
|
345
|
+
# to connect using a special "authenticator" user with the given
|
346
|
+
# username and password (see the ActiveDirectoryLDAP authenticator
|
347
|
+
# explanation above):
|
348
|
+
#
|
349
|
+
#authenticator:
|
350
|
+
# class: CASServer::Authenticators::LDAP
|
351
|
+
# ldap:
|
352
|
+
# host: ldap.example.net
|
353
|
+
# port: 636
|
354
|
+
# base: dc=example,dc=net
|
355
|
+
# filter: (objectClass=person)
|
356
|
+
# encryption: simple_tls
|
357
|
+
# auth_user: cn=admin,dc=example,dc=net
|
358
|
+
# auth_password: secret
|
359
|
+
#
|
360
|
+
# If you need additional data about the user passed to the client (for example,
|
361
|
+
# their 'cn' and 'mail' attributes, you can specify the list of attributes
|
362
|
+
# under the extra_attributes config option:
|
363
|
+
#
|
364
|
+
#authenticator:
|
365
|
+
# class: CASServer::Authenticators::LDAP
|
366
|
+
# ldap:
|
367
|
+
# host: ldap.example.net
|
368
|
+
# port: 389
|
369
|
+
# base: dc=example,dc=net
|
370
|
+
# filter: (objectClass=person)
|
371
|
+
# extra_attributes: cn, mail
|
372
|
+
#
|
373
|
+
# Note that the above functionality is somewhat limited by client compatibility.
|
374
|
+
# See the SQL authenticator notes above for more info.
|
375
|
+
#
|
376
|
+
#
|
377
|
+
# === Custom Authentication ====================================================
|
378
|
+
#
|
379
|
+
# It should be relatively easy to write your own Authenticator class. Have a look
|
380
|
+
# at the built-in authenticators in the casserver/authenticators directory. Your
|
381
|
+
# authenticator should extend the CASServer::Authenticators::Base class and must
|
382
|
+
# implement a validate() method that takes a single hash argument. When the user
|
383
|
+
# submits the login form, the username and password they entered is passed to
|
384
|
+
# validate() as a hash under :username and :password keys. In the future, this
|
385
|
+
# hash might also contain other data such as the domain that the user is logging
|
386
|
+
# in to.
|
387
|
+
#
|
388
|
+
# To use your custom authenticator, specify it's class name and path to the
|
389
|
+
# source file in the authenticator section of the config. Any other parameters
|
390
|
+
# you specify in the authenticator configuration will be passed on to the
|
391
|
+
# authenticator and made availabe in the validate() method as an @options hash.
|
392
|
+
#
|
393
|
+
# Example:
|
394
|
+
#
|
395
|
+
#authenticator:
|
396
|
+
# class: FooModule::MyCustomAuthenticator
|
397
|
+
# source: /path/to/source.rb
|
398
|
+
# option_a: foo
|
399
|
+
# another_option: yeeha
|
400
|
+
#
|
401
|
+
# === Multiple Authenticators ==================================================
|
402
|
+
#
|
403
|
+
# If you need to have more than one source for authentication, such as an LDAP
|
404
|
+
# directory and a database, you can use multiple authenticators by making
|
405
|
+
# :authenticator an array of authenticators.
|
406
|
+
#
|
407
|
+
#authenticator:
|
408
|
+
# -
|
409
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
410
|
+
# ldap:
|
411
|
+
# host: ad.example.net
|
412
|
+
# port: 389
|
413
|
+
# base: dc=example,dc=net
|
414
|
+
# filter: (objectClass=person)
|
415
|
+
# -
|
416
|
+
# class: CASServer::Authenticators::SQL
|
417
|
+
# database:
|
418
|
+
# adapter: mysql
|
419
|
+
# database: some_database_with_users_table
|
420
|
+
# user: root
|
421
|
+
# password:
|
422
|
+
# host: localhost
|
423
|
+
# user_table: user
|
424
|
+
# username_column: username
|
425
|
+
# password_column: password
|
426
|
+
#
|
427
|
+
# During authentication, the user credentials will be checked against the first
|
428
|
+
# authenticator and on failure fall through to the second authenticator.
|
429
|
+
#
|
430
|
+
|
431
|
+
|
432
|
+
##### LOOK & FEEL ##############################################################
|
433
|
+
|
434
|
+
# Set the path to the theme directory that determines how your CAS pages look.
|
435
|
+
#
|
436
|
+
# Custom themes are not well supported yet, but will be in the near future. In
|
437
|
+
# the meantime, if you want to create a custom theme, you can create a
|
438
|
+
# subdirectory under the CASServer's themes dir (for example,
|
439
|
+
# '/usr/lib/ruby/1.8/gems/casserver-xxx/public/themes', if you installed CASServer
|
440
|
+
# on Linux as a gem). A theme is basically just a theme.css file that overrides
|
441
|
+
# the themes/cas.css styles along with a collection of image files
|
442
|
+
# like logo.png and bg.png.
|
443
|
+
#
|
444
|
+
# By default, we use the 'simple' theme which you can find in themes/simple.
|
445
|
+
theme: simple
|
446
|
+
|
447
|
+
# The name of your company/organization. This will show up on the login page.
|
448
|
+
organization: CAS
|
449
|
+
|
450
|
+
# A short bit of text that shows up on the login page. You can make this blank
|
451
|
+
# if you prefer to have no extra text shown at the bottom of the login box.
|
452
|
+
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
|
453
|
+
|
454
|
+
# Custom views file. Overrides methodes in lib/casserver/views.rb
|
455
|
+
#custom_views_file: /path/to/custom/views.rb
|
456
|
+
|
457
|
+
# use erb for view template, see rubycas-server/lib/casserver/template/erb for example
|
458
|
+
# e.g. /usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/lib/casserver/template/erb
|
459
|
+
template_erb_dir:
|
460
|
+
|
461
|
+
##### LOCALIZATION (L10N) #######################################################
|
462
|
+
# The server will attempt to detect the user's locale and show text in the
|
463
|
+
# appropriate language based on:
|
464
|
+
#
|
465
|
+
# 1. The 'lang' URL parameter (if any)
|
466
|
+
# 2. The 'lang' cookie (if any)
|
467
|
+
# 3. The HTTP_ACCEPT_LANGUAGE header supplied by the user's browser.
|
468
|
+
# 4. The HTTP_USER_AGENT header supplied by the user's browser.
|
469
|
+
#
|
470
|
+
# If the locale cannot be established based on one of the above checks (in the
|
471
|
+
# shown order), then the below 'default_locale' option will be used.
|
472
|
+
#
|
473
|
+
# The format is the same as standard linux locales (langagecode_COUNTRYCODE):
|
474
|
+
#
|
475
|
+
# ru_RU - Russian, Russia
|
476
|
+
# eo_AQ - Esperanto, Antarctica
|
477
|
+
#
|
478
|
+
# It will also work if you leave out the region (i.e. just "ru" for Russian,
|
479
|
+
# "eo" for Esperanto).
|
480
|
+
#
|
481
|
+
# If you are interested in contributing new translations or have corrections
|
482
|
+
# to the existing translations, see
|
483
|
+
# http://code.google.com/p/rubycas-server/wiki/HowToContribueTranslations
|
484
|
+
#
|
485
|
+
default_locale: en
|
486
|
+
|
487
|
+
##### LOGGING ##################################################################
|
488
|
+
|
489
|
+
# Configure general logging. This log is where you'll want to look in case of
|
490
|
+
# problems.
|
491
|
+
#
|
492
|
+
# You may want to change the file to something like /var/log/casserver.log
|
493
|
+
# Set the level to DEBUG if you want more detailed logging.
|
494
|
+
|
495
|
+
log:
|
496
|
+
file: /var/log/casserver.log
|
497
|
+
level: INFO
|
498
|
+
|
499
|
+
|
500
|
+
# If you want full database logging, uncomment this next section.
|
501
|
+
# Every SQL query will be logged here. This is useful for debugging database
|
502
|
+
# problems.
|
503
|
+
#
|
504
|
+
#db_log:
|
505
|
+
# file: /var/log/casserver_db.log
|
506
|
+
|
507
|
+
|
508
|
+
##### SINGLE SIGN-OUT ##########################################################
|
509
|
+
|
510
|
+
# When a user logs in to a CAS-enabled client application, that application
|
511
|
+
# generally opens its own local user session. When the user then logs out
|
512
|
+
# through the CAS server, each of the CAS-enabled client applications need
|
513
|
+
# to be notified so that they can close their own local sessions for that user.
|
514
|
+
#
|
515
|
+
# Up until recently this was not possible within CAS. However, a method for
|
516
|
+
# performing this notification was recently added to the protocol (in CAS 3.1).
|
517
|
+
# This works exactly as described above -- when the user logs out, the CAS
|
518
|
+
# server individually contacts each client service and notifies it of the
|
519
|
+
# logout. Currently not all client applications support this, so this
|
520
|
+
# behaviour is disabled by default. To enable it, uncomment the following
|
521
|
+
# configuration line. Note that currently it is not possible to enable
|
522
|
+
# or disable single-sign-out on a per-service basis, but this functionality
|
523
|
+
# is planned for a future release.
|
524
|
+
|
525
|
+
#enable_single_sign_out: true
|
526
|
+
|
527
|
+
|
528
|
+
##### OTHER ####################################################################
|
529
|
+
|
530
|
+
# You can set various ticket expiry times (specify the value in seconds).
|
531
|
+
|
532
|
+
# Unused login and service tickets become unusable this many seconds after
|
533
|
+
# they are created. (Defaults to 5 minutes)
|
534
|
+
|
535
|
+
#maximum_unused_login_ticket_lifetime: 300
|
536
|
+
#maximum_unused_service_ticket_lifetime: 300
|
537
|
+
|
538
|
+
# The server must periodically delete old tickets (login tickets, service tickets
|
539
|
+
# proxy-granting tickets, and ticket-granting tickets) to prevent buildup of
|
540
|
+
# stale data. This effectively limits the maximum length of a CAS session to
|
541
|
+
# the lifetime given here (in seconds). (Defaults to 48 hours)
|
542
|
+
#
|
543
|
+
# Note that this limit is not enforced on the client side; it refers only to the
|
544
|
+
# the maximum lifetime of tickets on the CAS server.
|
545
|
+
|
546
|
+
#maximum_session_lifetime: 172800
|
547
|
+
|
548
|
+
|
549
|
+
# If you want the usernames entered on the login page to be automatically
|
550
|
+
# downcased (converted to lowercase), enable the following option. When this
|
551
|
+
# option is set to true, if the user enters "JSmith" as their username, the
|
552
|
+
# system will automatically
|
553
|
+
# convert this to "jsmith".
|
554
|
+
|
555
|
+
#downcase_username: true
|