rubycas-server 0.4.2 → 0.5.0

data/CHANGELOG.txt

@@ -1,3 +1,40 @@
+=== 0.5.0 :: 2007-09-20
+
+* Gateway requests should now be handled correctly. When the request to the
+  login page is made with gateway=true as one of the parameters, the CAS
+  server will immediately redirect back to the target service along with
+  a service ticket if an SSO session exists for the user (or without a
+  service ticket if there is no pre-existing SSO session). 
+  Note that if you are using RubyCAS-Client and want gatewaying, you will 
+  need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
+* If gateway=true is specified as part of the logout URI, the server will
+  log the user out and immediately redirect them back to the specified
+  service. In other words, you can now do "gatewayed logouts" as well
+  as logins.
+* A login ticket can now be remotely requested from the server by placing
+  a POST request to '/loginTicket'.
+* The login view can now be made to return only the login form. This is
+  done by adding the 'onlyLoginForm' parameter to the '/login' request.
+  Optionally, a 'submitToURI' parameter can be supplied to force the login
+  form to submit to the given URI (otherwise the server will try to figure
+  out the full URI to its own login controller). This functionality may be
+  useful when you want to embed the login form in some external page, as
+  an IFRAME otherwise.
+* Custom views can now be used to override the default Markaby templates
+  by specifying a 'custom_views_file' option in the configuration. See
+  custom_views.example.rb. [jzylks]
+* Table names have been shortened to work with Oracle. A migration has
+  been added that should do the shortening for you the first time you run
+  this new RubyCAS-Server version.
+* Multiple authenticators can now be specified. During authentication,
+  credentials are presented to the first authenticator, then the second,
+  and so on, until the user is validated by any one authenticator or fails 
+  validation for all of them. [jzylks]
+* When using webrick, you can now run with SSL disabled by omitting the 
+  ssl_cert and ssl_key parameters.
+* Changed incorrect MySQL example database configuration -- option should
+  be 'host:' not 'server:' (issue #22).
+
 === 0.4.2 :: 2007-07-26
 
 * The LDAP/AD authenticator has been largely re-written. The code is a bit

data/Manifest.txt

@@ -6,6 +6,7 @@ Rakefile
 bin/rubycas-server
 bin/rubycas-server-ctl
 config.example.yml
+custom_views.example.rb
 lib/casserver.rb
 lib/casserver/authenticators/active_directory_ldap.rb
 lib/casserver/authenticators/base.rb
@@ -35,3 +36,12 @@ lib/themes/warning.png
 resources/init.d.sh
 setup.rb
 test/test_casserver.rb
+
+vendor/camping-1.5.180/lib/camping-unabridged.rb
+vendor/camping-1.5.180/lib/camping.rb
+vendor/camping-1.5.180/lib/camping/db.rb
+vendor/camping-1.5.180/lib/camping/fastcgi.rb
+vendor/camping-1.5.180/lib/camping/reloader.rb
+vendor/camping-1.5.180/lib/camping/session.rb
+vendor/camping-1.5.180/lib/camping/webrick.rb
+

data/Rakefile

@@ -19,14 +19,15 @@ RUBYFORGE_PROJECT = "rubycas-server" # The unix name for your project
 HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
 
 DEPS = [
-  ['camping', '>= 1.5'],
+#  ['camping', '>= 1.5'], # camping is now bundled with rubycas-server
   ['activesupport', '>= 1.4.0'],
   ['activerecord', '>=1.15.3']
 ]
 
 
 NAME = "rubycas-server"
-REV = nil # UNCOMMENT IF REQUIRED: File.read(".svn/entries")[/committed-rev="(d+)"/, 1] rescue nil
+REV = nil
+#REV = `svn info`[/Revision: (\d+)/, 1] rescue nil
 VERS = ENV['VERSION'] || (CASServer::VERSION::STRING + (REV ? ".#{REV}" : ""))
                           CLEAN.include ['**/.*.sw?', '*.gem', '.config']
 RDOC_OPTS = ['--quiet', '--title', "RubyCAS-Server #{VERS} Documentation",

data/bin/rubycas-server-ctl

@@ -21,7 +21,7 @@ def start
   when :ok
     $stderr.puts "rubycas-server is already running"
     exit 1
-  when :not_running
+  when :not_running, :empty_pid
     $stderr.puts "The pid file '#{@options[:pid_file]}' exists but rubycas-server is not running." +
       " The pid file will be automatically deleted for you, but this shouldn't have happened!"
     File.delete(@options[:pid_file])

data/config.example.yml

@@ -49,22 +49,25 @@ ssl_cert: /path/to/your/ssl.pem
 # 
 # By default, we use MySQL, since it is widely used and does not require any additional
 # ruby libraries besides ActiveRecord.
-# 
-# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else supported 
-# by ActiveRecord.
 #
-# For example, with MySQL, your config wold be something like:
+# With MySQL, your config would be something like the following:
+# (be sure to create the casserver database in MySQL beforehand,
+#   i.e. `mysqladmin -u root create casserver`)
 
 database:
   adapter: mysql
   database: casserver
   username: root
   password: 
-  server: localhost
+  host: localhost
 
-# If you prefer to use SQLite3 (which does not require a separate database server),
-# your configuration would look something like the following (don't forget to install
-# the sqlite3-ruby gem beforehand!):
+#
+# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else supported 
+# by ActiveRecord.
+#
+# With SQLite3 (which does not require a separate database server), your configuration
+# would look something like the following (don't forget to install the 
+# sqlite3-ruby gem beforehand!):
 #
 #database:
 #  adapter: sqlite3
@@ -95,7 +98,7 @@ database:
 #  database:
 #    adapter: mysql
 #    database: some_database_with_users_table
-#    user: root
+#    username: root
 #    password: 
 #    server: localhost
 #  user_table: user
@@ -128,7 +131,7 @@ database:
 #
 # It is possible to authenticate against Active Directory without the
 # authenticator user, but this requires that users type in their CN as
-# the username, rather than typing in their sAMAccountName. In other words
+# the username rather than typing in their sAMAccountName. In other words
 # users will likely have to authenticate by typing their full name,
 # rather than their username. If you prefer to do this, then just
 # omit the auth_user and auth_password values in the above example.
@@ -170,7 +173,35 @@ database:
 #  source: /path/to/source.rb
 #  option_a: foo
 #  another_option: yeeha
-
+#
+# ==> Multiple Authenticators
+# If you need to have more than one source for authentication, such as an LDAP directory
+# and a database, you can use multiple authenticators by making :authenticator an array
+# of authenticators.
+#
+#authenticator:
+#  -
+#    class: CASServer::Authenticators::ActiveDirectoryLDAP
+#    ldap:
+#      server: ad.example.net
+#      port: 389
+#      base: dc=example,dc=net
+#      filter: (objectClass=person)
+#  -
+#    class: CASServer::Authenticators::SQL
+#    database:
+#      adapter: mysql
+#      database: some_database_with_users_table
+#      user: root
+#      password:
+#      server: localhost
+#    user_table: user
+#    username_column: username
+#    password_column: password
+#
+# During authentication, the user credentials will be checked against the first
+# authenticator and on failure fall through to the second authenticator.
+#
 
 ##### LOOK & FEEL ######################################################################
 
@@ -192,6 +223,8 @@ organization: CAS
 # A short bit of text that shows up on the login page. You can make this blank if you prefer.
 infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
 
+# Custom views file.  Overrides methodes in lib/casserver/views.rb
+#custom_views_file: /path/to/custom/views.rb
 
 ##### LOGGING #########################################################################
 

data/custom_views.example.rb

@@ -0,0 +1,11 @@
+# Custom views file; add methods to the module definition below
+
+module CASServer::Views
+
+  # Override views here, for example, a custom login form:
+  def login_form
+    # Add your custom login form here, using Markaby
+    # See the original views.rb file at lib/casserver/views.rb for method names and usage
+  end
+
+end

data/lib/casserver/authenticators/ldap.rb

@@ -11,9 +11,9 @@ end
 class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
   def validate(credentials)
     read_standard_credentials(credentials)
-    
+
     return false if @password.blank?
-    
+   
     raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
     raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:ldap]
     raise CASServer::AuthenticatorError, "You must specify an ldap server in the configuration!" unless @options[:ldap][:server]
@@ -68,8 +68,14 @@ class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
       
       username_attribute = options[:ldap][:username_attribute] || default_username_attribute
       
-      filter = Net::LDAP::Filter.construct(@options[:ldap][:filter]) & 
-        Net::LDAP::Filter.eq(username_attribute, @username)
+      filter = Net::LDAP::Filter.construct(@options[:ldap][:filter]) if 
+        @options[:ldap][:filter] && !@options[:ldap][:filter].blank?
+      username_filter = Net::LDAP::Filter.eq(username_attribute, @username)
+      if filter
+        filter &= username_filter
+      else
+        filter = username_filter
+      end
       
       @ldap.bind_as(:base => @options[:ldap][:base], :password => @password, :filter => filter)
     end
@@ -86,4 +92,4 @@ class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
       @ldap.authenticate(cn, @password)
       @ldap.bind
     end
-end
+end

data/lib/casserver/conf.rb

@@ -1,4 +1,5 @@
 # load configuration
+
 begin
   if $CONFIG_FILE
     conf_file = $CONFIG_FILE
@@ -33,8 +34,7 @@ begin
       " suit your needs and then run rubycas-server again.\n"
     exit 1
   end
-  
-  
+ 
   loaded_conf = HashWithIndifferentAccess.new(YAML.load_file(conf_file))
   
   if $CONF
@@ -42,21 +42,44 @@ begin
   else
     $CONF = loaded_conf
   end
-  
+ 
+  if $CONF[:authenticator].instance_of? Array
+    $CONF[:authenticator].each_index { |auth_index| $CONF[:authenticator][auth_index] = HashWithIndifferentAccess.new($CONF[:authenticator][auth_index])}
+  end
+
+  $AUTH = []
   begin
     # attempt to instantiate the authenticator
-    $AUTH = $CONF[:authenticator][:class].constantize.new
-  rescue NameError
-    if !$CONF[:authenticator][:source].nil?
-      # config.yml explicitly names source file
-      require $CONF[:authenticator][:source]
+    if $CONF[:authenticator].instance_of? Array
+      $CONF[:authenticator].each { |authenticator| $AUTH << authenticator[:class].constantize.new}
     else
-      # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
-      auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
-      require 'casserver/'+auth_rb
+      $AUTH << $CONF[:authenticator][:class].constantize.new
     end
+  rescue NameError
+    if $CONF[:authenticator].instance_of? Array
+      $CONF[:authenticator].each do |authenticator|
+        if !authenticator[:source].nil?
+          # config.yml explicitly names source file
+          require authenticator[:source]
+        else
+          # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+          auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
+          require 'casserver/'+auth_rb
+        end
+        $AUTH << authenticator[:class].constantize.new
+      end
+    else
+      if !$CONF[:authenticator][:source].nil?
+        # config.yml explicitly names source file
+        require $CONF[:authenticator][:source]
+      else
+        # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+        auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
+        require 'casserver/'+auth_rb
+      end
 
-    $AUTH = $CONF[:authenticator][:class].constantize.new
+      $AUTH << $CONF[:authenticator][:class].constantize.new
+    end
   end
 rescue
     raise "Your RubyCAS-Server configuration may be invalid."+

data/lib/casserver/controllers.rb

@@ -9,6 +9,8 @@ module CASServer::Controllers
     
     # 2.1.1
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # make sure there's no caching
       headers['Pragma'] = 'no-cache'
       headers['Cache-Control'] = 'no-store'
@@ -17,7 +19,7 @@ module CASServer::Controllers
       # optional params
       @service = @input['service']
       @renew = @input['renew']
-      @gateway = @input['gateway']
+      @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
       
       if tgc = @cookies[:tgt]
         tgt, tgt_error = validate_ticket_granting_ticket(tgc)
@@ -28,13 +30,21 @@ module CASServer::Controllers
       end
       
       begin
-        if @service && !@renew && tgt && !tgt_error
-          st = generate_service_ticket(@service, tgt.username)
-          service_with_ticket = service_uri_with_ticket(@service, st)
-          $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
-          return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+        if @service 
+          if !@renew && tgt && !tgt_error
+            st = generate_service_ticket(@service, tgt.username)
+            service_with_ticket = service_uri_with_ticket(@service, st)
+            $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
+            return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+          elsif @gateway
+            $LOG.info("Redirecting unauthenticated gateway request to service '#{@service}'.")
+            return redirect(@service, :status => 303)
+          end
+        elsif @gateway
+            $LOG.error("This is a gateway request but no service parameter was given!")
+            @message = {:type => 'mistake', :message => "The server cannot fulfill this gateway request because no service parameter was given."}
         end
-      rescue
+      rescue # FIXME: shouldn't this only rescue URI::InvalidURIError?
         $LOG.error("The service '#{@service}' is not a valid URI!")
         @message = {:type => 'mistake', :message => "The target service your browser supplied appears to be invalid. Please contact your system administrator for help."}
       end
@@ -45,11 +55,37 @@ module CASServer::Controllers
       
       @lt = lt.ticket
       
-      render :login
+      $LOG.debug(env)
+      
+      # If the 'onlyLoginForm' parameter is specified, we will only return the 
+      # login form part of the page. This is useful for when you want to
+      # embed the login form in some external page (as an IFRAME, or otherwise).
+      # The optional 'submitToURI' parameter can be given to explicitly set the
+      # action for the form, otherwise the server will try to guess this for you.
+      if @input.has_key? 'onlyLoginForm'
+        if env['HTTP_HOST']
+          guessed_login_uri = "http#{env['HTTPS'] && env['HTTPS'] == 'on' ? 's' : ''}://#{env['REQUEST_URI']}#{self / '/login'}"
+        else
+          guessed_login_uri = nil
+        end
+
+        @form_action = @input['submitToURI'] || guessed_login_uri
+        
+        if @form_action
+          render :login_form
+        else
+          @status = 500
+          "Could not guess the CAS login URI. Please supply a submitURI parameter with your request."
+        end
+      else
+        render :login
+      end
     end
     
     # 2.2
     def post
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # 2.2.1 (optional)
       @service = @input['service']
       @warn = @input['warn']
@@ -69,12 +105,20 @@ module CASServer::Controllers
       # generate another login ticket to allow for re-submitting the form after a post
       @lt = generate_login_ticket.ticket
       
-      $AUTH.configure(CASServer::Conf.authenticator)
-      
+      if $CONF[:authenticator].instance_of? Array
+        $AUTH.each_index {|auth_index| $AUTH[auth_index].configure(CASServer::Conf.authenticator[auth_index])}
+      else
+        $AUTH[0].configure(CASServer::Conf.authenticator)
+      end
+
       $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{$AUTH}")
       
+      credentials_are_valid = false
       begin
-        credentials_are_valid = $AUTH.validate(:username => @username, :password => @password, :service => @service)
+        $AUTH.each do |auth|
+          credentials_are_valid = auth.validate(:username => @username, :password => @password, :service => @service)
+          break if credentials_are_valid
+        end
       rescue CASServer::AuthenticatorError => e
         $LOG.error(e)
         @message = {:type => 'mistake', :message => e.to_s}
@@ -82,10 +126,10 @@ module CASServer::Controllers
       end
       
       if credentials_are_valid
-        $LOG.info("Credentials for username '#{$AUTH.username}' successfully validated")
+        $LOG.info("Credentials for username '#{@username}' successfully validated")
         
         # 3.6 (ticket-granting cookie)
-        tgt = generate_ticket_granting_ticket($AUTH.username)
+        tgt = generate_ticket_granting_ticket(@username)
         
         if CASServer::Conf.expire_sessions
           expires = CASServer::Conf.ticket_granting_ticket_expiry.to_i.from_now
@@ -98,17 +142,17 @@ module CASServer::Controllers
         #        seem to be an easy way to set cookie expire times in Camping :(
         @cookies[:tgt] = tgt.to_s
         
-        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{$AUTH.username}'. #{expiry_info}")
+        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{@username}'. #{expiry_info}")
                 
         if @service.blank?
-          $LOG.info("Successfully authenticated user '#{$AUTH.username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
+          $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
           @message = {:type => 'confirmation', :message => "You have successfully logged in."}
         else
-          @st = generate_service_ticket(@service, $AUTH.username)
+          @st = generate_service_ticket(@service, @username)
           begin
             service_with_ticket = service_uri_with_ticket(@service, @st)
             
-            $LOG.info("Redirecting authenticated user '#{$AUTH.username}' at '#{@st.client_hostname}' to service '#{@service}'")
+            $LOG.info("Redirecting authenticated user '#{@username}' at '#{@st.client_hostname}' to service '#{@service}'")
             return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
           rescue URI::InvalidURIError
             $LOG.error("The service '#{@service}' is not a valid URI!")
@@ -116,7 +160,7 @@ module CASServer::Controllers
           end
         end
       else
-        $LOG.warn("Invalid credentials given for user '#{$AUTH.username}'")
+        $LOG.warn("Invalid credentials given for user '#{@username}'")
         @message = {:type => 'mistake', :message => "Incorrect username or password."}
       end
       
@@ -130,13 +174,17 @@ module CASServer::Controllers
     
     # 2.3.1
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # The behaviour here is somewhat non-standard. Rather than showing just a blank
       # "logout" page, we take the user back to the login page with a "you have been logged out"
-      # message, allowing for an opportunity to immediately log back in. This makes
-      # switching users a lot smoother.
+      # message, allowing for an opportunity to immediately log back in. This makes it
+      # easier for the user to log out and log in as someone else.
       @service = @input['url'] || @input['service']
       # TODO: display service name in view as per 2.3.2
       
+      @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
+      
       tgt = CASServer::Models::TicketGrantingTicket.find_by_ticket(@cookies[:tgt])
       
       @cookies.delete :tgt
@@ -162,7 +210,11 @@ module CASServer::Controllers
       
       @lt = generate_login_ticket
       
-      render :login
+      if @gateway && @service
+        redirect(@service, :status => 303)
+      else
+        render :login
+      end
     end
   end
 
@@ -172,6 +224,8 @@ module CASServer::Controllers
   
     # 2.4.1
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # required
       @service = @input['service']
       @ticket = @input['ticket']
@@ -193,6 +247,8 @@ module CASServer::Controllers
   
     # 2.5.1
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # required
       @service = @input['service']
       @ticket = @input['ticket']
@@ -221,6 +277,8 @@ module CASServer::Controllers
   
     # 2.6.1
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # required
       @service = @input['service']
       @ticket = @input['ticket']
@@ -259,6 +317,8 @@ module CASServer::Controllers
   
     # 2.7
     def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      
       # required
       @ticket = @input['pgt']
       @target_service = @input['targetService']
@@ -274,13 +334,41 @@ module CASServer::Controllers
     end
   end
   
+  # Controller for obtaining login tickets.
+  # This is useful when you want to build a custom login form located on a 
+  # remote server. Your form will have to include a valid login ticket
+  # value, and this can be fetched from the CAS server using this controller'
+  # POST method.
+  class LoginTicketDispenser < R '/loginTicket'
+    include CASServer::CAS
+    
+    def get
+      CASServer::Utils::log_controller_action(self.class, @input)
+      $LOG.error("Tried to use login ticket dispenser with get method!")
+      @status = 500
+      "To generate a login ticket, you must make a POST request."
+    end
+    
+    # Renders a page with a login ticket (and only the login ticket)
+    # in the response body.
+    def post
+      CASServer::Utils::log_controller_action(self.class, @input)
+      lt = generate_login_ticket
+      
+      $LOG.debug("Generated login ticket: #{lt}, host: #{env['REMOTE_HOST'] || env['REMOTE_ADDR']}")
+      
+      @lt = lt.ticket
+      
+      @lt
+    end
+  end
+  
   class Themes < R '/themes/(.+)'         
     MIME_TYPES = {'.css' => 'text/css', '.js' => 'text/javascript', 
                   '.jpg' => 'image/jpeg'}
     PATH = CASServer::Conf.themes_dir || File.expand_path(File.dirname(__FILE__))+'/../themes'
 
-    def get(path)
-      @headers['Content-Type'] = MIME_TYPES[path[/\.\w+$/, 0]] || "text/plain"
+    def get(path)@headers['Content-Type'] = MIME_TYPES[path[/\.\w+$/, 0]] || "text/plain"
       unless path.include? ".." # prevent directory traversal attacks
         @headers['X-Sendfile'] = "#{PATH}/#{path}"
       else

data/lib/casserver/models.rb

@@ -31,10 +31,12 @@ module CASServer::Models
   end
   
   class LoginTicket < Ticket
+    set_table_name 'casserver_lt'
     include Consumable
   end
   
   class ServiceTicket < Ticket
+    set_table_name 'casserver_st'
     include Consumable
     
     def matches_service?(service)
@@ -50,9 +52,11 @@ module CASServer::Models
   end
   
   class TicketGrantingTicket < Ticket
+    set_table_name 'casserver_tgt'
   end
   
   class ProxyGrantingTicket < Ticket
+    set_table_name 'casserver_pgt'
     belongs_to :service_ticket
     has_many :proxy_tickets, :dependent => :destroy
   end
@@ -113,4 +117,23 @@ module CASServer::Models
       drop_table :casserver_login_tickets
     end
   end
+  
+  # Oracle table names cannot exceed 30 chars... 
+  # See http://code.google.com/p/rubycas-server/issues/detail?id=15
+  class ShortenTableNames < V 0.5
+    def self.up
+      $LOG.info("Shortening table names")
+      rename_table :casserver_login_tickets, :casserver_lt
+      rename_table :casserver_service_tickets, :casserver_st
+      rename_table :casserver_ticket_granting_tickets, :casserver_tgt
+      rename_table :casserver_proxy_granting_tickets, :casserver_pgt
+    end
+    
+    def self.down
+      rename_table :casserver_lt, :cassserver_login_tickets
+      rename_table :casserver_st, :casserver_service_tickets
+      rename_table :casserver_tgt, :casserver_ticket_granting_tickets
+      rename_table :casserver_pgt, :casserver_proxy_granting_tickets
+    end
+  end
 end