R

roundcube-cas-auth

If you aren't sure what CAS is, check out: http://www.jasig.org/cas

This is a fork of Alex Li's cas_authentication plugin. (http://code.google.com/p/rc-cas-plugin)
We share some of the same config names so we should not be run together.

The main differences are:
 - This plugin should work with stock Roundcube 0.6+
 - This plugin can be configured to not force all users to have to use CAS
 - This plugin supports using a CAS proxy ticket for SMTP authn

This plugin has been tested and works with the following:
 - Roundcube 0.6-0.8
 - RHEL (specifically, Oracle Enterprise Linux) 6.1-6.2 x64 - DEBIAN Squeeze 2.6.26 x64
 - JASIG CAS 3.3.2, 3.4.11, 3.4.14 (http://www.jasig.org/cas)
 - pam_cas (https://sourcesup.cru.fr/frs/?group_id=213, Pam_cas-2.0.11-esup-2.0.5.tar.gz)
 - phpCAS 1.2.2 (php-pear-CAS from EPEL)
 - up-imapproxy 1.2.7 (http://www.imapproxy.org)
 - Dovecot 2.0.13 (http://dovecot.org)

Setup is very similar to most Roundcube plugins. Copy cas_authn to your 
Roundcube plugin directory. Then, copy config.inc.php.dist to config.inc.php,
edit for your environment, and activate the plugin. 

Some things to be aware of:

  - This plugin assumes your IMAP server can authenticate 
    (a) CAS proxy tickets (if cas_proxy is true) 
	- or - 
    (b) any user using the "master" password (if cas_proxy is false and 
        cas_imap_password is set). 
    For (a), the most common way to do this is with pam_cas. See
    http://www.esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_pam.html 
    for help configuring and testing that. (It is in French, but Google 
    Translate does a good job.)

  - If cas_proxy is true and Roundcube is set to authenticate to SMTP, 
    this plugin will generate a PT for your SMTP service and send that to 
    the SMTP server. As with IMAP, you should test this via telnet to make 
    sure your SMTP server is validating CAS tickets.

  - If you are running Roundcube on multiple servers behind a load balancer
    and cas_proxy is true, your PGTIOU storage must be shared; when the CAS
    server does the PGT callback there is no guarantee (unless you do 
    something special) that it will hit the same host the user is on. And 
    if you're not sure what "PGT callback" is, check out 
    https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
    especially the PDF linked at the bottom.