Yale PAM client distribution
The Yale CAS client distribution includes a PAM module suitable for CAS-authenticating, say, an IMAP server.
esup-portail PAM client distribution
Esup-portail also distributes an enhanced version of the PAM module.
Documentation is available here.
The following are what I believe to be some of the enhancements present in the esup-portail module beyond what is available in Yale PAM_CAS, as of the time of this writing. If this characterization can be made more accurate, please comment upon or edit this Wiki page. However, it is to be expected that esup-portail's documentation of their PAM module is always going to be more up-to-date and authoritative than this Wiki page.
- improved debugging
- certificate management: only the certificate of the top-level Certificate Authority is necessary
- Parameters are written in a configuration file (rather than being compiled in):
auth sufficient /lib/security/pam_cas.so -simap://imap.univ.fr -f/etc/pam_cas.conf
# sample pam_cas config
# host of the CAS server. Mandatory.
# port of the CAS server. Defaults to 80 or 443, depending on the ssl instruction
# URI used to validate the ticket. Defaults to /proxyValidate
# https or not. Values: on or off. Defaults to on.
# debug (on) or not (off). Debug output goes to syslog at level LOG_DEBUG. Defaults to off
# proxy or proxies that deliver the Proxy Ticket.
# If no proxy is given, pam_cas does not check it
# There may be several proxy instructions
# trusted_ca. Mandatory if ssl is on.
# It is a file in PEM format. It can contain several certificates
# If the CAS server certificate is self-signed, the file must contain that certificate
# If the certificate is issued by a Certificate Authority, the file must contain
# the certificate of the top-level CA
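The rules stated in the sample's comments can be checked mechanically before a pam_cas.conf is deployed. The following is an added example, not code from the Yale or esup-portail distributions; the directive names `host`, `port`, `uriValidate`, `ssl`, `debug` and `proxy` are assumptions inferred from the comments (only `trusted_ca` is named on this page), and the sample file content is constructed.

```python
# Added example: audit a pam_cas.conf against the rules in the sample's comments.
# Directive names other than trusted_ca are ASSUMED from those comments;
# confirm them against the module's own documentation before relying on this.
DEFAULTS = {"ssl": "on", "debug": "off", "uriValidate": "/proxyValidate"}

def parse(text):
    """Return (settings, proxies) from 'key value' lines; '#' lines are comments."""
    settings, proxies = dict(DEFAULTS), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "proxy":          # several proxy instructions are allowed
            proxies.append(value)
        else:
            settings[key] = value
    # The port default depends on ssl: 443 when on, 80 when off.
    settings.setdefault("port", "443" if settings["ssl"] == "on" else "80")
    return settings, proxies

def audit(text):
    """Return (effective settings, list of findings) for a config file's text."""
    settings, proxies = parse(text)
    findings = []
    if not settings.get("host"):
        findings.append("host is mandatory")
    if settings["ssl"] == "on":
        if not settings.get("trusted_ca"):
            findings.append("trusted_ca is mandatory when ssl is on")
    else:
        findings.append("ssl off: ticket validation uses http, not https")
    if not proxies:
        findings.append("no proxy listed: pam_cas does not check the issuing proxy")
    if settings["debug"] == "on":
        findings.append("debug on: LOG_DEBUG output goes to syslog")
    return settings, findings

# Constructed sample: ssl left at its default (on) but trusted_ca forgotten.
SAMPLE = """\
# constructed sample, not a real deployment
host cas.example.org
proxy https://webmail.example.org/casProxy
proxy https://portal.example.org/casProxy
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print("FINDING:", finding)
```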
Thanks to Vincent Mathieu for writing on the CAS discussion list on this point. His email seeded this Wiki page.