<div dir="ltr"><div><div><div>Hello,<br><br></div>I have some problems in the developpement of a CAS Auth for EPrints.<br><br></div>My first approach was using the documentation on the page : <a href="http://wiki.eprints.org/w/CAS">http://wiki.eprints.org/w/CAS</a><br><br></div><div>This documentation is good to start, but i have some problems finishing it. It&#39;s not accurate enough for eprints 3.x . In fact it doesn&#39;t work if we use it like it is explained. <br></div><div>the first problem i ran into was that apache did not restart after modifying the sub current_user() routine. The $username variable isn&#39;t defined in the line <br><span style="font-family:monospace">$ldap_search_string =~ s/!!USERNAME!!/$username/g;<br><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">I resolved this problem, but then i ran into another problem, the cookie isn&#39;t found and can&#39;t be fetched. So before using raw_cookie() i tested if the cookie existed or not.<br><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">As for now, the CAS page is visible, when i click on Login, but i have another problem, when the user is created in the eprints Database ( right after CAS Auth ), the user creation<br></span></div><div><span style="font-family:arial,helvetica,sans-serif">method is looping like hell, and creates a bunch of first null users, then a bunch of users with my LDAP credentials. This is not what is expected, i expect to see only one user created with LDAP Credentials.<br><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">On another hand, when the user is already in the database, the connection is made with the CAS, but the users can&#39;t logout. Here is my sub current_user() routine :<br><br></span></div><div><span style="font-family:arial,helvetica,sans-serif"><span style="font-family:monospace">sub current_user<br>{<br>    my( $self ) = @_;<br>    if( $self-&gt;{offline} ) { return undef; }<br><br>    if( !defined $self-&gt;{current_user} ){<br>        if( $self-&gt;get_archive-&gt;get_conf( &quot;cookie_auth&quot; ) ){<br>            if ( $self-&gt;get_archive-&gt;get_conf( &#39;cas_auth&#39; ) ){<br>                my $username;<br>                my $cookie_name = $self-&gt;get_archive-&gt;get_conf( &#39;cas_cookie_name&#39; );<br>                $self-&gt;{current_user} = undef;<br>                if( defined $ENV{&#39;HTTP_CAS_FILTER_USER&#39;}){           <br>                    $username = $ENV{&#39;HTTP_CAS_FILTER_USER&#39;};<br>                    $self-&gt;{current_user} = EPrints::DataObj::User::user_with_username( $self, $username ); # undef si le user n&#39;existe pas          <br>                }<br>                elsif ( defined $ENV{&#39;HTTP_COOKIE&#39;}) {<br>                    # Vérification de l&#39;existence du cookie APACHECAS<br>                    my @cookie1 = split(&quot;=&quot;,$ENV{&#39;HTTP_COOKIE&#39;}); #cookie1 = array(&#39;APACHECAS&#39;, ticket)<br>                    my $ticket = $cookie1[1];<br>                    my $sql = &quot;SELECT user_id FROM cas_sessions where id=&#39;&quot;.$ticket.&quot;&#39;&quot;; <br>                    my $sth = $self-&gt;get_database()-&gt;prepare( $sql );<br>                    $self-&gt;get_database()-&gt;execute($sth);<br>                    my @info = $sth-&gt;fetchrow_array();<br>                    #my @list = split(&quot;:&quot;,$info[0]);<br>                    $username = $info[0];<br>                    $sth-&gt;finish;<br>                    $self-&gt;{current_user} = EPrints::DataObj::User::user_with_username( $self, $username ); # undef si le user n&#39;existe pas<br>                }<br>                else {<br>                    $self-&gt;{current_user} = undef;<br>                }<br><br>                # Create user FROM LDAP server if needed<br>                if (not defined $self-&gt;{current_user}) {<br>                    my $session = $self;<br>                    # Verification de l&#39;existence des cookies<br>                    # Si le cookie est trouvé, on défini le username   <br>                    if( defined $ENV{&#39;HTTP_COOKIE&#39;}){<br>                        my $ticket = raw_cookie(&#39;APACHECAS&#39;);<br>                        my $sql = &quot;SELECT user_id FROM cas_sessions where id=&#39;&quot;.$ticket.&quot;&#39;&quot;;<br>                        my $sth = $self-&gt;get_database()-&gt;prepare( $sql );<br>                        $self-&gt;get_database()-&gt;execute($sth);<br>                        my @info = $sth-&gt;fetchrow_array();<br>                        $username = $info[0];<br>                        $sth-&gt;finish;                                 <br>                        my $utilisateur = EPrints::DataObj::User::user_with_username( $self, $username );<br>                    <br>                        if(!defined $utilisateur &amp;&amp; ($username != &#39;&#39; || $username != undef) ){<br>                            # Si l&#39;utilisateur n&#39;existe pas dans la bdd eprints et que le username est bien défini<br>                            # On va le chercher dans le LDAP<br>                            # et l&#39;enregistrer dans la BDD Eprints<br>              <br>              # Récupération des parametres LDAP<br>                            my $ldap_host = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_host&#39;);<br>                            my $ldap_version = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_version&#39;);<br>                            my $ldap_bind_user = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_bind_user&#39;);<br>                            my $ldap_bind_pass = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_bind_pass&#39;);<br>                            my $ldap_base = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_base&#39;);<br>                            my $ldap_scope = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_scope&#39;);<br>                            my $ldap_search_string = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_search_string&#39;);<br>                            $ldap_search_string =~ s/username/$username/g;<br><br>                            my $ldap_default_email = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_default_email&#39;);<br>                            my $ldap_default_country = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_default_country&#39;);                                         <br>                            my $ldap_default_org = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_default_org&#39;);<br>                            my $ldap_conforms_supann = $session-&gt;get_archive()-&gt;get_conf(&#39;ldap_conforms_supann&#39;);<br><br>                            eval &quot;use Net::LDAP;&quot;;<br>                            die &quot;Cannot load Net::LDAP: $@&quot; if $@;<br><br>                            # Connexion au serveur LDAP<br>                            my $ldap = Net::LDAP-&gt;new( $ldap_host ) or die &quot;$@&quot;;<br>                            my $mesg = $ldap-&gt;bind ( $ldap_bind_user, password =&gt; $ldap_bind_pass, version =&gt; $ldap_version, );<br><br>                            # Recherche de l&#39;utilisateur<br>                            my $result = $ldap-&gt;search(    base =&gt; $ldap_base, scope =&gt; $ldap_scope, filter =&gt; $ldap_search_string, );<br><br>                            # Utiliser seulement la première entrée<br>                            my @entries = $result-&gt;entries();<br>                            if (defined (my $ldap_entry = $entries[0])) {<br>                                # Attribuer le type de l&#39;utilisateur<br>                                my $usertype = &quot;user&quot;;<br>                                my $user = EPrints::DataObj::User::create( $session, $usertype );<br><br>                                # Attribuer le nom de l&#39;utilisateur<br>                                $user-&gt;set_value( &quot;username&quot; , $username );<br>                                my $name = {};<br>                                $name-&gt;{family} = $ldap_entry-&gt;get_value( &quot;sn&quot; );<br>                                $name-&gt;{given} = $ldap_entry-&gt;get_value( &quot;givenName&quot; );<br>                                $user-&gt;set_value(&quot;name&quot;, $name );<br><br>                                # Attribuer l&#39;Email<br>                                my $email = defined $ldap_entry-&gt;get_value(&quot;mail&quot;)<br>                                    ? $ldap_entry-&gt;get_value(&quot;mail&quot;) : $ldap_default_email;<br>                                    $user-&gt;set_value(&quot;email&quot;, $email);<br><br>                                if ( $ldap_conforms_supann ){<br>                                    $user-&gt;set_value(&quot;org&quot;, $ldap_entry-&gt;get_value(&quot;supannEtablissement&quot;));<br>                                }<br>                                else {<br>                                    $user-&gt;set_value(&quot;org&quot;, $ldap_default_org);<br>                                }<br><br>                                # Attribuer l&#39;adresse de l&#39;utilisateur<br>                                my $address = $ldap_entry-&gt;get_value(&quot;postalAddress&quot;)<br>                                    . &quot;\n&quot;<br>                                    . $ldap_entry-&gt;get_value(&quot;postalCode&quot;)<br>                                    . &quot; &quot;<br>                                    . $ldap_entry-&gt;get_value(&quot;l&quot;);<br>                                $user-&gt;set_value(&quot;address&quot;, $address);<br>                                $user-&gt;set_value(&quot;country&quot;, $ldap_default_country);<br><br>                                # Attribuer L&#39;URL<br>                                $user-&gt;set_value(&quot;url&quot;, $ldap_entry-&gt;get_value(&quot;labeledURI&quot;));<br>                                <br>                                # Enregistrement des infos utilisateurs<br>                                $user-&gt;commit();<br>                  <br>                                $self-&gt;{current_user} = $user;<br>                            }<br>                        }    <br>                    }<br>                }<br>            }<br>            else {<br>                $self-&gt;{current_user} = $self-&gt;_current_user_auth_cookie;<br>            }<br>        }<br>        else {<br>            $self-&gt;{current_user} = $self-&gt;_current_user_auth_basic;<br>        }<br>    }<br>    return $self-&gt;{current_user};<br>}</span><br></span><span style="font-family:monospace"></span></div><div><div><div><div><div><br><br></div><div>I have used a second method for the CAS Auth, using the mod_auth_cas, but it also doesn&#39;t work :<br></div><div>in <b>mod_cas.conf</b> :<br><span style="font-family:monospace">&lt;IfModule mod_auth_cas.c&gt;<br>CASVersion 2<br>CASDebug On<br>CASValidateServer Off<br>CASLoginURL https://[myCasHOST]/login<br>CASValidateURL https://</span><span style="font-family:monospace"><span style="font-family:monospace">[myCasHOST]</span>/serviceValidate<br>CASCookiePath /var/cache/apache2/mod_auth_cas/<br>&lt;/IfModule&gt;</span><br><br></div><div>in <b>apachevhost.conf</b><br><span style="font-family:monospace">&lt;Directory &quot;/opt/eprints3/cgi/cas&quot;&gt;<br>AuthType CAS<br>require valid-user<br>&lt;/Directory&gt;</span><br><br></div><div>in <b>archives/&lt;archiveId&gt;/cfg/cfg.d/<a href="http://cas.pl">cas.pl</a></b><br></div><div><span style="font-family:monospace">$c-&gt;{get_login_url} = sub {<br>    my( $session, $target ) = @_;<br>    my $uri = $session-&gt;get_request-&gt;uri;<br>    if( defined $uri &amp;&amp; $uri eq &#39;/cgi/users/login&#39; ){<br>        return undef;<br>    }<br>    my $url = URI-&gt;new( $session-&gt;get_repository-&gt;get_conf( &quot;http_url&quot; ) . &quot;/cgi/cas/login&quot; );<br>    $url-&gt;query_form( target =&gt; $target );<br>    return &quot;$url&quot;;<br>};<br><br>$c-&gt;{on_logout} = sub {<br>    my( $session ) = @_;<br>    my $username = &#39;&#39;;<br>    $username = $session-&gt;current_user-&gt;get_value( &quot;username&quot; ) if( defined $session-&gt;current_user );<br>    # redirect to CAS logout<br>    $session-&gt;redirect( &quot;https://&lt;myCasHOST&gt;/cas/logout&quot; ) unless( $username eq &#39;admin&#39; );<br>}</span><br><br></div><div>in <b>cgi/cas/login</b><br><span style="font-family:monospace">use EPrints;<br>use strict;<br>my $session = new EPrints::Session;<br>exit( 0 ) unless( defined $session );<br>my $page=$session-&gt;make_doc_fragment();<br>if( $session-&gt;get_repository-&gt;can_call( &#39;on_logout&#39; ) ){<br>    $session-&gt;get_repository-&gt;call( &#39;on_logout&#39;, $session );<br>}<br><br># to allow CAS to work with local admin account:<br>my $username = &#39;&#39;;<br>$username = $session-&gt;current_user-&gt;get_value( &quot;username&quot; ) if(defined $session-&gt;current_user );<br>my $ticketid = EPrints::Apache::AnApache::cookie( $session-&gt;get_request, &quot;eprints_session&quot; );<br>my $dataset = $session-&gt;get_repository-&gt;get_dataset( &quot;loginticket&quot; );<br>$session-&gt;get_database-&gt;delete_from(<br>    $dataset-&gt;get_sql_table_name(),<br>    [&quot;code&quot;],<br>    [$ticketid],<br>);<br>$session-&gt;logout;<br><br># to allow CAS logout to work<br>exit unless($username eq &#39;admin&#39;);;<br>$page-&gt;appendChild( $session-&gt;render_message(<br>    &quot;message&quot;,<br>    $session-&gt;make_text( &quot;Logout OK!&quot; ) ) );<br>$page-&gt;appendChild( $session-&gt;html_phrase( &quot;general:frontpage_link&quot; ) );<br>my $title = $session-&gt;make_text( &quot;Logout&quot; );<br>$session-&gt;build_page( $title, $page, &quot;login&quot; );<br>$session-&gt;send_page();<br>$session-&gt;terminate;<br>exit;</span><br><br></div><div>Hoping to have an answer soon...<br><br></div><div>Thank you<br><br></div><div>Matthieu<br></div></div></div></div></div></div>