Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?


Bryan K. Walton

Jan 24, 2017, 8:45:42 AM
to cas-...@apereo.org
I hope I'm not double posting here. If so, I apologize, I first sent this to
the google groups address for cas-community, rather than to the cas-user
email address.

We have a mod_auth_cas implementation running on Red Hat 7 server. We
have an application authenticating against a CAS server where the
majority of users are passed to the application in uppercase.

However, that same CAS server passes some users in lowercase. Is there
a way in mod_auth_cas to convert all usernames to either uppercase or
lowercase, overriding what the CAS authentication server sends?

The application is making use of the REMOTE_USER variable.

Thanks!
Bryan

Chris Cheltenham

Jan 24, 2017, 9:20:45 AM
to cas-...@apereo.org
Bryan,

That is interesting. We have a similar situation where when using Red Hat 5, mod_auth_cas 1.0.9 would successfully pass the REMOTE_USER variable.
However, when we switched to Red Hat 7 using mod_auth_cas 1.1 the application is NOT picking up the REMOTE_USER variable.

My question is, how do you know the variable is being passed in lower case?
Do you see it in tcpdump or something similar?
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20170124134546.GC15928%40iridonia.inside.leepfrog.com.

yogesh munjal

Jan 24, 2017, 11:00:33 AM
to CAS Community
You can change the CAS login page and use JavaScript to convert to uppercase.

Regards
Yogesh

Bryan K. Walton

Jan 24, 2017, 1:07:17 PM
to cas-...@apereo.org
Hi Chris,

When we look at the request logs in our application, we see the REMOTE_USER variable. For some users, they come across in all upper case, for others, they come across in all lower case. And it doesn't matter whether the person authenticates to the CAS server in upper case or lowercase. The variable seems to be set by the CAS server.

-Bryan

--
Bryan K. Walton 319-337-3877
Linux Systems Administrator Leepfrog Technologies, Inc

Chris Cheltenham

Jan 24, 2017, 1:39:22 PM
to cas-...@apereo.org
I see, thanks.

Would this be the cause of why REMOTE_USER is not working?

2017-01-24 13:26:18,563 INFO [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Initial principal "ccheltenham" was not found in LDAP, returning null>

Chris Cheltenham

Jan 24, 2017, 2:18:04 PM
to cas-...@apereo.org, Pathe Sow, David Lawson
Hello All,

I did not find anything in the CAS or tomcat6 logs.

All I can see is this from the tcpdump below.

Does this mean anything to anyone?

I am not well versed in network protocol nor dump analysis.

I am wondering if mod_auth_cas 1.1 is passing the variable correctly in the first place.



root@test-ba:/home/chrisc > tcpdump -qns 0 -A -r app-remote_user.pcap | grep USER
reading from file app-remote_user.pcap, link-type EN10MB (Ethernet)
<name xsi:type="xsd:string">HTTP_USER_AGENT</name>
<name xsi:type="xsd:string">REMOTE_USER</name>
.......N...............select o.CMID,p0.USERCAPABILITY from CMOBJECTS o left outer join CMOBJPROPS17 p0 on o.CMID=p0.CMID where o.CMID in (:1 ,:2 ,:3 ,:4 ,:5 ,:6 ,:7 ,:8 ,:9 ,:10 ,:11 ,:12 ,:13 ,:14 ,:15 ,:16 ,:17 ,:18 ,:19 ,:20 ,:21 ,:22 ,:23 ,:24 ,:25 ,:26 ,:27 ,:28 ,:29 ,:30 ,:31 ,:32 ,:33 ,:34 ,:35 ,:36 ,:37 ,:38 ,:39 ,:40 ,:41 ,:42 ,:43 ,:44 ,:45 ,:46 ,:47 ,:48 ,:49 ,:50 ,:51 ,:52 ,:53 ,:54 ,:55 ,:56 ,:57 ,:58 ,:59 ,:60 ,:61 ,:62 ,:63 ,:64 ,:65 ,:66 ,:67 ,:68 ,:69 ,:70 ,:71 ,:72 ,:73 ,:74 ,:75 ,:76 ,:77 ,:78 )...........................i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..............i..
...............CMID......................USERCAPABILITY........xu....".....
var g_PS_USER_productLocale = "en";
root@test-ba:/home/chrisc >



Chris Cheltenham

Jan 24, 2017, 2:50:40 PM
to David Lawson, cas-...@apereo.org, Pathe Sow
Certainly ...


2017-01-24 14:06:30,503 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: ccheltenham]>
2017-01-24 14:06:30,550 INFO [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Initial principal "ccheltenham" was not found in LDAP, returning null>
2017-01-24 14:06:30,550 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal null>
2017-01-24 14:06:30,551 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal ccheltenham>
2017-01-24 14:06:30,551 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@1b89da7e authenticated ccheltenham with credential [username: ccheltenham].>
2017-01-24 14:06:30,551 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ccheltenham]
WHAT: supplied credentials: [username: ccheltenham]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 24 14:06:30 EST 2017
CLIENT IP ADDRESS: 10.153.111.228
SERVER IP ADDRESS: 10.153.111.217
=============================================================

>
2017-01-24 14:06:30,551 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ccheltenham]
WHAT: TGT-88-cc1EzA3nuAx2XlfxmcQ5WHoPJvPpUHfPW3ArlV7sat67X7SgN6-test-ba.dcis.hhs.gov
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 24 14:06:30 EST 2017
CLIENT IP ADDRESS: 10.153.111.228
SERVER IP ADDRESS: 10.153.111.217
=============================================================
-----Original Message-----
From: David Lawson
Sent: Tuesday, January 24, 2017 2:41 PM
To: Chris Cheltenham
Cc: cas-...@apereo.org; Pathe Sow
Subject: Re: [cas-user] Converting REMOTE_USER variable to all lower/upper case in mod_auth_cas v. 1.1?

Can I get a few lines in each side of those lines?

Thx. Good stuff

Chris Cheltenham

Jan 24, 2017, 4:19:50 PM
to cas-...@apereo.org
Bryan,

According to my tcpdump, mod_auth_cas is pushing REMOTE_USER no matter what we configure it to be.
So when we changed the behavior of the other side to EXPECT the REMOTE_USER variable, it worked.

The question for CAS folks is, Is that a bug?

Is it supposed to ignore the configured value in our mod_auth_cas.conf file?

I would think not.




David Hawes

Jan 24, 2017, 6:51:52 PM
to CAS Community
On 24 January 2017 at 08:45, Bryan K. Walton <bwa...@leepfrog.com> wrote:
...
> However, that same CAS server passes some users in lowercase. Is there
> a way in mod_auth_cas to convert all usernames to either uppercase or
> lowercase, overriding what the CAS authentication server sends?

There is no configuration option to do this in mod_auth_cas.

I would recommend changing the case on your CAS server or the
application that uses REMOTE_USER.

David Hawes

Jan 24, 2017, 8:55:58 PM
to CAS Community
On 24 January 2017 at 16:19, Chris Cheltenham
<cchel...@swaintechs.com> wrote:
> Bryan,
>
> According to my tcpdump, mod_auth_cas is pushing REMOTE_USER no matter what we configure it to be.
> So when we changed the behavior of the other side to EXPECT the REMOTE_USER variable, it worked.
>
> The question for CAS folks is, Is that a bug?
>
> Is it supposed to ignore the configured value in our mod_auth_cas.conf file?
>
> I would think not.

mod_auth_cas sets r->user which gets evaluated as REMOTE_USER. This is
something that can't be changed.

What does your configuration look like?

Chris Cheltenham

Jan 24, 2017, 9:43:36 PM
to cas-...@apereo.org

David,

I hope this clarifies things.

We upgraded RH5 apache 2.2.x web servers to RH7 apache 2.4.6 servers.

Mod_auth_cas for RHEL5 was 1.0.9

We had mod_auth_cas.conf have a number of config entries thusly:

  <Location /reports.php>
    Authtype CAS
    require valid-user
    CASAuthNHeader CAS_USER
  </Location>

This would block a script alias to IBM's Cognos Report server.

  ScriptAlias /reports/cgi-bin "/ibmcognos/cgi-bin"
  Alias /reports "/ibmcognos/webcontent"

  <Directory "/ibmcognos">
    Options Indexes MultiViews
    AuthType CAS
    Require valid-user
    Require all granted
  </Directory>

The script alias and mod_auth_cas.conf were simply ported from RH5 to RH7 verbatim.

You would authenticate through LDAP and it would pass CAS_USER variable from the LDAP login to Cognos.

In Cognos we configured it to accept the CAS_USER variable.

When we upgraded to RHEL7 / mod_auth_cas 1.1 / apache 2.4.6 this would not work.

However, it does work for all the other <location></location> configurations only blocking web pages on the local machine.

When I dumped the nic card text we saw REMOTE_USER was being passed so mod_auth_cas 1.1 was ignoring the CAS_USER configuration.

We changed Cognos to accept REMOTE_USER and it worked just fine.


David Hawes

Jan 25, 2017, 12:31:13 AM
to CAS Community
On 24 January 2017 at 21:43, Chris Cheltenham
<cchel...@swaintechs.com> wrote:
...
> <Location /reports.php>
>
> Authtype CAS
>
> require valid-user
>
> CASAuthNHeader CAS_USER
>
> </Location>

Try using CAS-USER here.

2.4 is more strict with headers.

See:

https://github.com/Jasig/mod_auth_cas/issues/49#issuecomment-55311020
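
The header strictness mentioned in the reply above, as an added illustration that is not part of the thread and not httpd or mod_auth_cas source: a simplified Python model of how httpd derives CGI variables from request header names, where 2.2 turned every non-alphanumeric character into `_` and 2.4 only accepts `-` and drops names containing anything else. The function names, the `jdoe` user and the sample request are constructed for the example.

```python
import string

_ALNUM = set(string.ascii_letters + string.digits)


def header_to_env_22(name):
    """httpd 2.2 behaviour: every non-alphanumeric character becomes '_'."""
    return "HTTP_" + "".join(c.upper() if c in _ALNUM else "_" for c in name)


def header_to_env_24(name):
    """httpd 2.4 behaviour: only '-' maps to '_'; a name containing any other
    non-alphanumeric character (such as '_') is not exported at all."""
    out = []
    for c in name:
        if c in _ALNUM:
            out.append(c.upper())
        elif c == "-":
            out.append("_")
        else:
            return None
    return "HTTP_" + "".join(out)


def cgi_env(headers, translate, remote_user):
    """Build the variables a CGI program (hypothetical backend) would see."""
    env = {"REMOTE_USER": remote_user}  # comes from r->user, not from a header
    for name, value in headers.items():
        key = translate(name)
        if key is not None:
            env[key] = value
    return env


def compare(header_name, user="jdoe"):
    """Constructed request: the auth module adds `header_name` for `user`."""
    headers = {"User-Agent": "demo", header_name: user}
    return (cgi_env(headers, header_to_env_22, user),
            cgi_env(headers, header_to_env_24, user))


if __name__ == "__main__":
    for name in ("CAS_USER", "CAS-USER"):
        old, new = compare(name)
        print(name, "2.2:", old.get("HTTP_CAS_USER"),
              "2.4:", new.get("HTTP_CAS_USER"))
```

In this model REMOTE_USER is present under both rules, while the underscore-named header only reaches the CGI program under the 2.2 rule; under that rule `CAS_USER` and `CAS-USER` also map to the same variable, which is the ambiguity the stricter 2.4 rule removes.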

Bryan K. Walton

Jan 25, 2017, 8:23:07 AM
to cas-...@apereo.org
OK, thanks. The CAS server isn't ours and we have no control over it or access to it. So, we will pursue from an application angle. One question, for you (or others). Looking at the following page:

https://httpd.apache.org/docs/current/expr.html

It appears that one might be able to use the REMOTE_USER variable in some kind of combination with the "tolower" function in an Apache expression to possibly convert the variable to all lowercase. But I can't seem to figure out if that is really possible, or how to implement that. Has anybody tried this?

Thanks,
Bryan

David Hawes

Jan 25, 2017, 12:17:04 PM
to CAS Community
I tried something like:

RewriteEngine On
RewriteMap uc int:toupper
RewriteRule ^ - [E=REMOTE_USER:${uc:%{LA-U:REMOTE_USER}},L]
LogLevel debug rewrite:trace6

I could see it uppercase the REMOTE_USER properly in the logs, but my
phpinfo() page did not reflect that. I expect there's something in the
auth flow that's writing it back, though I don't have time to trace it
right now.

If you're comfortable modifying source, this could of course be done
in the mod_auth_cas code. I can provide pointers if you'd like.

Bryan K. Walton

Jan 26, 2017, 9:26:02 AM
to cas-...@apereo.org
Thanks David!

I see the same thing in our Apache logs. I'll keep looking at this to see if I can figure out what is changing the case back.

Thanks
Bryan