
As the web2py documentation explains (http://web2py.com/books/default/chapter/29/09?#Central-Authentication-Service), a web2py installation already provides a CAS server, so no extra configuration is needed on that side. In this example the CAS provider (web2py) authenticates users against an LDAP server, and an Apache web server uses web2py to log users in.

We prepare the web2py provider to authenticate against LDAP. In this case:


We authenticate by username (not by email):

auth.define_tables(username=True, signature=False)


No new user group is created when a user is authenticated:



We disable all of these actions:

auth.settings.actions_disabled=['register','change_password','request_reset_password','retrieve_username', 'profile']


We add the LDAP configuration; allowed_groups limits logins to members of the ApacheGroup group in LDAP:

from gluon.contrib.login_methods.ldap_auth import ldap_auth

# Register LDAP as the login method for web2py's Auth.
# Port 636 is the LDAPS port; ldap_auth() also accepts secure=True to
# connect with ldaps:// (not shown on the original page).
auth.settings.login_methods = [
    ldap_auth(
        server='MY_LDAP_URL', port='636',
        allowed_groups = ["ApacheGroup"],
        group_dn = 'cn=groups,dc=mydomain,dc=com',
        group_name_attrib = 'cn',
        group_member_attrib = 'memberUid',
        group_filterstr = 'objectClass=*'
    )
]


The next step is to configure Apache as a consumer. In this case I use Ubuntu 11.10, so to install the module:

#apt-get install libapache2-mod-auth-cas


To load the module into Apache:

#a2enmod auth_cas


Now we need to configure our VirtualHost in Apache with CAS authentication, for example:

<VirtualHost *:80>
    ServerName MY_URL_TO_MY_WEB_PAGE
    DocumentRoot /var/www/MY_WEB_PAGE

    CASValidateServer off
    #CASAllowWildcardCert on
    CASCertificatePath  /etc/ssl/certs
    CASLoginURL         https://MY_CAS_PROVIDER.com/cas/default/user/cas/login
    CASValidateURL      https://MY_CAS_PROVIDER.com/cas/default/user/cas/serviceValidate

    <Directory />
        AuthType CAS
        require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>



If we use CAS version 1, we have to use:

CASValidateURL      https://MY_CAS_PROVIDER.com/cas/default/user/cas/validate

In our case Apache and web2py both use version 2 by default.


Now, if we open MY_URL_TO_MY_WEB_PAGE in the browser, Apache automatically redirects us to the CAS provider, which asks for a login. Once our username and password have been validated, the CAS provider redirects us back to MY_URL_TO_MY_WEB_PAGE (the service).
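The exchange just described (login redirect, ticket appended to the service URL, back-channel validation of that ticket) as an added example; this is not code from the original page, from web2py or from mod_auth_cas. The consumer-side functions model what mod_auth_cas does for the VirtualHost, TinyCasProvider stands in for web2py's cas login / validate / serviceValidate actions, and the URLs, usernames and ticket values are constructed for the demo. It also covers the CAS version 1 plain-text answer mentioned below for the validate URL.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Namespace used by CAS 2 XML responses (web2py's serviceValidate emits it as well).
CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)


# ---- consumer side: the role mod_auth_cas plays for the Apache VirtualHost ----

def login_redirect(cas_login_url, service):
    """Step 1: send the unauthenticated browser to CASLoginURL, naming the
    service URL (our page) it must be sent back to."""
    return cas_login_url + "?" + urlencode({"service": service})


def ticket_from_service_url(url):
    """Step 2: the provider redirects back to service?ticket=ST-...; extract it."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def validate_url(cas_validate_url, service, ticket):
    """Step 3: the back-channel request the consumer sends to CASValidateURL.
    'service' must be exactly the value used in step 1 or the provider refuses."""
    return cas_validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_response(body, version=2):
    """Return the authenticated username, or None if the ticket was rejected.
    CAS 1 (/validate) answers plain text: 'yes\\n<user>\\n' or 'no\\n'.
    CAS 2 (/serviceValidate) answers a cas:serviceResponse XML document."""
    if version == 1:
        lines = body.splitlines()
        return lines[1] if len(lines) >= 2 and lines[0] == "yes" else None
    root = ET.fromstring(body)
    user = root.find("{%s}authenticationSuccess/{%s}user" % (CAS_NS, CAS_NS))
    return user.text if user is not None else None


# ---- provider side: a stand-in for web2py's cas/login and cas/serviceValidate ----

class TinyCasProvider:
    """Issues one-time service tickets bound to (service, user). The user is
    assumed to be authenticated already (against LDAP in the page's setup)."""

    def __init__(self):
        self._tickets = {}

    def login(self, service, username):
        """Redirect URL the browser receives after a successful login."""
        ticket = "ST-" + secrets.token_urlsafe(16)   # constructed ticket format
        self._tickets[ticket] = (service, username)
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket})

    def _redeem(self, service, ticket):
        entry = self._tickets.pop(ticket, None)     # pop: a ticket validates once
        if entry is None or entry[0] != service:    # unknown, replayed, or wrong service
            return None
        return entry[1]

    def validate(self, service, ticket):
        """CAS 1 endpoint (.../cas/validate)."""
        user = self._redeem(service, ticket)
        return "yes\n%s\n" % user if user else "no\n"

    def service_validate(self, service, ticket):
        """CAS 2 endpoint (.../cas/serviceValidate)."""
        root = ET.Element("{%s}serviceResponse" % CAS_NS)
        user = self._redeem(service, ticket)
        if user is None:
            failure = ET.SubElement(root, "{%s}authenticationFailure" % CAS_NS,
                                    code="INVALID_TICKET")
            failure.text = "ticket not valid for this service"
        else:
            success = ET.SubElement(root, "{%s}authenticationSuccess" % CAS_NS)
            ET.SubElement(success, "{%s}user" % CAS_NS).text = user
        return ET.tostring(root, encoding="unicode")


def demo():
    """Run the exchange once with a good ticket, once replaying the same
    ticket, and once presenting a fresh ticket for a different service."""
    cas = TinyCasProvider()
    service = "http://MY_URL_TO_MY_WEB_PAGE/"            # placeholder from the page
    login_redirect("https://MY_CAS_PROVIDER.com/cas/default/user/cas/login", service)
    ticket = ticket_from_service_url(cas.login(service, "alice"))
    good = parse_validate_response(cas.service_validate(service, ticket))
    replay = parse_validate_response(cas.service_validate(service, ticket))
    other_ticket = ticket_from_service_url(cas.login(service, "bob"))
    other = parse_validate_response(cas.service_validate("http://other.example/", other_ticket))
    return good, replay, other


if __name__ == "__main__":
    print(demo())  # ('alice', None, None)
```

The provider side keeps the two properties that make a service ticket safe to pass through the browser's address bar: it is redeemed once, and only for the service it was issued to, so a ticket copied out of one site's URL cannot be replayed or presented on behalf of another service. Step 3 is the connection that CASValidateServer governs in the Apache configuration: with validation off, the consumer trusts whatever answers at CASValidateURL.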


In the configuration above we use CASValidateServer off. This means that mod_auth_cas will not check that the certificate presented by the server named in CASLoginURL (when CASLoginURL and CASValidateURL use SSL) is signed by a Certificate Authority found in CASCertificatePath, nor that the hostname matches the Common Name of the certificate; the consumer therefore cannot tell whether the validation answer really came from the CAS provider.


With CASValidateServer on, we may get this error:


MOD_AUTH_CAS: Certificate CN does not match MY_URL_TO_MY_WEB_PAGE


To resolve the issue we have to make sure our certificate is in CASCertificatePath (/etc/ssl/certs), so we copy it there. The CA certificates in this directory are looked up by the hash of the CA subject name, so we use the c_rehash utility to create the necessary links:


#cd /etc/ssl/certs
#c_rehash .


If you use wildcard certificates, enable the CASAllowWildcardCert option.

