Puppet Class: apache::mod::auth_cas

Inherits:
apache::params
Defined in:
manifests/mod/auth_cas.pp

Summary

Installs and configures `mod_auth_cas`.

Overview

Note:

The auth_cas module isn't available on RH/CentOS without the dependency packages provided by EPEL.

Parameters:

  • cas_login_url (String)

    Sets the URL to which the module redirects users when they attempt to access a CAS-protected resource and don’t have an active session.

  • cas_validate_url (String)

    Sets the URL to use when validating a client-presented ticket in an HTTP query string.

  • cas_cookie_path (String) (defaults to: $apache::params::cas_cookie_path)

    Sets the location where information on the current session should be stored. This should be writable by the web server only.

  • cas_cookie_path_mode (Stdlib::Filemode) (defaults to: '0750')

    The mode of cas_cookie_path.

  • cas_version (Integer) (defaults to: 2)

    The version of the CAS protocol to adhere to.

  • cas_debug (String) (defaults to: 'Off')

    Whether to enable or disable debug mode.

  • cas_validate_server (Optional[String]) (defaults to: undef)

    Whether to validate the presented certificate. This has been deprecated and removed from Version 1.1-RC1 onward.

  • cas_validate_depth (Optional[String]) (defaults to: undef)

    The maximum depth for chained certificate validation.

  • cas_certificate_path (Optional[String]) (defaults to: undef)

    The path to the certificate.

  • cas_proxy_validate_url (Optional[String]) (defaults to: undef)

    The URL to use when performing a proxy validation.

  • cas_root_proxied_as (Optional[String]) (defaults to: undef)

    Sets the URL end users see when access to this Apache server is proxied per vhost. This URL should not include a trailing slash.

  • cas_cookie_entropy (Optional[String]) (defaults to: undef)

    When creating a local session, this many random bytes are used to create a unique session identifier.

  • cas_timeout (Optional[Integer[0]]) (defaults to: undef)

    The hard limit, in seconds, for a mod_auth_cas session.

  • cas_idle_timeout (Optional[Integer[0]]) (defaults to: undef)

    The limit, in seconds, of how long a mod_auth_cas session can be idle.

  • cas_cache_clean_interval (Optional[String]) (defaults to: undef)

    The minimum amount of time that must pass between cache cleanings.

  • cas_cookie_domain (Optional[String]) (defaults to: undef)

    The value for the ‘Domain=’ parameter in the Set-Cookie header.

  • cas_cookie_http_only (Optional[String]) (defaults to: undef)

    Setting this flag prevents the mod_auth_cas cookies from being accessed by client-side JavaScript.

  • cas_authoritative (Optional[String]) (defaults to: undef)

    Determines whether an optional authorization directive is authoritative and thus binding.

  • cas_validate_saml (Optional[String]) (defaults to: undef)

    Parse response from CAS server for SAML.

  • cas_sso_enabled (Optional[String]) (defaults to: undef)

    Enables experimental support for single sign out (may mangle POST data).

  • cas_attribute_prefix (Optional[String]) (defaults to: undef)

    When SAML validation is enabled, adds a header whose value is the attribute values.

  • cas_attribute_delimiter (Optional[String]) (defaults to: undef)

    Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`.

  • cas_scrub_request_headers (Optional[String]) (defaults to: undef)

    Remove inbound request headers that may have special meaning within mod_auth_cas.

  • suppress_warning (Boolean) (defaults to: false)

    Suppresses the warning about being on RedHat (the mod_auth_cas package is now available in the epel-testing repo).

See Also:



# File 'manifests/mod/auth_cas.pp', line 87

class apache::mod::auth_cas (
  String $cas_login_url,
  String $cas_validate_url,
  String $cas_cookie_path                     = $apache::params::cas_cookie_path,
  Stdlib::Filemode $cas_cookie_path_mode      = '0750',
  Integer $cas_version                        = 2,
  String $cas_debug                           = 'Off',
  Optional[String] $cas_validate_server       = undef,
  Optional[String] $cas_validate_depth        = undef,
  Optional[String] $cas_certificate_path      = undef,
  Optional[String] $cas_proxy_validate_url    = undef,
  Optional[String] $cas_root_proxied_as       = undef,
  Optional[String] $cas_cookie_entropy        = undef,
  Optional[Integer[0]] $cas_timeout           = undef,
  Optional[Integer[0]] $cas_idle_timeout      = undef,
  Optional[String] $cas_cache_clean_interval  = undef,
  Optional[String] $cas_cookie_domain         = undef,
  Optional[String] $cas_cookie_http_only      = undef,
  Optional[String] $cas_authoritative         = undef,
  Optional[String] $cas_validate_saml         = undef,
  Optional[String] $cas_sso_enabled           = undef,
  Optional[String] $cas_attribute_prefix      = undef,
  Optional[String] $cas_attribute_delimiter   = undef,
  Optional[String] $cas_scrub_request_headers = undef,
  Boolean $suppress_warning                   = false,
) inherits apache::params {
  # Purpose: load mod_auth_cas, create its session store directory and render
  # its configuration file from the apache/mod/auth_cas.conf.epp template.
  # Parameter documentation lives in the puppet-strings header above this class.
  #
  # A warning only, not a failure: the package may come from an additional
  # repository, and $suppress_warning silences the message in that case.
  if $facts['os']['family'] == 'RedHat' and ! $suppress_warning {
    warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.')
  }

  include apache
  # NOTE(review): authn_core is included alongside auth_cas; presumably a
  # runtime dependency of mod_auth_cas -- confirm against the module docs.
  include apache::mod::authn_core
  ::apache::mod { 'auth_cas': }

  # Session store directory, owned by the Apache user/group with
  # $cas_cookie_path_mode (0750 by default, so other users get no access).
  # Ordered before the config file that points mod_auth_cas at it.
  file { $cas_cookie_path:
    ensure => directory,
    before => File['auth_cas.conf'],
    mode   => $cas_cookie_path_mode,
    owner  => $apache::user,
    group  => $apache::group,
  }

  # Values handed to the EPP template. Optional parameters left at undef are
  # passed through as undef; which directives the template then emits is
  # decided in the template, not here.
  # NOTE(review): cas_cookie_http_only, cas_validate_server and
  # cas_validate_depth all default to undef, so the HttpOnly flag and
  # certificate-validation settings are whatever the template and
  # mod_auth_cas defaults give -- confirm before relying on them.
  $parameters = {
    'cas_cookie_path'           => $cas_cookie_path,
    'cas_login_url'             => $cas_login_url,
    'cas_validate_url'          => $cas_validate_url,
    'cas_version'               => $cas_version,
    'cas_debug'                 => $cas_debug,
    'cas_certificate_path'      => $cas_certificate_path,
    'cas_proxy_validate_url'    => $cas_proxy_validate_url,
    'cas_validate_server'       => $cas_validate_server,
    'cas_validate_depth'        => $cas_validate_depth,
    'cas_root_proxied_as'       => $cas_root_proxied_as,
    'cas_cookie_entropy'        => $cas_cookie_entropy,
    'cas_timeout'               => $cas_timeout,
    'cas_idle_timeout'          => $cas_idle_timeout,
    'cas_cache_clean_interval'  => $cas_cache_clean_interval,
    'cas_cookie_domain'         => $cas_cookie_domain,
    'cas_cookie_http_only'      => $cas_cookie_http_only,
    'cas_authoritative'         => $cas_authoritative,
    'cas_sso_enabled'           => $cas_sso_enabled,
    'cas_validate_saml'         => $cas_validate_saml,
    'cas_attribute_prefix'      => $cas_attribute_prefix,
    'cas_attribute_delimiter'   => $cas_attribute_delimiter,
    'cas_scrub_request_headers' => $cas_scrub_request_headers,
  }

  # Template uses
  # - All variables beginning with cas_
  #
  # Rendered into $apache::mod_dir with the module-wide $apache::file_mode.
  # The mod_dir Exec must have run first; the file is also ordered before
  # File[$apache::mod_dir], and a content change notifies Class['Apache::Service'].
  file { 'auth_cas.conf':
    ensure  => file,
    path    => "${apache::mod_dir}/auth_cas.conf",
    mode    => $apache::file_mode,
    content => epp('apache/mod/auth_cas.conf.epp', $parameters),
    require => [Exec["mkdir ${apache::mod_dir}"],],
    before  => File[$apache::mod_dir],
    notify  => Class['Apache::Service'],
  }
}