Voici ce que j'ai dans config.php :
// --- CAS authentication ----------------------------------------------------
$casEnabled = true;                  // admin.php includes the CAS login check when true
$casAuthServer = 'cas.domaine.fr';   // CAS server host name (no scheme, no port)

// Settings read by mon_login_check_cas.php (note the different variable names).
$casAuthServerPort = 443;            // HTTPS port of the CAS server
$casAuthServerURI = '/cas';          // base URI of the CAS server
// NOTE(review): placeholder value; the CAS client works out the service URL by itself and the
// login-check listing does not read this variable.
$casAuthServiceURI = 'serviceUri';

// Older names, not read by mon_login_check_cas.php.
// NOTE(review): the service URL below is plain http://; if it is used anywhere, the CAS ticket
// is returned to LimeSurvey in clear text — prefer an https:// service URL.
$casAuthPort = 443;
$casAuthUri = '/cas/login?service=http://limesurvey.domaine.fr/admin';
Dans admin/admin.php :
// Choose the login check: CAS single sign-on when enabled in config.php, LimeSurvey's own
// login form otherwise.  ($x == true is just a truthiness test, so the bare variable is equivalent.)
if ($casEnabled) {
    include_once('mon_login_check_cas.php');
} else {
    include_once('login_check.php');
}
Et dans admin/mon_login_check_cas.php (le fichier inclus par admin.php ci-dessus) :
<?php
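if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
if (!isset($action)) {$action=returnglobal('action');}
openlog('phpCAS', LOG_NDELAY, LOG_LOCAL0);
// The CAS client is needed for the whole script.  _init_cas_lib() is also the single place that
// decides how the CAS server's TLS certificate is checked during ticket validation.
_init_cas_lib();
// empty() covers both "never set" and "set to a false-like value", which is what the original
// !isset(...) || ... == FALSE test expressed.
if (empty($_SESSION['CASauthenticated']))
{
    if (phpCAS::isAuthenticated())
    {
        // NOTE(review): this file is included by admin.php, so the assignment below overwrites the
        // includer's $action with the GET value (FALSE when absent).  Kept as in the original; check
        // whether admin.php relies on it before removing.  The query string that used to be rebuilt
        // here fed a redirect that is disabled, so it is gone.
        $action = getGet('action');
        // setUserRightsCas() dies when the CAS user is not in the LimeSurvey users table, so the
        // session is only marked CAS-authenticated for known users.
        setUserRightsCas(phpCAS::getUser());
        $_SESSION['CASauthenticated'] = TRUE;
        // Back to the including script (admin.php).
        return 0;
    }
    // A logout request from someone who is not logged in: nothing to do.
    // Strict comparison; the original used == here.
    if ($action === 'logout')
        die('You have to be logged in before to be logged out.');
    // No valid ticket: send the browser to the CAS server.  The service ticket it comes back with
    // is validated on the next request, by phpCAS::isAuthenticated() above.
    // The setNoCasServerValidation() call that used to precede this line is dropped on purpose:
    // the validation mode is configured once in _init_cas_lib() and must not be overridden here,
    // otherwise certificate checks would be silently disabled again on every login redirect.
    phpCAS::forceAuthentication();
}
else
{
    syslog(LOG_DEBUG, "Exiting CAS management");
}
// Already CAS-authenticated and asked to log out: drop the local session first, then the CAS one.
if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'logout')
{
    session_destroy();
    session_write_close();
    phpCAS::logout();
}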
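function _init_cas_lib()
{
    // Loads phpCAS and the LimeSurvey configuration (config-defaults.php includes config.php),
    // then creates the CAS 2.0 client.  Dies when $casAuthServer is not configured.  Returns 0.
    require_once('classes/phpCAS/CAS.php');
    require_once('../config-defaults.php');
    // $casAuthDebug was missing from this list, so the configured value was never seen inside
    // this function (it was always FALSE here).  $casAuthServerCACert is a new, optional setting:
    // path to the PEM CA bundle used to verify the CAS server's TLS certificate.
    global $casAuthServer, $casAuthServerPort, $casAuthServerURI, $casAuthServiceURI,
           $casAuthDebug, $casAuthServerCACert;
    if (empty($casAuthServer))
        die('CAS server is not defined. Set $casAuthServer in config-defaults.php');
    if (empty($casAuthServerPort))
        $casAuthServerPort = 443;
    if (empty($casAuthServerURI))
        $casAuthServerURI = '/';
    if (empty($casAuthDebug))
        $casAuthDebug = FALSE;
    // A writable file path sends the phpCAS trace to that file; any other truthy value uses the
    // phpCAS default trace file.  (The original tested the value with == TRUE first, which is true
    // for every non-empty string, so a configured path was silently ignored.)
    if (is_string($casAuthDebug) && is_writeable($casAuthDebug))
    {
        phpCAS::setDebug($casAuthDebug);
    }
    elseif ($casAuthDebug)
    {
        phpCAS::setDebug();
    }
    // LimeSurvey has already started the session, hence the trailing false (no session start).
    phpCAS::client(CAS_VERSION_2_0, $casAuthServer, $casAuthServerPort, $casAuthServerURI, false);
    // Ticket validation is an HTTPS request to the CAS server.  Without certificate verification,
    // anyone who can put themselves between this host and the CAS server can answer "valid" for
    // any ticket and pick the user name, i.e. bypass authentication entirely.  Verify the server
    // certificate whenever a CA bundle is configured; only fall back to the insecure mode (with a
    // syslog warning) when it is not, so existing deployments keep working until they set it.
    if (!empty($casAuthServerCACert))
    {
        phpCAS::setCasServerCACert($casAuthServerCACert);
    }
    else
    {
        syslog(LOG_WARNING, 'CAS server certificate validation is DISABLED; set $casAuthServerCACert to a CA bundle path');
        phpCAS::setNoCasServerValidation();
    }
    return 0;
}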
function getGet($var)
{
    // Returns $_GET[$var], or FALSE when that parameter is absent.
    // The special value "all" is accepted for compatibility but yields NULL: the original looped
    // over $_GET and returned nothing in every case.  Loose comparison kept on purpose, because
    // the original dispatched through switch(), which compares with ==.
    if ($var == "all")
    {
        return NULL;
    }
    $present = isset($_GET["$var"]);
    return $present ? $_GET["$var"] : FALSE;
}
function verifyTicket($ticket)
{
    // Thin wrapper handing a service ticket to phpCAS for validation and returning its result.
    // Not called by the live code in this file; only the commented-out verifyToken() refers to it.
    $validation = phpCAS::validateST($ticket);
    return $validation;
}
#function verifyToken($token) {
# global $singleSignOnService, $singleSignOnSharedSecret;
#
# // check the configuration options in LocalSettings.php
# //QISSingleSignOn::checkConfiguration();
#
# //echo ('QISSingleSignOn: token:'.htmlspecialchars($token));
// prepare token
# $tokens = explode('/', $token, 4);
# if ((count($tokens) != 4) or (strpos($tokens[3], '/') === false)) {
# echo ('QISSingleSignOn: Token incomplete:'.htmlspecialchars($token));
# return null;
# }
// find the _last_ '/' to split username and hash as the username may include '/'-chars.
# $temp_pos = strrpos($tokens[3], '/');
# $tokens[4] = substr($tokens[3], $temp_pos + 1);
# $tokens[3] = substr($tokens[3], 0, $temp_pos);
// check version
# if ($tokens[0] != '1.0') {
# echo ('QISSingleSignOn: Unknown version:'.htmlspecialchars($tokens));
# return null;
# }
// check time
# $currentTime = microtime();
# $currentTime = substr($currentTime, strpos($currentTime, ' '));
# if (intval($tokens[1]) > intval($currentTime) + 60) {
# echo ('QISSingleSignOn: Token was created in the future (Check your clocks):'.htmlspecialchars($token));
# return null;
# }
# if (intval($tokens[1]) + 60 < intval($currentTime)) {
# echo ('QISSingleSignOn: Token expired:'.htmlspecialchars($token));
# return null;
# }
// check service name
# if ($tokens[2] != $singleSignOnService) {
# echo ('QISSingleSignOn: Wrong service:'.htmlspecialchars($token));
# return null;
# }
// check username name (using Title::newFormText as in User::newFromName)
# $userinfo = explode('/', urldecode($tokens[3]));
// Andere Methode wie bei tokens: find the _last_ '/' to split username and hash as the username may include '/'-chars.
// $temp_pos = strrpos($tokens[3], '/');
// $userinfo[1] = substr($tokens[3], $temp_pos + 1);
// $userinfo[0] = substr($tokens[3], 0, $temp_pos);
// echo ('QISSingleSignOn: userinfo-0:'.$userinfo[0]."\n");
// echo ('QISSingleSignOn: userinfo-1:'.$userinfo[1]."\n");
//$t = Title::newFromText($userinfo[0]);
# $user = $userinfo[0];
# if ($user == null) {
# echo ('QISSingleSignOn: Invalid character in user name: '.htmlspecialchars($userinfo[0]));
# return null;
# }
// check hash
# $toHash = $tokens[0].'/'.$tokens[1].'/'.$tokens[2].'/'.$tokens[3].'/'.$singleSignOnSharedSecret;
# $hash = md5($toHash);
# if ($hash != $tokens[4]) {
# echo ('QISSingleSignOn: Hash verification failed:'.htmlspecialchars($token).' Should be: ' . $hash);
# return null;
# }
// copy _ridlist to session for WikiRights (if present)
# if (count($userinfo) > -1) {
//session_start();
# setUserRightsCas($user, $user);
//$_SESSION['_ridlist'] = $userinfo[1];
# }
// welcome, you passed all tests.
# return $user;
#}
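function setUserRightsCas($user, $role="")
{
    // Builds the LimeSurvey admin session for a user the CAS server has just authenticated.
    //
    // @param string $user  user name asserted by CAS (phpCAS::getUser()).  Authentication is the
    //                      CAS server's job; this function does the authorisation step by requiring
    //                      the user to exist in the LimeSurvey users table.
    // @param string $role  unused; kept so existing callers (the commented-out verifyToken() passes
    //                      a second argument) still work.
    // Dies after mailing the administrator when the user is unknown, so a caller only gets past
    // this call for known users.
    global $dbprefix;
    include_once("../config-defaults.php");
    // Table prefix from the configuration instead of a hard-coded "lime_", and the user name as a
    // bind value rather than string-built SQL: it comes from an external system and may contain
    // quotes (O'Brien) or anything else the CAS server accepts in a login.
    // NOTE(review): assumes db_execute_assoc() forwards its second argument to ADOdb Execute() as
    // bind values for the "?" placeholder — confirm for this LimeSurvey version.
    $sql = 'SELECT * FROM ' . $dbprefix . 'users WHERE users_name = ?';
    $db_set = db_execute_assoc($sql, array($user));
    // A failed query (false instead of a recordset) is treated like an unknown user rather than a
    // fatal error on a method call.
    $uid = $db_set ? $db_set->Fields('uid') : false;
    if (!$uid)
    {
        mail('limesurvey@domaine.fr', '[limesurvey.domaine.fr] Tentative de connexion d\'un utilisateur non autorisé.', 'L\'utilisateur ' . $user . ' a tenté de se connecter sans être inscrit dans la base des utilisateurs de LimeSurvey.', "From: limesurvey@domaine.fr\r\nContent-Type: text/plain; charset=utf-8\r\n");
        die('Vous devez auparavant contacter l\'administrateur (limesurvey@domaine.fr) avant de pouvoir accèder à l\'interface d\'administration de LimeSurvey.');
    }
    // NOTE(review): consider session_regenerate_id() at this point (session fixation), after
    // checking whether phpCAS's single-logout handling depends on the current session id.
    $_SESSION['user'] = $user;
    $_SESSION['loginID'] = $uid;
    $_SESSION['dateformat'] = $db_set->Fields('dateformat');
    $_SESSION['adminlang'] = $db_set->Fields('lang');
    $_SESSION['htmleditormode'] = $db_set->Fields('htmleditormode');
    // Per-session token LimeSurvey checks on admin POSTs.
    $_SESSION['checksessionpost'] = sRandomChars(10);
    $_SESSION['pw_notify']=false;
    // Rights come straight from the users row; nothing is granted that is not stored in the table.
    $_SESSION['USER_RIGHT_CREATE_SURVEY'] = $db_set->Fields('create_survey');
    $_SESSION['USER_RIGHT_CONFIGURATOR'] = $db_set->Fields('configurator');
    $_SESSION['USER_RIGHT_CREATE_USER'] = $db_set->Fields('create_user');
    $_SESSION['USER_RIGHT_DELETE_USER'] = $db_set->Fields('delete_user');
    $_SESSION['USER_RIGHT_SUPERADMIN'] = $db_set->Fields('superadmin');
    $_SESSION['USER_RIGHT_MANAGE_TEMPLATE'] = $db_set->Fields('manage_template');
    $_SESSION['USER_RIGHT_MANAGE_LABEL'] = $db_set->Fields('manage_label');
}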
// Closes the syslog connection opened near the top of this file (openlog('phpCAS', ...)).
// Not reached when an earlier statement died, returned to the includer, or phpCAS redirected.
closelog();
Il faut que l'extension PHP curl soit installée : phpCAS s'en sert pour valider le ticket auprès du serveur CAS (sinon on a une page blanche).
Ça marche sur notre LS en version 1.91+.
Cordialement,
Alain Fréhel