CAS (Central Authentication Service) login for eGroupware

login.php

@@ -1,40 +1,92 @@
 <?php
-	/**************************************************************************\
-	* eGroupWare login                                                         *
-	* http://www.egroupware.org                                                *
-	* Originaly written by Dan Kuykendall <seek3r@phpgroupware.org>            *
-	*                      Joseph Engo    <jengo@phpgroupware.org>             *
-	* --------------------------------------------                             *
-	*  This program is free software; you can redistribute it and/or modify it *
-	*  under the terms of the GNU General Public License as published by the   *
-	*  Free Software Foundation; either version 2 of the License, or (at your  *
-	*  option) any later version.                                              *
-	\**************************************************************************/
+/**
+ * eGroupWare - Login
+ *
+ * @link http://www.egroupware.org
+ * @author Dan Kuykendall <seek3r@phpgroupware.org>
+ * @author Joseph Engo <jengo@phpgroupware.org>
+ * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+ * @package api
+ * @subpackage authentication
+ * @version $Id$
+ */
 
-	/* $Id$ */
+$submit = False;			// set to some initial value
 
-	$submit = False;			// set to some initial value
+$GLOBALS['egw_info'] = array('flags' => array(
+	'disable_Template_class'  => True,
+	'login'                   => True,
+	'currentapp'              => 'login',
+));
 
-	$GLOBALS['egw_info'] = array('flags' => array(
-		'disable_Template_class'  => True,
-		'login'                   => True,
-		'currentapp'              => 'login',
-	));
-
-	if(file_exists('./header.inc.php'))
-	{
-		include('./header.inc.php');
-		if(!function_exists('CreateObject'))
-		{
-			Header('Location: setup/index.php');
-			exit;
-		}
-	}
-	else
+if(file_exists('./header.inc.php'))
+{
+	include('./header.inc.php');
+	if(!function_exists('CreateObject'))
 	{
 		Header('Location: setup/index.php');
 		exit;
 	}
+}
+else
+{
+	Header('Location: setup/index.php');
+	exit;
+}
+
+// CAS :
+if($GLOBALS['egw_info']['server']['auth_type'] == 'cas')
+{
+	ob_end_clean();
+
+	require_once('CAS/CAS.php');
+
+	//phpCAS::setDebug('/var/log/log_phpcas.php');
+
+	if($GLOBALS['egw_info']['server']['cas_authentication_mode'] == 'Proxy')
+	{
+		phpCAS::proxy(CAS_VERSION_2_0,
+			$GLOBALS['egw_info']['server']['cas_server_host_name'],
+			(int) $GLOBALS['egw_info']['server']['cas_server_port'],
+			$GLOBALS['egw_info']['server']['cas_server_uri'] );
+	}
+	else
+	{
+		phpCAS::client(CAS_VERSION_2_0,
+			$GLOBALS['egw_info']['server']['cas_server_host_name'],
+			(int) $GLOBALS['egw_info']['server']['cas_server_port'],
+			$GLOBALS['egw_info']['server']['cas_server_uri'] );
+	}
+
+	if($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'PEMCertificate')
+	{
+		// Set the certificate of the CAS server (PEM Certificate)
+		phpCAS::setCasServerCert($GLOBALS['egw_info']['server']['cas_cert']);
+	}
+	elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'CACertificate')
+	{
+		// Set the CA certificate of the CAS server
+		phpCAS::setCasServerCACert($GLOBALS['egw_info']['server']['cas_cert']);
+	}
+	elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'No')
+	{
+		// no SSL validation for the CAS server
+		phpCAS::setNoCasServerValidation();
+	}
+
+	phpCAS::forceAuthentication();
+
+	ob_start();
+
+	$login = phpCAS::getUser();
+	$password = phpCAS::retrievePT("imap://".$GLOBALS['egw_info']['server']['mail_server'],$err_code,$output);
+	$GLOBALS['sessionid'] = $GLOBALS['egw']->session->create($login,$password,'text','u');
+
+	/* set auth_cookie */
+	$GLOBALS['egw']->redirect_link($forward,$extra_vars);
+}
+else
+{
 	$GLOBALS['egw_info']['server']['template_dir'] = EGW_SERVER_ROOT . '/phpgwapi/templates/' . $GLOBALS['egw_info']['login_template_set'];
 
 	// read the images from the login-template-set, not the (maybe not even set) users template-set
@@ -345,3 +397,4 @@
 	}
 
 	$GLOBALS['egw']->framework->login_screen($extra_vars);
+}

logout.php

@@ -1,77 +1,86 @@
 <?php
-	/**************************************************************************\
-	 * eGroupWare                                                               *
-	 * http://www.egroupware.org                                                *
-	 * Written by Joseph Engo <jengo@phpgroupware.org>                          *
-	 * --------------------------------------------                             *
-	 *  This program is free software; you can redistribute it and/or modify it *
-	 *  under the terms of the GNU General Public License as published by the   *
-	 *  Free Software Foundation; either version 2 of the License, or (at your  *
-	 *  option) any later version.                                              *
-	 \**************************************************************************/
+/**
+ * eGroupWare - Logout
+ *
+ * @link http://www.egroupware.org
+ * @author Joseph Engo <jengo@phpgroupware.org>
+ * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+ * @package api
+ * @subpackage authentication
+ * @version $Id$
+ */
 
-	/* $Id$ */
+$GLOBALS['egw_info'] = array(
+	'flags' => array(
+		'disable_Template_class' => True,
+		'currentapp'             => 'logout',
+		'noheader'               => True,
+		'nofooter'               => True,
+		'nonavbar'               => True
+	)
+);
+include('./header.inc.php');
 
-	$GLOBALS['egw_info'] = array(
-		'flags' => array(
-			'disable_Template_class' => True,
-			'currentapp'             => 'logout',
-			'noheader'               => True,
-			'nofooter'               => True,
-			'nonavbar'               => True
-		)
-	);
-	include('./header.inc.php');
+$GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));
+$GLOBALS['kp3']       = get_var('kp3',array('GET','COOKIE'));
 
-	$GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));
-	$GLOBALS['kp3']       = get_var('kp3',array('GET','COOKIE'));
+$verified = $GLOBALS['egw']->session->verify();
 
-	$verified = $GLOBALS['egw']->session->verify();
+if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login'))
+{
+	$redirectTarget = $GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain'];
+}
 
-	if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login'))
+if($verified)
+{
+	$GLOBALS['egw']->hooks->process('logout');
+	$GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']);
+}
+else
+{
+	if(is_object($GLOBALS['egw']->log))
 	{
-		$redirectTarget = $GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain'];
+		$GLOBALS['egw']->log->write(array(
+			'text' => 'W-VerifySession, could not verify session during logout',
+			'line' => __LINE__,
+			'file' => __FILE__
+		));
 	}
+}
+$GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
+$GLOBALS['egw']->session->egw_setcookie('sessionid');
+$GLOBALS['egw']->session->egw_setcookie('kp3');
+$GLOBALS['egw']->session->egw_setcookie('domain');
 
-	if($verified)
-	{
-		$GLOBALS['egw']->hooks->process('logout');
-		$GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']);
-	}
-	else
-	{
-		if(is_object($GLOBALS['egw']->log))
-		{
-			$GLOBALS['egw']->log->write(array(
-				'text' => 'W-VerifySession, could not verify session during logout',
-				'line' => __LINE__,
-				'file' => __FILE__
-			));
-		}
-	}
-	$GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
-	$GLOBALS['egw']->session->egw_setcookie('sessionid');
-	$GLOBALS['egw']->session->egw_setcookie('kp3');
-	$GLOBALS['egw']->session->egw_setcookie('domain');
+if($GLOBALS['egw_info']['server']['auth_type'] == 'cas')
+{
+	require_once('CAS/CAS.php');
 
-	// $GLOBALS['egw']->redirect($redirectTarget);
+	phpCAS::client(CAS_VERSION_2_0,
+								$GLOBALS['egw_info']['server']['cas_server_host_name'],
+								(int) $GLOBALS['egw_info']['server']['cas_server_port'],
+								$GLOBALS['egw_info']['server']['cas_server_uri'] );
+	phpCAS::logout($GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain']);
+}
+
+// $GLOBALS['egw']->redirect($redirectTarget);
 ?>
 <head>
 <script language="javascript">
 function clearAuthenticationCache(page)
-{ 
-	// Default to a non-existing page (give error 500). 
-	// An empty page is better, here. 
-	if (!page) page = '.force_logout'; 
+{
+	// Default to a non-existing page (give error 500).
+	// An empty page is better, here.
+	if (!page) page = '.force_logout';
 
 	try
-	{ 
-		var agt=navigator.userAgent.toLowerCase(); 
+	{
+		var agt=navigator.userAgent.toLowerCase();
 		if (agt.indexOf("msie") != -1)
-		{ 
-			// IE clear HTTP Authentication 
-			document.execCommand("ClearAuthenticationCache"); 
-		} 
+		{
+			// IE clear HTTP Authentication
+			document.execCommand("ClearAuthenticationCache");
+		}
 		else
 		{
 			var xmlhttp;
@@ -80,28 +89,28 @@ function clearAuthenticationCache(page)
 				xmlhttp = new XMLHttpRequest();
 			}
 			else if (window.ActiveXObject)
-			{ 
-				xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); 
+			{
+				xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
 			}
 			else
 			{
 				return;
 			}
 
-			// Let's prepare invalid credentials 
-			xmlhttp.open("GET", page, true, "logout", "logout"); 
-			// Let's send the request to the server 
-			xmlhttp.send(""); 
-			// Let's abort the request 
-			xmlhttp.abort(); 
-		} 
+			// Let's prepare invalid credentials
+			xmlhttp.open("GET", page, true, "logout", "logout");
+			// Let's send the request to the server
+			xmlhttp.send("");
+			// Let's abort the request
+			xmlhttp.abort();
+		}
 	}
 	catch(e)
-	{ 
+	{
 		alert("An exception occurred in the script. Error name: " + e.name + ". Error message: " + e.message);
-		// There was an error 
-		return; 
-	} 
+		// There was an error
+		return;
+	}
 }
 </script>
 <meta http-equiv="refresh" content="1;url=<?php echo $redirectTarget ?>">

phpgwapi/inc/class.auth_cas.inc.php

@@ -0,0 +1,67 @@
+<?php
+/**
+ * eGroupWare API - Authentication from CAS
+ *
+ * @link http://www.egroupware.org
+ * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+ * @package api
+ * @subpackage authentication
+ * @version $Id$
+ */
+
+/**
+ * eGroupWare API - Authentication based on CAS (Central Authetication Service)
+ */
+class auth_
+{
+	var $previous_login = -1;
+
+	/**
+	 * authentication against CAS
+	 *
+	 * @param string $username username of account to authenticate
+	 * @param string $passwd corresponding password
+	 * @return boolean true if successful authenticated, false otherwise
+	 */
+	function authenticate($username, $passwd)
+	{
+		/* if program goes here, authenticate is, normaly, already verified by CAS */
+		if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
+			$GLOBALS['egw_info']['server']['account_repository'] != 'ldsq') /* For anonymous LDAP connection */
+		{
+			if (!($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')) &&
+				$GLOBALS['egw_info']['server']['auto_create_acct'])
+			{
+				// create a global array with all availible info about that account
+				$GLOBALS['auto_create_acct'] = array();
+				foreach(array(
+					'givenname' => 'firstname',
+					'sn'        => 'lastname',
+					'uidnumber' => 'id',
+					'mail'      => 'email',
+					'gidnumber' => 'primary_group',
+					) as $ldap_name => $acct_name)
+				{
+					$GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
+				}
+				return True;
+			}
+			return $id && $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A' && phpCAS::checkAuthentication();
+		}
+		return phpCAS::checkAuthentication();
+	}
+
+	/**
+	 * changes password in CAS
+	 *
+	 * @param string $old_passwd must be cleartext or empty to not to be checked
+	 * @param string $new_passwd must be cleartext
+	 * @param int $account_id account id of user whose passwd should be changed
+	 * @return boolean true if password successful changed, false otherwise
+	 */
+	function change_password($old_passwd, $new_passwd, $account_id=0)
+	{
+		/* Not allowed */
+		return false;
+	}
+}

setup/lang/egw_de.lang

@@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al
 attempt to use correct mimetype for ftp instead of default 'application/octet-stream'	setup	de	Soll versucht werden den korrekten MIME-typ für FTP zu verwenden statt dem Vorgabewert "application/octet-stream"
 authentication / accounts	setup	de	Authentifizierung / Benutzerkonten
 authentication type for application	setup	de	Authentifizierungstyp für die Anwendung
+authentification mode:	setup	de	Art der Authentifizierung:
 auto create account records for authenticated users	setup	de	Benutzerkonten für authentifizierte Benutzer automatisch anlegen
 auto login anonymous user	setup	de	Anonymen Benutzer automatisch einlogen
 auto-created user accounts expire	setup	de	Automatisch angelegte Benutzerkonten laufen ab in
@@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version
 because the enable flag for this app is set to 0, or is undefined	setup	de	weil der verfügbar-Eintrag für diese Applikation auf 0 gesetzt oder undefiniert ist
 bottom	setup	de	unten
 but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>these automated scripts can easily destroy your data.</strong>	setup	de	Aber wir <u>raten Ihnen dringend, eine Sicherungskopie</u> anzulegen f&uuml;r den Fall, dass dieses Skript Ihre bestehenden Daten besch&auml;digt!<br /><strong>Diese automatisierten Skripts k&ouml;nnen leicht Ihre Daten besch&auml;digen!.</strong>
+ca certificate	setup	de	CA Zertifikat
 can not connect to %1 database %2 on host %3 using user %4!	setup	de	Kann nicht zur %1 Datenbank %2 auf Rechner %3 als Benutzer %4 verbinden!
 can not connect to ldap server on host %1 using dn %2!	setup	de	Kann nicht zu LDAP Server auf Rechner %1 als DN %2 verbinden!
 can not create %1 database %2 on %3 for user %4!	setup	de	Kann keine %1 Datenbank %2 auf Rechner %3 für Benutzer %4 anlegen!
 can not create dn %1!	setup	de	Kann DN %1 nicht anlegen!
 cancel	setup	de	Abbrechen
 cannot create the header.inc.php due to file permission restrictions.<br /> instead you can %1 or %2 the file.	setup	de	Kann die Datei header.inc.php wegen unzureichenden Zugriffsrechten nicht erzeugen.<br />Stattdessen können Sie die Datei %1 oder %2.
+cas server host name:<br />example: sso-cas.univ-rennes1.fr	setup	de	CAS Server Host Name: (z.B.: sso-cas-univ-rennes1.fr):
+cas server port:<br />example: 443	setup	de	CAS Server Port (zB. 443):
+cas server uri:	setup	de	CAS Server URI:
+certificate (pem or ca):	setup	de	Zertifikat (PEM oder CA):
 change system-charset	setup	de	Systemzeichensatz wechseln
 charset	setup	de	utf-8
 charset to convert to	setup	de	Zeichensatz in den konvertiert werden soll
@@ -291,6 +297,7 @@ if no acl records for user or any group the user is a member of	setup	de	Wenn es
 if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module.	setup	de	Wenn safe_mode eingeschaltet ist, kann eGW verschiedene Einstellungen nicht mehr zur Laufzeit ändern, noch können wir nicht geladene Erweiterungen (php extensions) laden.
 if the application has no defined tables, selecting upgrade should remedy the problem	setup	de	Wenn die Anwendung keine definierten Tabellen hat, wählen Sie überarbeiten. Das Problem sollte damit behoben werden.
 if using ads (active directory) authentication	setup	de	Wenn Sie ADS (Active Directory) Authentifizierung benutzen
+if using cas (central authentication service):	setup	de	Wenn Sie CAS (Central Authentication Service) benutzen
 if using ldap	setup	de	Wenn Sie LDAP verwenden
 if using ldap, do you want to manage homedirectory and loginshell attributes?	setup	de	Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Komandointerpreter verwalten ?
 if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files.	setup	de	Wenn Sie nur die Documentroot erreichen können, wählen Sie bei Inhalt von Dateien speichern <b>Datenbank</b> UND benutzern Sie hier den Pfad für temporäre Dateien.
@@ -412,7 +419,10 @@ path to various directories: have to exist and be writeable by the webserver	set
 pear (%1) is a php repository and is usually in a package called %2.	setup	de	PEAR (%1) ist eine PHP Sammlung und ist überlicherweise in einem Packet namens %2.
 pear extensions are required by many egroupware applications, pear itself is the required basis for each extension!	setup	de	PEAR Erweiterungen werden von vielen eGroupware Anwendungen benötigt, PEAR selbst ist die Basis für diese Erweiterungen!
 pear%1 is needed by: %2.	setup	de	PEAR%1 wird benötigt von: %2.
+pem certificate	setup	de	PEM Zertifikat
 persistent connections	setup	de	Permanente Verbindungen
+php client	setup	de	PHP Klient
+php proxy	setup	de	PHP Proxy
 php session handler enabled in php.ini	setup	de	PHP Sitzungshandler aus der php.ini
 please check for sql scripts within the application's directory	setup	de	Bitte suchen Sie ein SQL Skript im Verzeichnis der Anwendung
 please check read/write permissions on directories, or back up and use another option.	setup	de	Bitte überprüfen Sie die Lese/Schreib-Rechte der Verzeichnisse oder gehen Sie zurück und benutzen eine andere Option.
@@ -500,6 +510,7 @@ smtp server port	setup	de	SMTP Server Port
 some or all of its tables are missing	setup	de	Einige oder alle Tabellen fehlen
 sources deleted/missing	setup	de	Quellen gelöscht/fehlen
 sql encryption type	setup	de	SQL-Verschlüsselungstyp für das Passwort (Vorgabe MD5)
+ssl validation:	setup	de	SSL Validierung:
 standard (login-name identical to egroupware user-name)	setup	de	Standard (Loginname identisch zu eGroupWare Benutzername)
 standard mailserver settings (used for mail authentication too)	setup	de	Standard Mailserver Einstellungen (werden auch für die Mail Authentifizierung benutzt)
 standard, as defined above	setup	de	Standard, wie darüber definiert

setup/lang/egw_en.lang

@@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al
 attempt to use correct mimetype for ftp instead of default 'application/octet-stream'	setup	en	Attempt to use correct mimetype for FTP instead of default 'application/octet-stream'
 authentication / accounts	setup	en	Authentication / Accounts
 authentication type for application	setup	en	Authentication type for application
+authentification mode:	setup	en	Authentification mode:
 auto create account records for authenticated users	setup	en	Auto create account records for authenticated users
 auto login anonymous user	setup	en	Auto login anonymous user
 auto-created user accounts expire	setup	en	Auto-created user accounts expire
@@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version
 because the enable flag for this app is set to 0, or is undefined	setup	en	because the enable flag for this app is set to 0, or is undefined
 bottom	setup	en	bottom
 but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>these automated scripts can easily destroy your data.</strong>	setup	en	but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>These automated scripts can easily destroy your data.</strong>
+ca certificate	setup	en	CA certificate
 can not connect to %1 database %2 on host %3 using user %4!	setup	en	Can not connect to %1 database %2 on host %3 using user %4!
 can not connect to ldap server on host %1 using dn %2!	setup	en	Can not connect to LDAP server on host %1 using DN %2!
 can not create %1 database %2 on %3 for user %4!	setup	en	Can not create %1 database %2 on %3 for user %4!
 can not create dn %1!	setup	en	Can not create DN %1!
 cancel	setup	en	Cancel
 cannot create the header.inc.php due to file permission restrictions.<br /> instead you can %1 or %2 the file.	setup	en	Cannot create the header.inc.php due to file permission restrictions.<br /> Instead you can %1 or %2 the file.
+cas server host name:<br />example: sso-cas.univ-rennes1.fr	setup	en	cas server host name:<br />example: sso-cas.univ-rennes1.fr
+cas server port:<br />example: 443	setup	en	cas server port:<br />Example: 443
+cas server uri:	setup	en	cas server uri:
+certificate (pem or ca):	setup	en	Certificate (PEM or CA):
 change system-charset	setup	en	Change system-charset
 charset	setup	en	utf-8
 charset to convert to	setup	en	Charset to convert to
@@ -289,6 +295,7 @@ if no acl records for user or any group the user is a member of	setup	en	If no A
 if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module.	setup	en	If safe_mode is turned on, eGW is not able to change certain settings on runtime, nor can we load any not yet loaded module.
 if the application has no defined tables, selecting upgrade should remedy the problem	setup	en	If the application has no defined tables, selecting upgrade should remedy the problem
 if using ads (active directory) authentication	setup	en	If using ADS (Active Directory) authentication
+if using cas (central authentication service):	setup	en	if using cas (Central Authentication Service):
 if using ldap	setup	en	If using LDAP
 if using ldap, do you want to manage homedirectory and loginshell attributes?	setup	en	If using LDAP, do you want to manage homedirectory and loginshell attributes?
 if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files.	setup	en	If you can only access the docroot choose <b>Database</b> for where to store the file content AND use same path as for temporary files.
@@ -410,7 +417,10 @@ path to various directories: have to exist and be writeable by the webserver	set
 pear (%1) is a php repository and is usually in a package called %2.	setup	en	PEAR (%1) is a PHP repository and is usually in a package called %2.
 pear extensions are required by many egroupware applications, pear itself is the required basis for each extension!	setup	en	PEAR extensions are required by many eGroupware applications, PEAR itself is the required basis for each extension!
 pear%1 is needed by: %2.	setup	en	PEAR%1 is needed by: %2.
+pem certificate	setup	en	PEM certificate
 persistent connections	setup	en	Persistent connections
+php client	setup	en	PHP client
+php proxy	setup	en	PHP proxy
 php session handler enabled in php.ini	setup	en	PHP session handler enabled in php.ini
 please check for sql scripts within the application's directory	setup	en	Please check for sql scripts within the application's directory
 please check read/write permissions on directories, or back up and use another option.	setup	en	Please check read/write permissions on directories, or back up and use another option.
@@ -498,6 +508,7 @@ smtp server port	setup	en	SMTP server port
 some or all of its tables are missing	setup	en	Some or all of its tables are missing
 sources deleted/missing	setup	en	Sources deleted/missing
 sql encryption type	setup	en	SQL encryption type for passwords (default - md5)
+ssl validation:	setup	en	SSL validation:
 standard (login-name identical to egroupware user-name)	setup	en	standard (login-name identical to eGroupWare user-name)
 standard mailserver settings (used for mail authentication too)	setup	en	Standard mailserver settings (used for Mail authentication too)
 standard, as defined above	setup	en	Standard, as defined above

setup/lang/egw_fr.lang

@@ -638,3 +638,15 @@ your tables will be dropped and you will lose data	setup	fr	Vos tables seront su
 your temporary directory '%1' %2	setup	fr	Votre répertoire temporaire '%1' %2
 {db | php(default) | php-restore}	setup	fr	{db | php(par défaut) | php-restore}
 {off(default) | on}	setup	fr	{off(par défaut) | on}
+authentification mode:	setup	fr	Mode d'authentification :
+ca certificate	setup	fr	Certificat CA
+cas server host name:<br />example: sso-cas.univ-rennes1.fr	setup	fr	Nom du serveur CAS hôte :<br />Exemple : sso-cas.univ-rennes1.fr
+cas server port:<br />Example: 443	setup	fr	Port du serveur CAS :<br />Exemple : 443
+cas server uri:	setup	fr	URI du serveur CAS :
+certificate (pem or ca):	setup	fr	Certificat (PEM ou CA) :
+if using cas (central authentication service):	setup	fr	Si vous utilisez l'authentification CAS (Central Authentication Service) :
+pem certificate	setup	fr	Certificat PEM
+php client	setup	fr	php Client
+php proxy	setup	fr	php Proxy
+ssl validation:	setup	fr	Validation SSL :
+

setup/templates/default/config.tpl

@@ -216,6 +216,7 @@
       <option value="http"{selected_auth_type_http}>HTTP</option>
       <option value="nis"{selected_auth_type_nis}>NIS</option>
       <option value="pam"{selected_auth_type_pam}>PAM</option>
+      <option value="cas"{selected_auth_type_cas}>CAS</option>
      </select>
     </td>
    </tr>
@@ -464,6 +465,55 @@
     </td>
    </tr>
 
+   <tr class="th">
+    <td colspan="2"><b>{lang_If_using_CAS_(Central_Authentication_Service):}</b></td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_CAS_server_host_name:<br />Example:_sso-cas.univ-rennes1.fr}</td>
+    <td><input name="newsettings[cas_server_host_name]" value="{value_cas_server_host_name}" size="40" /></td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_CAS_server_port:<br />Example:_443}</td>
+    <td><input name="newsettings[cas_server_port]" value="{value_cas_server_port}" size="40" /></td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_CAS_server_uri:}</td>
+    <td><input name="newsettings[cas_server_uri]" value="{value_cas_server_uri}" size="40" /></td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_Authentification_mode:}</td>
+    <td>
+     <select name="newsettings[cas_authentication_mode]">
+      <option value="Client"{selected_cas_authentication_mode_Client}>{lang_php_Client}</option>
+      <option value="Proxy"{selected_cas_authentication_mode_Proxy}>{lang_php_Proxy}</option>
+     </select>
+    </td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_SSL_validation:}</td>
+    <td>
+     <select name="newsettings[cas_ssl_validation]">
+      <option value="No"{selected_cas_ssl_validation_No}>{lang_No}</option>
+      <option value="PEMCertificate"{selected_cas_ssl_validation_PEMCertificate}>{lang_PEM_Certificate}</option>
+      <option value="CACertificate"{selected_cas_ssl_validation_CACertificate}>{lang_CA_Certificate}</option>
+     </select>
+    </td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_Certificate_(PEM_or_CA):}</td>
+    <td><input name="newsettings[cas_cert]" value="{value_cas_cert}" size="40" /></td>
+   </tr>
+
+   <tr class="row_on">
+    <td colspan="2">&nbsp;</td>
+   </tr>
+
    <tr class="th">
     <td colspan="2"><b>{lang_If_using_ADS_(Active_Directory)_authentication}:</b></td>
    </tr>