Common Authentication Service Adapter (CASA) 1.0 Overview 2.0 Documentation 3.0 Known Issues 4.0 Legal Notices 1.0 Overview Common Authentication Service Adapter (CASA) provides a common infrastructure for client authentication across the Linux* and Microsoft* Windows* desktops. Novell products (such as GroupWise, GroupWise Messenger, iPrint, Novell iFolder, and the Novell clients for Windows and Linux) are integrated with the miCASA interface and can take advantage of the credential store that provides the cornerstone for CASA. The main components of CASA on Linux are: - CASA Identity Development Kit (IDK): The IDK provides a set of APIs that application and service developers can use to write user/application credentials to the credential store. The IDK APIs internally store the credentials passed onto them by the applications in miCASAd. There are C, C++, C# and Java bindings available for the CASA IDK. - miCASAd: An active component that starts during boot time. On Linux, miCASAd is available in the run-levels 1, 2, 3 and 5. It runs with root privileges and is active as long as the system is up. It stores and provides credentials or secrets based on the Linux user identifier (uid) of the process that makes the IDK API calls. The credentials, which are stored by applications in miCASAd, are maintained in memory and written to disk for this release. Session-based secrets implies secrets that are stored in an in-memory cache, are available only as long as the user is in session on the desktop, and are destroyed when miCASA daemon is restarted or the user logs off. When the user logs back in, the secrets written to disk are read back into memory. - Login Credential Capture Module: On Linux, the login credential capture module is implemented as a PAM module. This PAM module captures the user's desktop login credentials and stores them in miCASAd using the IDK APIs. This PAM module is placed as the last module in the auth and session stacks of xdm, gdm, kdm, login and sshd PAM configuration files. The functionality of this module is to store the credentials in miCASAd. Any PAM module that uses the IDK APIs must set its effective user id temporarily to that of the user logging in (the user returned by calling pam_get_user()), if the credentials need to be stored against that user. There might be cases where the user obtained through pam_get_user() might not be the one against whom the PAM module actually intends to store credentials. 2.0 Documentation To read or print the documentation, you need Adobe Acrobat Reader 4.0 (http://www.adobe.com/prodindex/acrobat/readstep.html) . The document in this download was created as a standalone file; therefore, links to files in other downloads will not resolve. The download includes a single file: CASA_Reference_Guide.pdf in the [install directory]\doc directory. 3.0 Known issues - Secrets with IDs using reserved characters may fail. These will be fixed in a future release. Reserved characters are : \ - CASA Manager might report an error stating that miCASA Services are not available when selecting the 'File' option on the main menu. This problem is resolved by upgrading mono to the latest version (1.1.9 or later) available for download at http://www.mono-project.com/Downloads. - CASA install rpm that is intended for 32 bit architecture should not be installed on 64 bit architecture because it can cause runtime problems. - Since CASA is tied to the Linux login process via PAM, events that cause the system to become inconsistent or unstable may cause a user to be unable to login to the workstation. Some possible causes of inconsistency or instability are: - Installing 32 bit CASA RPMs on a 64 bit OS - Performing a hard reset on the machine Following the steps below will restore the ability to login. 1) Reboot machine 2) When boot loader menu appears, type "init=/bin/bash" (without quotes) on the options line and then Enter. This will cause the machine to boot into a command shell with root privileges. 3) At the command prompt type "chkconfig micasad off" (without quotes). This will prevent the CASA daemon from being loaded during bootup. 4) With a console based text editor (i.e. vi, emacs) remove all lines referencing the pam_micasa module in the following pam configuration files (some files may not exist depending on what desktop managers have been installed: - /etc/pam.d/gdm - /etc/pam.d/xdm - /etc/pam.d/kdm - /etc/pam.d/sshd - /etc/pam.d/login 5) At the command prompt type "init 5" (without quotes) to boot into runlevel 5. This will provide you with a graphical login prompt. You should be able to login at this point. After you have restored login capabilities, you will need to resolve the inconsistency that prevented login in the first place. If you had installed a 32 bit CASA package on a 64 bit OS, you will need to uninstall the 32 bit package and install a CASA package built for 64 bit architectures. If you are recovering from a hard reset no further action should be needed. To make it so CASA will run at boot time, open a shell and at the prompt type "chkconfig micasad 1235" (without quotes). This will cause micasad to be run at runlevels 1, 2, 3, and 5. - When logged in to a KDE session, the gnome-keyring-daemon does not run by default. Therefore, all apps that access the daemon, including our CASAManager will not be able to manage/access the gnome-keyring. You can manually start the daemon by running the following command from a shell prompt: gnome-keyring-daemon When the gnome-keyring-daemon starts, it prints the GNOME_KEYRING_SOCKET environment variable and its value to the terminal. In Gnome, the daemon is started and the environment variable is loaded into your X session environment by default, but in KDE, you will have to manually load it. To load this environment variable, run a command similar to the following command from a shell prompt (replacing the value of the environment variable with what the daemon output to the screen when you started it): export GNOME_KEYRING_SOCKET=/tmp/keyring-oaTsPs/socket Then you can run CASAManager GUI (from the same terminal you exported the variable from) and you will be able to manage and use the gnome-keyring in KDE just like you could if you were logged into Gnome. 4.0 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. You may not use, export, or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. Copyright 2005 Novell, Inc. All rights reserved. Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License (GFDL), Version 1.2 or any later version, published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the GFDL can be found at http://www.fsf.org/licenses/fdl.html. THIS DOCUMENT AND MODIFIED VERSIONS OF THIS DOCUMENT ARE PROVIDED UNDER THE TERMS OF THE GNU FREE DOCUMENTATION LICENSE WITH THE FURTHER UNDERSTANDING THAT: 1. THE DOCUMENT IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE, OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY, ACCURACY, AND PERFORMANCE OF THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS WITH YOU. SHOULD ANY DOCUMENT OR MODIFIED VERSION PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL WRITER, AUTHOR OR ANY CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER; AND 2. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL THE AUTHOR, INITIAL WRITER, ANY CONTRIBUTOR, OR ANY DISTRIBUTOR OF THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES ARISING OUT OF OR RELATING TO USE OF THE DOCUMENT AND MODIFIED VERSIONS OF THE DOCUMENT, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries. AppNotes is a registered trademark of Novell, Inc. AppTester is a registered trademark of Novell, Inc. in the United States. ASM is a trademark of Novell, Inc. BorderManager is a registered trademark of Novell, Inc. BrainShare is a registered service mark of Novell, Inc. in the United States and other countries. C3PO is a trademark of Novell, Inc. Certified Novell Engineer is a service mark of Novell, Inc. Client32 is a trademark of Novell, Inc. CNE is a registered service mark of Novell, Inc. ConsoleOne is a registered trademark of Novell, Inc. Controlled Access Printer is a trademark of Novell, Inc. Custom 3rd-Party Object is a trademark of Novell, Inc. DeveloperNet is a registered trademark of Novell, Inc. in the United States and other countries. DirXML is a registered trademark of Novell, Inc. eDirectory is a trademark of Novell, Inc. Excelerator is a trademark of Novell, Inc. exteNd is a trademark of Novell, Inc. exteNd Director is a trademark of Novell, Inc. exteNd Workbench is a trademark of Novell, Inc. FAN-OUT FAILOVER is a trademark of Novell, Inc. GroupWise is a registered trademark of Novell, Inc. in the United States and other countries. Hardware Specific Module is a trademark of Novell, Inc. Hot Fix is a trademark of Novell, Inc. iChain is a registered trademark of Novell, Inc. Internetwork Packet Exchange is a trademark of Novell, Inc. IPX is a trademark of Novell, Inc. IPX/SPX is a trademark of Novell, Inc. jBroker is a trademark of Novell, Inc. Link Support Layer is a trademark of Novell, Inc. LSL is a trademark of Novell, Inc. ManageWise is a registered trademark of Novell, Inc., in the United States and other countries. Mirrored Server Link is a trademark of Novell, Inc. Mono is a registered trademark of Novell, Inc. MSL is a trademark of Novell, Inc. My World is a registered trademark of Novell, Inc. in the United States. NCP is a trademark of Novell, Inc. NDPS is a registered trademark of Novell, Inc. NDS is a registered trademark of Novell, Inc. in the United States and other countries. NDS Manager is a trademark of Novell, Inc. NE2000 is a trademark of Novell, Inc. NetMail is a registered trademark of Novell, Inc. NetWare is a registered trademark of Novell, Inc. in the United States and other countries. NetWare/IP is a trademark of Novell, Inc. NetWare Core Protocol is a trademark of Novell, Inc. NetWare Loadable Module is a trademark of Novell, Inc. NetWare Management Portal is a trademark of Novell, Inc. NetWare Name Service is a trademark of Novell, Inc. NetWare Peripheral Architecture is a trademark of Novell, Inc. NetWare Requester is a trademark of Novell, Inc. NetWare SFT and NetWare SFT III are trademarks of Novell, Inc. NetWare SQL is a trademark of Novell, Inc. NetWire is a registered service mark of Novell, Inc. in the United States and other countries. NLM is a trademark of Novell, Inc. NMAS is a trademark of Novell, Inc. NMS is a trademark of Novell, Inc. Novell is a registered trademark of Novell, Inc. in the United States and other countries. Novell Application Launcher is a trademark of Novell, Inc. Novell Authorized Service Center is a service mark of Novell, Inc. Novell Certificate Server is a trademark of Novell, Inc. Novell Client is a trademark of Novell, Inc. Novell Cluster Services is a trademark of Novell, Inc. Novell Directory Services is a registered trademark of Novell, Inc. Novell Distributed Print Services is a trademark of Novell, Inc. Novell iFolder is a registered trademark of Novell, Inc. Novell Labs is a trademark of Novell, Inc. Novell SecretStore is a registered trademark of Novell, Inc. Novell Security Attributes is a trademark of Novell, Inc. Novell Storage Services is a trademark of Novell, Inc. Novell, Yes, Tested & Approved logo is a trademark of Novell, Inc. Nsure is a registered trademark of Novell, Inc. Nterprise is a trademark of Novell, Inc. Nterprise Branch Office is a trademark of Novell, Inc. ODI is a trademark of Novell, Inc. Open Data-Link Interface is a trademark of Novell, Inc. Packet Burst is a trademark of Novell, Inc. PartnerNet is a registered service mark of Novell, Inc. in the United States and other countries. Printer Agent is a trademark of Novell, Inc. QuickFinder is a trademark of Novell, Inc. Red Box is a trademark of Novell, Inc. Red Carpet is a registered trademark of Novell, Inc. in the United States and other countries. Sequenced Packet Exchange is a trademark of Novell, Inc. SFT and SFT III are trademarks of Novell, Inc. SPX is a trademark of Novell, Inc. Storage Management Services is a trademark of Novell, Inc. SUSE is a registered trademark of SUSE AG, a Novell business. System V is a trademark of Novell, Inc. Topology Specific Module is a trademark of Novell, Inc. Transaction Tracking System is a trademark of Novell, Inc. TSM is a trademark of Novell, Inc. TTS is a trademark of Novell, Inc. Universal Component System is a registered trademark of Novell, Inc. Virtual Loadable Module is a trademark of Novell, Inc. VLM is a trademark of Novell, Inc. Yes Certified is a trademark of Novell, Inc. ZENworks is a registered trademark of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.