
Common Authentication Service Adapter (CASA)

1.0  Overview
2.0  Documentation
3.0  Known Issues
4.0  Legal Notices


1.0  Overview

     Common Authentication Service Adapter (CASA) provides
     a common infrastructure for client authentication
     across the Linux* and Microsoft* Windows* desktops.
     Novell products (such as GroupWise, GroupWise
     Messenger, iPrint, Novell iFolder, and the Novell
     clients for Windows and Linux) are integrated with the
     miCASA interface and can take advantage of the
     credential store that provides the cornerstone for
     CASA.



     The main components of CASA on Linux are:

     -  CASA Identity Development Kit (IDK): The IDK
        provides a set of APIs that application and service
        developers can use to write user/application
        credentials to the credential store. The IDK APIs
        internally store the credentials passed to them by
        the applications in miCASAd. C, C++, C# and Java
        bindings are available for the CASA IDK.



     -  miCASAd: An active component that starts during
        boot time. On Linux, miCASAd is available in
        run-levels 1, 2, 3 and 5. It runs with root
        privileges and is active as long as the system is
        up. It stores and provides credentials or secrets
        based on the Linux user identifier (uid) of the
        process that makes the IDK API calls. In this
        release, the credentials that applications store in
        miCASAd are maintained in memory and also written
        to disk. "Session-based" secrets are secrets held
        only in the in-memory cache: they are available
        only as long as the user is in session on the
        desktop, and are destroyed when the miCASA daemon
        is restarted or the user logs off. When the user
        logs back in, the secrets written to disk are read
        back into memory.

      

     -  Login Credential Capture Module: On Linux, the
        login credential capture module is implemented as a
        PAM module. This PAM module captures the user's
        desktop login credentials and stores them in
        miCASAd using the IDK APIs. It is placed as the
        last module in the auth and session stacks of the
        xdm, gdm, kdm, login and sshd PAM configuration
        files. The only function of this module is to store
        the captured credentials in miCASAd.

        Any PAM module that uses the IDK APIs must
        temporarily set its effective user id to that of
        the user logging in (the user returned by calling
        pam_get_user()) if the credentials are to be stored
        against that user, because miCASAd files secrets
        under the uid of the calling process. There may be
        cases where the user obtained through pam_get_user()
        is not the one against whom the PAM module actually
        intends to store credentials; the module must then
        switch to the uid of the intended user instead.
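The effective-uid switch described above, as an added example in C that is
not part of CASA or its IDK. It shows the pattern a PAM module would follow
once pam_get_user() has supplied the login name: resolve the name to a uid,
run the store call with the euid set to that uid, and restore the original
euid regardless of the outcome. The IDK write call is represented by a
hypothetical store_credentials() callback (constructed for this example),
and the PAM entry-point plumbing is left out so the helper builds without
libpam; only resolve_uid(), with_effective_uid() and capture_for_user()
are assumed names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a login name (what pam_get_user() hands back) to a uid.
 * Returns 0 on success, -1 if the account is unknown or the lookup failed. */
int resolve_uid(const char *name, uid_t *uid_out)
{
    struct passwd pwd, *result = NULL;
    char buf[4096];

    if (getpwnam_r(name, &pwd, buf, sizeof buf, &result) != 0 || result == NULL)
        return -1;
    *uid_out = pwd.pw_uid;
    return 0;
}

/* Run fn(arg) with the effective uid temporarily set to target_uid and
 * restore the caller's euid afterwards, whatever fn returned.
 * Returns 0 with *fn_status set to fn's result, or -1 (errno set) if the
 * switch or the restore failed.  A failed restore is reported loudly: a
 * PAM module that silently carried on would finish the login under the
 * wrong identity. */
int with_effective_uid(uid_t target_uid, int (*fn)(void *), void *arg,
                       int *fn_status)
{
    uid_t saved = geteuid();

    /* Only root (or a process whose real/saved uid is already target_uid)
     * may switch; in a login PAM stack the calling program runs as root. */
    if (seteuid(target_uid) != 0)
        return -1;

    *fn_status = fn(arg);

    if (seteuid(saved) != 0) {
        int e = errno;
        fprintf(stderr, "with_effective_uid: cannot restore euid %u: %s\n",
                (unsigned)saved, strerror(e));
        errno = e;
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for the IDK store call (constructed for this
 * example).  It records the euid it ran under, which is the uid miCASAd
 * would file the secret against. */
struct store_ctx {
    uid_t observed_euid;
    const char *secret_id;
};

int store_credentials(void *arg)
{
    struct store_ctx *ctx = arg;

    ctx->observed_euid = geteuid();
    /* A real module would call the IDK write API here with ctx->secret_id
     * and the password captured from the PAM conversation. */
    return 0;
}

/* What a pam_sm_authenticate() or pam_sm_open_session() body would do once
 * pam_get_user() has supplied `user` (PAM plumbing left out).
 * Returns 0 on success, -1 if the user is unknown or the switch failed. */
int capture_for_user(const char *user, struct store_ctx *ctx)
{
    uid_t uid;
    int status = -1;

    if (resolve_uid(user, &uid) != 0)
        return -1;
    if (with_effective_uid(uid, store_credentials, ctx, &status) != 0)
        return -1;
    return status;
}

int main(void)
{
    struct store_ctx ctx = { 0, "Desktop" };
    struct passwd *pw = getpwuid(geteuid());
    const char *user = pw ? pw->pw_name : "root";

    if (capture_for_user(user, &ctx) != 0) {
        perror("capture_for_user");
        return 1;
    }
    printf("stored %s for uid %u; euid back to %u\n",
           ctx.secret_id, (unsigned)ctx.observed_euid, (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the program can only "switch" to its own uid, which
is enough to see the pattern; inside a real PAM stack the caller is root, so
seteuid() to the login user succeeds and the restore returns the module to
root for the rest of the stack. Checking the return value of the restoring
seteuid() is the part most often skipped, and it is the one that matters.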





2.0  Documentation

     To read or print the documentation, you need Adobe
     Acrobat Reader 4.0
     (http://www.adobe.com/prodindex/acrobat/readstep.html).

     The document in this download was created as a
     standalone file; therefore, links to files in other
     downloads will not resolve.

     The download includes a single file,
     CASA_Reference_Guide.pdf, in the [install directory]\doc
     directory.





3.0  Known Issues

     - Secrets with IDs that use reserved characters may
       fail. This will be fixed in a future release. The
       reserved characters are ':' and '\'.



     - CASA Manager might report an error stating that
       miCASA Services are not available when selecting
       the 'File' option on the main menu. This problem
       is resolved by upgrading mono to the latest version
       (1.1.9 or later), available for download at
       http://www.mono-project.com/Downloads.

     - The CASA install rpm that is intended for the 32 bit
       architecture should not be installed on a 64 bit
       architecture, because it can cause runtime problems.



     - Since CASA is tied to the Linux login process via PAM,
       events that cause the system to become inconsistent or
       unstable may leave a user unable to log in to the
       workstation. Some possible causes of inconsistency or
       instability are:

         - Installing 32 bit CASA RPMs on a 64 bit OS
         - Performing a hard reset on the machine

       Following the steps below will restore the ability to
       log in.

         1) Reboot the machine.
         2) When the boot loader menu appears, type
            "init=/bin/bash" (without quotes) on the options
            line and then press Enter. This will cause the
            machine to boot into a command shell with root
            privileges.
         3) At the command prompt type "chkconfig micasad off"
            (without quotes). This will prevent the CASA
            daemon from being loaded during bootup.
         4) With a console based text editor (e.g. vi, emacs)
            remove all lines referencing the pam_micasa module
            in the following pam configuration files (some
            files may not exist, depending on which desktop
            managers have been installed):

            - /etc/pam.d/gdm
            - /etc/pam.d/xdm
            - /etc/pam.d/kdm
            - /etc/pam.d/sshd
            - /etc/pam.d/login

         5) At the command prompt type "init 5" (without
            quotes) to boot into runlevel 5. This will provide
            you with a graphical login prompt. You should be
            able to log in at this point.

       After you have restored login capabilities, you will
       need to resolve the inconsistency that prevented login
       in the first place. If you had installed a 32 bit CASA
       package on a 64 bit OS, you will need to uninstall the
       32 bit package and install a CASA package built for 64
       bit architectures. If you are recovering from a hard
       reset, no further action should be needed.

       To make CASA run at boot time again, open a shell and
       at the prompt type "chkconfig micasad 1235" (without
       quotes). This will cause micasad to be run at runlevels
       1, 2, 3, and 5.



     - When logged in to a KDE session, the gnome-keyring-daemon
       does not run by default. Therefore, all apps that access
       the daemon, including our CASAManager, will not be able
       to manage/access the gnome-keyring.

       You can manually start the daemon by running the
       following command from a shell prompt:

       gnome-keyring-daemon

       When the gnome-keyring-daemon starts, it prints the
       GNOME_KEYRING_SOCKET environment variable and its value
       to the terminal. In Gnome, the daemon is started and the
       environment variable is loaded into your X session
       environment by default, but in KDE you will have to
       load it manually.

       To load this environment variable, run a command similar
       to the following from a shell prompt (replacing the
       value of the environment variable with what the daemon
       printed to the screen when you started it):

       export GNOME_KEYRING_SOCKET=/tmp/keyring-oaTsPs/socket

       Then you can run the CASAManager GUI (from the same
       terminal in which you exported the variable) and you
       will be able to manage and use the gnome-keyring in KDE
       just as you could if you were logged into Gnome.


4.0  Legal Notices

     Novell, Inc. makes no representations or warranties
     with respect to the contents or use of this
     documentation, and specifically disclaims any express
     or implied warranties of merchantability or fitness
     for any particular purpose. Further, Novell, Inc.
     reserves the right to revise this publication and to
     make changes to its content, at any time, without
     obligation to notify any person or entity of such
     revisions or changes.

     Further, Novell, Inc. makes no representations or
     warranties with respect to any software, and
     specifically disclaims any express or implied
     warranties of merchantability or fitness for any
     particular purpose. Further, Novell, Inc. reserves the
     right to make changes to any and all parts of Novell
     software, at any time, without any obligation to
     notify any person or entity of such changes.

     You may not use, export, or re-export this product in
     violation of any applicable laws or regulations
     including, without limitation, U.S. export regulations
     or the laws of the country in which you reside.

     Copyright © 2005 Novell, Inc. All rights reserved.
     Permission is granted to copy, distribute, and/or
     modify this document under the terms of the GNU Free
     Documentation License (GFDL), Version 1.2 or any later
     version, published by the Free Software Foundation
     with no Invariant Sections, no Front-Cover Texts, and
     no Back-Cover Texts. A copy of the GFDL can be found
     at http://www.fsf.org/licenses/fdl.html.

     THIS DOCUMENT AND MODIFIED VERSIONS OF THIS DOCUMENT
     ARE PROVIDED UNDER THE TERMS OF THE GNU FREE
     DOCUMENTATION LICENSE WITH THE FURTHER UNDERSTANDING
     THAT:

     1. THE DOCUMENT IS PROVIDED ON AN "AS IS" BASIS,
     WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
     IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES
     THAT THE DOCUMENT OR MODIFIED VERSION OF THE DOCUMENT
     IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR
     PURPOSE, OR NON-INFRINGING. THE ENTIRE RISK AS TO THE
     QUALITY, ACCURACY, AND PERFORMANCE OF THE DOCUMENT OR
     MODIFIED VERSION OF THE DOCUMENT IS WITH YOU. SHOULD
     ANY DOCUMENT OR MODIFIED VERSION PROVE DEFECTIVE IN
     ANY RESPECT, YOU (NOT THE INITIAL WRITER, AUTHOR OR
     ANY CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY
     SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF
     WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS
     LICENSE. NO USE OF ANY DOCUMENT OR MODIFIED VERSION OF
     THE DOCUMENT IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS
     DISCLAIMER; AND

     2. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
     WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR
     OTHERWISE, SHALL THE AUTHOR, INITIAL WRITER, ANY
     CONTRIBUTOR, OR ANY DISTRIBUTOR OF THE DOCUMENT OR
     MODIFIED VERSION OF THE DOCUMENT, OR ANY SUPPLIER OF
     ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY
     DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
     CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING,
     WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
     STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND
     ALL OTHER DAMAGES OR LOSSES ARISING OUT OF OR RELATING
     TO USE OF THE DOCUMENT AND MODIFIED VERSIONS OF THE
     DOCUMENT, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED
     OF THE POSSIBILITY OF SUCH DAMAGES.

     Novell, Inc. has intellectual property rights relating
     to technology embodied in the product that is
     described in this document. In particular, and without
     limitation, these intellectual property rights may
     include one or more of the U.S. patents listed at
     http://www.novell.com/company/legal/patents/ and one
     or more additional patents or pending patent
     applications in the U.S. and in other countries.




     AppNotes is a registered trademark of Novell, Inc.

     AppTester is a registered trademark of Novell, Inc. in
     the United States.

     ASM is a trademark of Novell, Inc.

     BorderManager is a registered trademark of Novell, Inc.

     BrainShare is a registered service mark of Novell, Inc.
     in the United States and other countries.

     C3PO is a trademark of Novell, Inc.

     Certified Novell Engineer is a service mark of Novell, Inc.

     Client32 is a trademark of Novell, Inc.

     CNE is a registered service mark of Novell, Inc.

     ConsoleOne is a registered trademark of Novell, Inc.

     Controlled Access Printer is a trademark of Novell, Inc.

     Custom 3rd-Party Object is a trademark of Novell, Inc.

     DeveloperNet is a registered trademark of Novell, Inc.
     in the United States and other countries.

     DirXML is a registered trademark of Novell, Inc.

     eDirectory is a trademark of Novell, Inc.

     Excelerator is a trademark of Novell, Inc.

     exteNd is a trademark of Novell, Inc.

     exteNd Director is a trademark of Novell, Inc.

     exteNd Workbench is a trademark of Novell, Inc.

     FAN-OUT FAILOVER is a trademark of Novell, Inc.

     GroupWise is a registered trademark of Novell, Inc. in
     the United States and other countries.

     Hardware Specific Module is a trademark of Novell, Inc.

     Hot Fix is a trademark of Novell, Inc.

     iChain is a registered trademark of Novell, Inc.

     Internetwork Packet Exchange is a trademark of Novell, Inc.

     IPX is a trademark of Novell, Inc.

     IPX/SPX is a trademark of Novell, Inc.

     jBroker is a trademark of Novell, Inc.

     Link Support Layer is a trademark of Novell, Inc.

     LSL is a trademark of Novell, Inc.

     ManageWise is a registered trademark of Novell, Inc.,
     in the United States and other countries.

     Mirrored Server Link is a trademark of Novell, Inc.

     Mono is a registered trademark of Novell, Inc.

     MSL is a trademark of Novell, Inc.

     My World is a registered trademark of Novell, Inc. in
     the United States.

     NCP is a trademark of Novell, Inc.

     NDPS is a registered trademark of Novell, Inc.

     NDS is a registered trademark of Novell, Inc. in the
     United States and other countries.

     NDS Manager is a trademark of Novell, Inc.

     NE2000 is a trademark of Novell, Inc.

     NetMail is a registered trademark of Novell, Inc.

     NetWare is a registered trademark of Novell, Inc. in
     the United States and other countries.

     NetWare/IP is a trademark of Novell, Inc.

     NetWare Core Protocol is a trademark of Novell, Inc.

     NetWare Loadable Module is a trademark of Novell, Inc.

     NetWare Management Portal is a trademark of Novell, Inc.

     NetWare Name Service is a trademark of Novell, Inc.

     NetWare Peripheral Architecture is a trademark of
     Novell, Inc.

     NetWare Requester is a trademark of Novell, Inc.

     NetWare SFT and NetWare SFT III are trademarks of
     Novell, Inc.

     NetWare SQL is a trademark of Novell, Inc.

     NetWire is a registered service mark of Novell, Inc.
     in the United States and other countries.

     NLM is a trademark of Novell, Inc.

     NMAS is a trademark of Novell, Inc.

     NMS is a trademark of Novell, Inc.

     Novell is a registered trademark of Novell, Inc. in
     the United States and other countries.

     Novell Application Launcher is a trademark of Novell, Inc.

     Novell Authorized Service Center is a service mark of
     Novell, Inc.

     Novell Certificate Server is a trademark of Novell, Inc.

     Novell Client is a trademark of Novell, Inc.

     Novell Cluster Services is a trademark of Novell, Inc.

     Novell Directory Services is a registered trademark of
     Novell, Inc.

     Novell Distributed Print Services is a trademark of
     Novell, Inc.

     Novell iFolder is a registered trademark of Novell, Inc.

     Novell Labs is a trademark of Novell, Inc.

     Novell SecretStore is a registered trademark of
     Novell, Inc.

     Novell Security Attributes is a trademark of Novell, Inc.

     Novell Storage Services is a trademark of Novell, Inc.

     Novell, Yes, Tested & Approved logo is a trademark of
     Novell, Inc.

     Nsure is a registered trademark of Novell, Inc.

     Nterprise is a trademark of Novell, Inc.

     Nterprise Branch Office is a trademark of Novell, Inc.

     ODI is a trademark of Novell, Inc.

     Open Data-Link Interface is a trademark of Novell, Inc.

     Packet Burst is a trademark of Novell, Inc.

     PartnerNet is a registered service mark of Novell,
     Inc. in the United States and other countries.

     Printer Agent is a trademark of Novell, Inc.

     QuickFinder is a trademark of Novell, Inc.

     Red Box is a trademark of Novell, Inc.

     Red Carpet is a registered trademark of Novell, Inc.
     in the United States and other countries.

     Sequenced Packet Exchange is a trademark of Novell, Inc.

     SFT and SFT III are trademarks of Novell, Inc.

     SPX is a trademark of Novell, Inc.

     Storage Management Services is a trademark of Novell, Inc.

     SUSE is a registered trademark of SUSE AG, a Novell
     business.

     System V is a trademark of Novell, Inc.

     Topology Specific Module is a trademark of Novell, Inc.

     Transaction Tracking System is a trademark of Novell, Inc.

     TSM is a trademark of Novell, Inc.

     TTS is a trademark of Novell, Inc.

     Universal Component System is a registered trademark
     of Novell, Inc.

     Virtual Loadable Module is a trademark of Novell, Inc.

     VLM is a trademark of Novell, Inc.

     Yes Certified is a trademark of Novell, Inc.

     ZENworks is a registered trademark of Novell, Inc. in
     the United States and other countries.

     All third-party trademarks are the property of their
     respective owners.