Forge Home


Manages configuration for Central Authentication Service (CAS)


9,359 latest version

1.5 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.0 (latest)
released Dec 14th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'dmcnicks-cas', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add dmcnicks-cas
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install dmcnicks-cas --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



dmcnicks/cas — version 0.1.0 Dec 14th 2014


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with dmcnicks-cas
  4. Usage - Configuration options and additional functionality
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


Puppet module that manages configuration for Central Authentication Service (CAS).

Module Description

CAS is a single sign-on protocol for the web that supports multiple backends for authentication and authorisation. This puppet module manages CAS configuration files that support an LDAP backend.

CAS is deployed as a war file that is built using a separate Maven overlay build process. The cas::server class expects to be told the location of a pre-built war file to deploy. If you are unfamiliar with Maven overlays or CAS you can use the cas::war class to create a Maven project that is configured to support connecting to an LDAP backend.

Do not use the cas::war class to build war files in a production context. Maven can take a long time to download dependancies that can lead to a puppet timeout and an inconsistent node. For production use, create a separate Maven project under its own version control and distribute a pre-built war file to nodes using a separate mechanism.


What dmcnicks-cas affects

  • Copies a given war file into a given web application container for deployment.
  • Creates configuration files in /etc/cas.
  • Creates CAS log files in /var/log/cas.

Beginning with dmcnicks-cas

To create a Maven project and build the war, create a temporary build.pp on the node you are working with, containing:

class build () {
    class { "cas::war":
        maven_dir => "/srv/cas-maven",
        build => true

Then call the manifest using puppet apply:

$ puppet apply build.pp

Maven will take some time to download all of the required dependancies. Eventually it will create a customised war file located in /srv/cas-maven/target/cas.war.

Next, you will need to configure Apache and a web application container such as Tomcat on the node using your puppet infrastructure. As an example, the following manifest will use puppetlabs-apache, camptocamp-openssl and camptocamp-tomcat to configure Apache and Tomcat:

class { "tomcat":
    version => "7"
} ->

tomcat::instance { "cas":
    ensure => present,
    server_port => "8006",
    http_port => "8081",
    ajp_port => "8010"

include apache
include apache::mod::ssl
include apache::mod::proxy
include apache::mod::proxy_ajp

openssl::certificate::x509 { $::fqdn:
    ensure => present,
    country => "UK",
    organization => "My Organization",
    commonname => $::fqdn,
    days => "3650",
    force => false,
    cnf_tpl => "openssl/cert.cnf.erb",
    base_dir => "/etc/ssl/certs"
} ->

apache::vhost { $::fqdn:
    port => "443",
    ssl => true,
    ssl_key => "/etc/ssl/certs/${::fqdn}.key",
    ssl_cert => "/etc/ssl/certs/${::fqdn}.crt",
    docroot => "/var/www",
    proxy_pass => [
        { path => "/cas", url => "ajp://localhost:8010/cas" }

Finally, declare the cas::server class:

class { "cas::server":
    war => "/srv/cas-maven/target/cas.war",
    deploy_to => "$tomcat::instance_basedir/cas/webapps/cas.war",
    ldap_url => "ldaps://your.ldap.server",
    ldap_trustedcert => "/path/to/your.ldap.crt",
    ldap_basedn => "dc=your,dc=base,dc=dn",
    ldap_managerdn => "cn=youradmin,dc=your,dc=base,dc=dn",
    ldap_managerpassword => "youradminpassword",
    ldap_searchfilter => "(uid={user})",
    require => Tomcat::Instance["cas"]


Class cas::server

Manages CAS configuration files on the node and is responsible for deploying the CAS war file.



(Required) The group that the web application container (e.g. Tomcat) runs as. This is used to set group permissions on the configuration files and log directory, to ensure that they are accessible by the container.


(Required) The location of the pre-build CAS war file. This will be copied into the deploy_to location.


(Required) The final location of the war file. This should be a file name rather than a directory and, in order for CAS to work, the file itself should usually be cas.war.


(Required) The URL of the LDAP server.


(Required) The base DN of the LDAP server.


(Required) The DN of the manager account used to bind to the LDAP server.


(Required) The password of the manager account used to bind to the LDAP server.


(Required) Search filter used to locate user objects in LDAP. CAS populates the variable {user} with the name of the currently authenticating user so this search filter should look something like (uid={user}).


(Optional) The name of the virtual host that CAS is running on. This is mainly required for when CAS is running behind a load balancer. Defaults to the node FQDN.


(Optional) If the LDAP server is using LDAPS, provide a CA certificate chain or the LDAP server certificate (if self-signed) to enable secure communication.


(Optional) Set to true if your LDAP server uses STARTTLS. Defaults to false.


(Optional) Set to true to enable debug logging. Defaults to false.

Class cas::war

Creates a maven project for CAS that supports an LDAP backend and optionally builds the war file.



(Required) The base directory for the Maven project.


(Optional) Set to true to build the war once the Maven project has been created. Defaults to false.



Once the war file is built, calling classes can refer to this variable to find the location of the build war file.


CAS is a complex piece of software. I wrote this module to try to simplify getting a working CAS server connected to an LDAP backend, but the reality is that a lot can go wrong.


I am happy to receive pull requests.