
luca at wetron
Apr 7, 2006, 2:07 AM
Post #19 of 20
Fernando Martins wrote:
> David H wrote:
>> Robert,
>>
>> You can python + COM your way to a browser startup zope/plone login
>> screen. I cannot see how you automate the authentication of a given
>> browser instance that is then handed to your users.
>>
>
> Hmm, that's not automation in this sense. The user logs in to the
> workstation (Windows, don't know about unix), the user opens the browser and
> accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will
> then send authentication information to the Intranet server using the NTLM
> protocol. The web server (Apache with NTLM module) checks with some internal
> Domain server and sets the environment variable REMOTE_USER. This is then
> sent to a CGI or FastCGI app (zope with FastCGI).
>
>> Maybe someone will correct this. If so everyone's happy.
>
> Yes, local Intranet users love this, one less login, automatic recognition,
> personalisation, instant gratification,... ;-)

It seems it is possible but a little convoluted. WARNING: this has only had very limited testing and it's *not* in production (and I'm not sure it will ever be).

The first hurdle is that with the proxying configuration (RewriteRule with the P flag) ntlm_mod sends "Proxy-Authenticate" instead of "WWW-Authenticate" and it didn't work, so the first thing I needed to do was to modify ntlm_mod.c to always request "WWW-Authenticate" (easy to do, just find any instance of "r->proxyreq" and change it to "r->proxyreq && 0"). I didn't see this reported anywhere, so it could just be my local setup with apache 2.

Then in Apache I used the RequestHeader directive to add the remote user to the request *and* the E option in the RewriteRule to put the remote user in the environment (so that RequestHeader works), i.e. (zope is served here under the test directory "t"):

    <Location /t/>
        AuthName "A Protected Place"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthoritative on
        NTLMDomain YOURDOMAIN
        NTLMServer yourhost
        NTLMBasicAuth on
        NTLMBasicRealm YOURREALM
        require valid-user
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
    </Location>

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} !443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} 443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

(Note that this contortion with ssl may be due, again, to my setup. Note also that I didn't manage to make ntlm+ssl work with internet explorer; it works fine with firefox.)

At this point zope should see an additional header REMOTE_USER (with the consequent security risk: you should make sure that nobody can directly access zope, otherwise they can fake this header and pose as any user), which is available in request.environ as HTTP_REMOTE_USER.

Then it's just a matter of using PAS with the SharkbyteSSOPlugin (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured to use HTTP_REMOTE_USER. I'd suggest changing

    userid = request.get(self.uservar)

to

    userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to me anyway, but I'm not a security expert ;-)

Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007

_______________________________________________
Zope maillist - Zope[at]zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding!
** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
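As an added illustration of the request.get versus request.environ.get point in the post above (example code written here; it is not from the original message and not SharkbyteSSOPlugin's code): a simplified model of the two lookups, plus a loopback-only gate. The FakeRequest class, the constructed requests, and the assumption that the Apache proxy is the only legitimate client of Zope (it targets localhost:10080 in the posted rules) are all assumptions of this example; Zope's exact request.get search order is not reproduced.

```python
from dataclasses import dataclass, field

# Assumption: Zope is only meant to be reached through the Apache proxy on
# localhost, as in the posted RewriteRule targets (http://localhost:10080/...).
TRUSTED_PROXY_ADDRS = {"127.0.0.1"}


@dataclass
class FakeRequest:
    """Stand-in for a Zope HTTPRequest: CGI environ plus form data and cookies."""
    environ: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def get(self, key, default=None):
        # Simplified model of request.get(): it consults client-submitted data
        # (form fields, cookies) as well as environ, which is the problem.
        for source in (self.form, self.cookies, self.environ):
            if key in source:
                return source[key]
        return default


def userid_loose(request, uservar="HTTP_REMOTE_USER"):
    """The plugin's original lookup: request.get(self.uservar)."""
    return request.get(uservar)


def userid_strict(request, uservar="HTTP_REMOTE_USER"):
    """The suggested lookup: request.environ.get(self.uservar), i.e. only
    the header that the web server layer turned into a CGI variable."""
    return request.environ.get(uservar)


def userid_checked(request, uservar="HTTP_REMOTE_USER"):
    """environ-only, and only for connections from the trusted proxy; a
    request that reached Zope directly gets no SSO identity at all."""
    if request.environ.get("REMOTE_ADDR") not in TRUSTED_PROXY_ADDRS:
        return None
    return request.environ.get(uservar)


if __name__ == "__main__":
    # Constructed sample: Apache set the header, but the same name also
    # arrives as a form field in the request body.
    req = FakeRequest(environ={"REMOTE_ADDR": "127.0.0.1",
                               "HTTP_REMOTE_USER": "alice"},
                      form={"HTTP_REMOTE_USER": "someone-else"})
    print(userid_loose(req), userid_strict(req), userid_checked(req))
```

The loopback gate only models the post's "nobody can directly access zope" requirement; it does not replace a firewall or binding Zope to 127.0.0.1.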