FWIW, I've used the single sign on pattern in this use case to avoid
the need for proxying. Using mod_auth_tkt like authentication on the
Linux server logins are sent to an IIS server on the LAN which then
redirects back to the Linux server with an authentication token. The
Python ASP script I use for this is included in
http://pypi.python.org/pypi/plone.session

Laurence

On 20 September 2010 18:17, Chris Withers <ch...@simplistix.co.uk> wrote:
> Hi All,
>
> I was wondering if one of these existed already so thought I'd ask here
> before I wrote one...
>
> So, we have a front end server running Apache, on Windows, doing NTLM
> auth (yay! go suckiness!). It proxies requests through to one of our
> back end servers, setting a header in the process:
>
> <Proxy *>
>    Order deny,allow
>    Allow from all
>    RewriteEngine On
>    RewriteCond %{LA-U:REMOTE_USER} (.+)
>    RewriteRule . - [E=RU:%1]
>    RequestHeader set X-Forwarded-User %{RU}e
> </Proxy>
>
> So, I need to turn the 'X-Forwarded-User' request header into the BFG
> user id. Anyone done an authentication policy that does this yet?
>
> cheers,
>
> Chris
>
> PS: Yes, this would be insecure, were the backend servers not all
> firewalled off to only accept requests from the front end ;-)
> _______________________________________________
> Repoze-dev mailing list
> Repoze-dev@lists.repoze.org
> http://lists.repoze.org/listinfo/repoze-dev
>
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev

Reply via email to