Re: [Zope] single sign-on

2007-02-04 Thread Bryan Simmons

1.  What do you mean by doesn't work?
2.  Is there any log output either from your apache
error_log/access_log or zope event.log?

On 1/29/07, John Fugazi [EMAIL PROTECTED] wrote:

> I have installed Plone with openSUSE 10.2 (working).  I have also installed
> LDAPUserFolder and LDAPMultiPlugins (working).  The default installation of
> Plone is located in /var/opt/zope/default.  I have loaded mod_proxy,
> mod_proxy_http, mod_rewrite and mod_headers.  I have also compiled and loaded
> mod_ntlm.  I tested mod_ntlm on just an ordinary directory that contained
> an index.html and it worked fine.  Mod_ntlm asked for username and
> password, which authenticated.  I set Internet Explorer to automatic logon
> with current username and password and I was able to get to the web page
> without typing a username and password.
>
> This is my conf, but this does not work.
>
> <VirtualHost 192.168.200.20:80>
>
>    ServerName openSUSE
>
>    ServerSignature On
>    RewriteEngine On
>
>    <Location /var/opt/zope/default>
>    AuthName Active Directory Domain
>    AuthType NTLM
>    NTLMAuth on
>    NTLMAuthoritative on
>    NTLMDomain domain
>    NTLMServer ads
>
>    require valid-user
>
>    RequestHeader set REMOTE_USER %{REMOTE_USER}e
>
>    </Location>
>
>    RewriteRule ^/(.*) \
>    http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/hechtburdeshaw/$1 \
>    [L,P,E= REMOTE_USER:%{LA-U:REMOTE_USER}]
>
> </VirtualHost>
>
> Any suggestions


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )




--
Regards,

Bryan Simmons

 All parts should go together without forcing. You must remember
that the parts you are reassembling were disassembled by you.
Therefore, if you can't get them together again, there must be a
reason. By all means, do not use a hammer.
 -- IBM maintenance manual, 1925


Re: [Zope] single sign-on

2007-02-01 Thread Dieter Maurer
John Fugazi wrote at 2007-1-29 14:33 -0500:
> I have installed Plone with openSUSE 10.2 (working).  I have also installed
> LDAPUserFolder and LDAPMultiPlugins (working).  The default installation of
> Plone is located in /var/opt/zope/default.  I have loaded mod_proxy,
> mod_proxy_http, mod_rewrite and mod_headers.  I have also compiled and loaded
> mod_ntlm.  I tested mod_ntlm on just an ordinary directory that contained
> an index.html and it worked fine.  Mod_ntlm asked for username and
> password, which authenticated.  I set Internet Explorer to automatic logon
> with current username and password and I was able to get to the web page
> without typing a username and password.
>
> This is my conf, but this does not work.
>
> <VirtualHost 192.168.200.20:80>
>
> ServerName openSUSE
>
> ServerSignature On
> RewriteEngine On
>
> <Location /var/opt/zope/default>

This looks very strange. Why would your Apache be interested in any way
where your Zope has been installed?

> AuthName Active Directory Domain
> AuthType NTLM



-- 
Dieter


[Zope] single sign-on

2007-01-29 Thread John Fugazi
I have installed Plone with openSUSE 10.2 (working).  I have also installed 
LDAPUserFolder and LDAPMultiPlugins (working).  The default installation of 
Plone is located in /var/opt/zope/default.  I have loaded mod_proxy, 
mod_proxy_http, mod_rewrite and mod_headers.  I have also compiled and loaded
mod_ntlm.  I tested mod_ntlm on just an ordinary directory that contained
an index.html and it worked fine.  Mod_ntlm asked for username and
password, which authenticated.  I set Internet Explorer to automatic logon
with current username and password and I was able to get to the web page
without typing a username and password.




This is my conf, but this does not work.

<VirtualHost 192.168.200.20:80>

   ServerName openSUSE

   ServerSignature On
   RewriteEngine On

   <Location /var/opt/zope/default>
   AuthName Active Directory Domain
   AuthType NTLM
   NTLMAuth on
   NTLMAuthoritative on
   NTLMDomain domain
   NTLMServer ads

   require valid-user

   RequestHeader set REMOTE_USER %{REMOTE_USER}e

   </Location>

   RewriteRule ^/(.*) \
   http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/hechtburdeshaw/$1 \
   [L,P,E= REMOTE_USER:%{LA-U:REMOTE_USER}]

</VirtualHost>

Any suggestions



Re: [Zope] single sign-on

2006-04-07 Thread Luca Olivetti

Fernando Martins wrote:

> David H wrote:
>
> > Robert,
> >
> > You can python + COM your way to a browser startup zope/plone login
> > screen.  I cannot see how you automate the authentication of a given
> > browser instance that is then handed to your users.
>
> Hmm, that's not automation in this sense. The user logs in to the
> workstation (Windows, don't know about unix), the user opens the browser and
> accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will
> then send authentication information to the Intranet server using the NTLM
> protocol. The web server (Apache with NTLM module) checks with some internal
> Domain server and sets the environmental variable REMOTE_USER. This is then
> sent to a CGI or FastCGI app (zope with FastCGI).
>
> > Maybe someone will correct this.  If so everyone's happy.
>
> Yes, local Intranet users love this, one less login, automatic recognition,
> personalisation, instant gratification,... ;-)


It seems it is possible but a little convoluted.
WARNING this has only had very limited testing and it's *not* in 
production (and I'm not sure it will ever be).


The first hurdle is that with the proxying configuration (RewriteRule
with the P flag) ntlm_mod sends Proxy-Authenticate instead of
WWW-Authenticate and it didn't work, so the first thing I needed to do
was to modify ntlm_mod.c to always request WWW-Authenticate (easy to
do, just find any instance of r->proxyreq and change it to
r->proxyreq  0). I didn't see this reported anywhere, so it could
just be my local setup with apache 2.


Then in Apache I used the RequestHeader directive to add the remote user 
to the request *and* the E option in the RewriteRule to put the remote 
user in the environment (so that RequestHeader works),

i.e. (zope is served here under the test directory t):


<Location /t/>
AuthName "A Protected Place"
AuthType NTLM
NTLMAuth On
NTLMAuthoritative on
NTLMDomain YOURDOMAIN
NTLMServer yourhost
NTLMBasicAuth on
NTLMBasicRealm YOURREALM
require valid-user

RequestHeader set REMOTE_USER %{REMOTE_USER}e
</Location>

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !443$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} 443$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]



(note that this contortion with ssl may be due, again, to my setup. Note 
also that I didn't manage to make ntlm+ssl work with internet explorer, 
it works fine with firefox).


At this point zope should see an additional header REMOTE_USER (with the 
consequent security risk: you should make sure that nobody can directly 
access zope otherwise they can fake this header and pose as any user) 
which is available in request.environ as HTTP_REMOTE_USER.


Then it's just a matter of using PAS with the SharkbyteSSOPlugin 
(http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured 
to use HTTP_REMOTE_USER.


I'd suggest to change

   userid = request.get(self.uservar)

to

   userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to 
me anyway, but I'm not a security expert ;-)


Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007


Re: [Zope] single sign-on

2006-04-07 Thread Luca Olivetti

Luca Olivetti wrote:

> At this point zope should see an additional header REMOTE_USER (with the
> consequent security risk: you should make sure that nobody can directly
> access zope otherwise they can fake this header and pose as any user)
> which is available in request.environ as HTTP_REMOTE_USER.
>
> Then it's just a matter of using PAS with the SharkbyteSSOPlugin
> (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured
> to use HTTP_REMOTE_USER.
>
> I'd suggest to change
>
>    userid = request.get(self.uservar)
>
> to
>
>    userid = request.environ.get(self.uservar)
>
> for a little more security - not that this setup seems really secure to
> me anyway, but I'm not a security expert ;-)


Ok, useless suggestion, since Zope request does the right thing:
1)it will search in the environment before searching in the form and
2)it'll strip any form variable that starts with 'HTTP_'

Bye

--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007
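
The header-trust caveat and the request lookup order from the two messages above, as an added example that is not part of the thread and is not Zope or SharkbyteSSOPlugin code. `MiniRequest`, `sso_userid` and `TRUSTED_PROXIES` are hypothetical names, the sample requests are constructed, and it assumes Apache and Zope run on the same host.

```python
import ipaddress

# Assumption: Apache proxies to Zope over loopback, so loopback is the only
# peer allowed to assert an identity through the REMOTE_USER header.
TRUSTED_PROXIES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)
USER_VAR = "HTTP_REMOTE_USER"  # how the REMOTE_USER header appears in environ


class MiniRequest:
    """Constructed stand-in for the lookup order described in the thread."""

    def __init__(self, environ, form=None):
        self.environ = dict(environ)
        # Form variables whose names start with HTTP_ are dropped.
        self.form = {k: v for k, v in (form or {}).items()
                     if not k.startswith("HTTP_")}

    def get(self, key, default=None):
        # The environment is searched before the form.
        if key in self.environ:
            return self.environ[key]
        return self.form.get(key, default)


def sso_userid(request, trusted=TRUSTED_PROXIES):
    """Return the proxy-asserted user id, or None when it must not be trusted."""
    try:
        peer = ipaddress.ip_address(request.environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # missing or malformed peer address
    if not any(peer in net for net in trusted):
        return None  # request did not come through the proxy
    userid = (request.environ.get(USER_VAR) or "").strip()
    # mod_headers writes the literal "(null)" when %{REMOTE_USER}e is unset,
    # i.e. when the request reached the proxy rule without authentication.
    if not userid or userid == "(null)":
        return None
    return userid


# Constructed sample requests (not taken from any real log).
SAMPLES = {
    "via_proxy": MiniRequest(
        {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "jdoe"}),
    "direct_to_zope": MiniRequest(
        {"REMOTE_ADDR": "192.168.200.57", "HTTP_REMOTE_USER": "admin"}),
    "form_field_only": MiniRequest(
        {"REMOTE_ADDR": "127.0.0.1"}, form={"HTTP_REMOTE_USER": "admin"}),
    "unauthenticated": MiniRequest(
        {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "(null)"}),
}


def evaluate_samples():
    """Map each sample name to the user id the check accepts (or None)."""
    return {name: sso_userid(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, userid in evaluate_samples().items():
        print(f"{name:16} -> {userid!r}")
```

The address check only separates remote clients from the proxy; local processes on the same host still share the loopback address, so binding Zope to localhost or firewalling its port remains the primary control.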


Re: [Zope] single sign-on

2006-04-03 Thread Chris Withers

Stefan H. Holek wrote:
> You may want to contact Netsight(.co.uk), they have a working NTLM auth
> system for Zope/Plone. It's not gratis though, AFAIK. It's also possible
> to use ActiveDirectory for both Windows and Zope (via LDAPUserFolder).


*mumble* *mumble* It works about 95% of the time. NTLM is the devil's own
faeces, avoid like the plague unless you're gonna get IIS to do the
actual authentication...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



RE: [Zope] single sign-on

2006-04-03 Thread Fernando Martins
David H wrote:
> Robert,
>
> You can python + COM your way to a browser startup zope/plone login
> screen.  I cannot see how you automate the authentication of a given
> browser instance that is then handed to your users.

Hmm, that's not automation in this sense. The user logs in to the
workstation (Windows, don't know about unix), the user opens the browser and
accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will
then send authentication information to the Intranet server using the NTLM
protocol. The web server (Apache with NTLM module) checks with some internal
Domain server and sets the environmental variable REMOTE_USER. This is then
sent to a CGI or FastCGI app (zope with FastCGI).

> Maybe someone will correct this.  If so everyone's happy.

Yes, local Intranet users love this, one less login, automatic recognition,
personalisation, instant gratification,... ;-)

Cheers,
Fernando



Re: [Zope] single sign-on

2006-04-02 Thread robert rottermann

Fernando Martins wrote:

> Hi,
>
> I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> deprecated, is there any alternative?
>
> TIA,
> Fernando Martins


Fernando,
during the next 4 weeks we will be prototyping a site.
One of the requests we have to meet is SSO using
Active Directory to manage the users. One of the requests
we *should* meet (I declined to commit ourselves for this feature)
is that a user when logged into Windows she is automatically logged into
Plone. The server is running on a Linux box (SuSE 9.3 or later)
No idea yet whether this is possible yet, and I have read all related 
info with interest.

If you like we can try to join forces.

Robert


Re: [Zope] single sign-on

2006-04-02 Thread David H

robert rottermann wrote:


> Fernando Martins wrote:
>
> > Hi,
> >
> > I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> > deprecated, is there any alternative?
> >
> > TIA,
> > Fernando Martins


> Fernando,
> during the next 4 weeks we will be prototyping a site.
> One of the requests we have to meet is SSO using
> Active Directory to manage the users. One of the requests
> we *should* meet (I declined to commit ourselves for this feature)
> is that a user when logged into Windows she is automatically logged into
> Plone. The server is running on a Linux box (SuSE 9.3 or later)
> No idea yet whether this is possible yet, and I have read all related
> info with interest.
>
> If you like we can try to join forces.
>
> Robert


Robert,

You can python + COM your way to a browser startup zope/plone login 
screen.  I cannot see how you automate the authentication of a given 
browser instance that is then handed to your users.


Maybe someone will correct this.  If so everyone's happy.

Of course, you could make your plone site anonymous if you feel you're
secure by the time they get there.


David




Re: [Zope] single sign-on

2006-04-02 Thread Maciej Wisniowski



> during the next 4 weeks we will be prototyping a site.
> One of the requests we have to meet is SSO using
> Active Directory to manage the users. One of the requests
> we *should* meet (I declined to commit ourselves for this feature)
> is that a user when logged into Windows she is automatically logged into
> Plone. The server is running on a Linux box (SuSE 9.3 or later)
> No idea yet whether this is possible yet, and I have read all related
> info with interest.
>
> If you like we can try to join forces.



Hi!

I think you should take a look at CAS (Central Authentication Service),
there are few user folders for Zope that can use this. The idea of automatic
logon to plone may be possibly done with CAS and ActiveDirectory or maybe
with X509 certificates, tokens or such things.

--
Maciej Wisniowski


RE: [Zope] single sign-on

2006-04-01 Thread Dieter Maurer
Fernando Martins wrote at 2006-3-30 22:08 +0200:
> > > I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> > > deprecated, is there any alternative?
> >
> > As documented: Zope as standalone server + an optional reverse proxy
> > (Squid/Apache). But no idea how this would solve a SSO issue.
> >
> > -aj
>
> Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the
> required environmental variable REMOTE_USER to zope. I was asking about single
> sign-on alternatives for Zope.

In principle, the rewrite rules allow to specify environment extensions.
When I remember right, you use an E=... in the [P, ...] to call
for such an extension.


-- 
Dieter


RE: [Zope] single sign-on

2006-04-01 Thread Fernando Martins
Dieter Maurer wrote:
> Yes, I understand the alternative to FastCGI, but mod_proxy
> doesn't pass the required environmental variable REMOTE_USER to
> zope. I was asking about single sign-on alternatives for Zope.
>
> In principle, the rewrite rules allow to specify environment extensions.
> When I remember right, you use an E=... in the [P, ...] to call
> for such an extension.


Indeed, I also looked into mod_rewrite (which I'm using anyway) and I
realised I could put the user id into the URL with %{LA-U:REMOTE_USER}.
That's a special case of %{ NAME_OF_VARIABLE }, required because this
variable is set by the authorization phases which come after the URL
translation phase where mod_rewrite operates.

The problem is that I have no knowledge of zope internals, including VHM.
And not much time (or money) to fix it. Any idea if it would be a simple
matter of patching RemoteUserFolder or would it require additional patching
to VHM, etc?

If feasible, this could indeed be a nice solution, only with positive impact
(get rid of FastCGI).

Regards,
Fernando



RE: [Zope] single sign-on

2006-04-01 Thread Fernando Martins
Dieter Maurer wrote:
> Yes, I understand the alternative to FastCGI, but mod_proxy
> doesn't pass the required environmental variable REMOTE_USER to
> zope. I was asking about single sign-on alternatives for Zope.
>
> In principle, the rewrite rules allow to specify environment extensions.
> When I remember right, you use an E=... in the [P, ...] to call
> for such an extension.

Actually, I see now you are referring to the substitution flags. This is
indeed env|E=VAR:VAL but the idea is to set an environmental variable which
can be later dereferenced in many situations, but usually from within XSSI
(via <!--#echo var=VAR-->) or CGI (e.g.  $ENV{'VAR'}). But, unless I'm
missing something, this solution hits the problem that environment variables
are not passed into zope (except through FastCGI).

Regards,
Fernando



Re: [Zope] single sign-on

2006-04-01 Thread Paul Winkler
On Sat, Apr 01, 2006 at 03:20:22PM +0200, Fernando Martins wrote:
> Dieter Maurer wrote:
> > Yes, I understand the alternative to FastCGI, but mod_proxy
> > doesn't pass the required environmental variable REMOTE_USER to
> > zope. I was asking about single sign-on alternatives for Zope.
> >
> > In principle, the rewrite rules allow to specify environment extensions.
> > When I remember right, you use an E=... in the [P, ...] to call
> > for such an extension.
>
> Actually, I see now you are referring to the substitution flags. This is
> indeed env|E=VAR:VAL but the idea is to set an environmental variable which
> can be later dereferenced in many situations, but usually from within XSSI
> (via <!--#echo var=VAR-->) or CGI (e.g.  $ENV{'VAR'}). But, unless I'm
> missing something, this solution hits the problem that environment variables
> are not passed into zope (except through FastCGI).

I've never tried those apache flags; but you might have a look
in zope's REQUEST.environ mapping ... maybe it Just Works?
*shrug*

-- 

Paul Winkler
http://www.slinkp.com


Re: [Zope] single sign-on

2006-03-31 Thread Stefan H. Holek
You may want to contact Netsight(.co.uk), they have a working NTLM  
auth system for Zope/Plone. It's not gratis though, AFAIK. It's also  
possible to use ActiveDirectory for both Windows and Zope (via  
LDAPUserFolder).


Stefan


On 31 Mar 2006, at 09:03, Fernando Martins wrote:

> Interesting to know about, but it seems to be restricted to web sso, whereas
> I had in mind sso including the workstation login. It seems to be a full
> authentication mechanism on its own and it doesn't integrate with existing
> authentication systems, right? (no NTLM and it uses kerberos but on its
> own)
>
> Thanks,
> Fernando



--
Anything that happens, happens.  --Douglas Adams




Re: [Zope] single sign-on

2006-03-31 Thread Robert Boyd
On 3/30/06, Fernando Martins [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> deprecated, is there any alternative?


FastCGI is deprecated, but it still can be used, correct? I also use
it to pass REMOTE_USER from Apache to Zope (in a Shibboleth set-up),
and nobody has given me an alternative using rewrite and proxy.


RE: [Zope] single sign-on

2006-03-31 Thread Fernando Martins
Robert Boyd wrote:
> FastCGI is deprecated, but it still can be used, correct? I also use
> it to pass REMOTE_USER from Apache to Zope (in a Shibboleth set-up),
> and nobody has given me an alternative using rewrite and proxy.
 

Well, you'll get a warning of the deprecation at start time. That's all, I 
believe. But since it is deprecated, bug fixing/improvements will not be done, 
like this one:  filestream_iterator handling is not implemented for FastCGI 
protocol, see http://www.zope.org/Collectors/Zope/1647

Furthermore, I have another annoying problem with the current setup. I provide 
some files from the file system, through LocalFS, but it doesn't work with 
Apache+NTLM+FastCGI. Rather than getting the file I get the description of the 
object, like

<open file '/work/docs/MyFile.PDF', mode 'rb' at 0x42310974>

Regards,
Fernando



[Zope] single sign-on

2006-03-30 Thread Fernando Martins
Hi,

I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
deprecated, is there any alternative?

TIA,
Fernando Martins



Re: [Zope] single sign-on

2006-03-30 Thread Andreas Jung



--On 30 March 2006 21:16:09 +0200 Fernando Martins [EMAIL PROTECTED] wrote:

> Hi,
>
> I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> deprecated, is there any alternative?



As documented: Zope as standalone server + an optional reverse proxy 
(Squid/Apache). But no idea how this would solve a SSO issue.


-aj

Andreas Jung, ZOPYX Ltd. & Co KG
E-mail: [EMAIL PROTECTED]   Web: www.zopyx.com, www.zopyx.de




RE: [Zope] single sign-on

2006-03-30 Thread Fernando Martins
> > Hi,
> >
> > I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is
> > deprecated, is there any alternative?
>
> As documented: Zope as standalone server + an optional reverse proxy
> (Squid/Apache). But no idea how this would solve a SSO issue.
>
> -aj

Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the 
required environmental variable REMOTE_USER to zope. I was asking about single 
sign-on alternatives for Zope.

Fernando



Re: [Zope] single sign-on

2006-03-30 Thread Lennart Regebro
On 3/30/06, Fernando Martins [EMAIL PROTECTED] wrote:
> Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the
> required environmental variable REMOTE_USER to zope. I was asking about
> single sign-on alternatives for Zope.

Yale made a system called CAS, that works fine for SSO. It's simple
and secure and easy to  implement.

My PAS plugin is available at http://www.zope.org/Members/regebro . I
have a CookieCrumbler type thingy somewhere too.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


RE: [Zope] single sign-on

2006-03-30 Thread Fernando Martins

Lennart Regebro wrote:
> On 3/30/06, Fernando Martins [EMAIL PROTECTED] wrote:
> > Yes, I understand the alternative to FastCGI, but mod_proxy
> > doesn't pass the required environmental variable REMOTE_USER to
> > zope. I was asking about single sign-on alternatives for Zope.
>
> Yale made a system called CAS, that works fine for SSO. It's simple
> and secure and easy to  implement.
>
> My PAS plugin is available at http://www.zope.org/Members/regebro . I
> have a CookieCrumbler type thingy somewhere too.


Interesting to know about, but it seems to be restricted to web sso, whereas
I had in mind sso including the workstation login. It seems to be a full
authentication mechanism on its own and it doesn't integrate with existing
authentication systems, right? (no NTLM and it uses kerberos but on its
own)

Thanks,
Fernando



Re: [Zope] single sign-on

2006-03-30 Thread Lennart Regebro
On 3/31/06, Fernando Martins [EMAIL PROTECTED] wrote:
> Interesting to know about, but it seems to be restricted to web sso, whereas
> I had in mind sso including the workstation login.

Ah. I don't know how (or if) you do that with CAS.

> It seems to be a full
> authentication mechanism on its own and it doesn't integrate with existing
> authentication systems, right? (no NTLM and it uses kerberos but on its
> own)

It can use NTLM as well, it's just a question of how you validate the
username and password. But it still means dual logins.



--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/