Re: [Zope] Authentication after proxy
(Mon, Apr 07, 2008 at 06:11:33AM +0200) Andreas Jung wrote/schrieb/egrapse:
> --On 6. April 2008 20:46:57 -0400 Maslak, Michael [EMAIL PROTECTED] wrote:
>> I have put the Zope server behind a reverse proxy using ssl. I think I have some of the Apache certificate problems solved. Zope asks me to authenticate once after accepting the ssl cert. But then it asks me to authenticate again and there are more certs to be accepted. I'm sure this is a common enough situation: Zope behind Apache rewrite rules on the target server that all lives behind a proxy server, all using ssl.
>
> Please provide your configuration with the rewrite rules. The rules for putting Zope behind Apache doing SSL are basically the same compared to a standard setup without SSL.

... and then, problems with Apache, Zope, and RewriteRules are almost totally in the realm of FAQs and resolved problems, please consult the relevant docs at:

http://wiki.zope.org/zope2/ZopeAndApache

(if you still have problems, see especially the section Debugging, Common Pitfalls, Problems) and then get your rewrite rules from the witch:

http://betabug.ch/zope/witch

The browser presenting multiple certs IMHO points to the rewriterule not being right and subsequent page elements being requested with different subdomains due to that.

Regards,
Sascha

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )

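A check for the mismatch described in the message above, as an added example that is not part of the original thread: it compares the scheme, host and port a proxied RewriteRule hands to Zope with the ones the Apache virtual host itself serves. It assumes the rule uses Zope's VirtualHostMonster URL form (/VirtualHostBase/scheme/host:port/.../VirtualHostRoot/); the hostnames, the sample configuration and the name check_vhost are constructed for illustration.

```python
import re

# Constructed sample: an SSL virtual host whose proxied rewrite target tells
# Zope a different scheme, host and port than the browser is using.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/zope.example.org:80/site/VirtualHostRoot/$1 [L,P]
</VirtualHost>
"""
# The same virtual host with the rewrite target aligned to the public URL.
FIXED_VHOST = SAMPLE_VHOST.replace(
    "/http/zope.example.org:80/", "/https/www.example.org:443/")

RULE = re.compile(
    r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+(?P<target>\S+)"
    r"(?:[ \t]+\[(?P<flags>[^\]]*)\])?", re.M | re.I)
VHM = re.compile(
    r"/VirtualHostBase/(?P<scheme>[^/]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?/")
DEFAULT_PORT = {"http": "80", "https": "443"}


def check_vhost(conf):
    """Return (code, detail) findings for the proxied RewriteRules of one vhost."""
    server = re.search(r"^[ \t]*ServerName[ \t]+(\S+)", conf, re.M | re.I)
    listen = re.search(r"<VirtualHost[ \t]+[^>]*:(\d+)[ \t]*>", conf, re.I)
    ssl = re.search(r"^[ \t]*SSLEngine[ \t]+on\b", conf, re.M | re.I)
    want_scheme = "https" if ssl else "http"
    want_host = server.group(1).lower() if server else None
    want_port = listen.group(1) if listen else DEFAULT_PORT[want_scheme]

    findings = []
    for rule in RULE.finditer(conf):
        flags = {f.strip().upper() for f in (rule.group("flags") or "").split(",")}
        if not flags & {"P", "PROXY"}:
            continue                      # rule is not proxied to a backend
        target = rule.group("target")
        vhm = VHM.search(target)
        if vhm is None:
            # Without VirtualHostBase Zope builds links from the backend URL.
            findings.append(("no-virtualhostbase", target))
            continue
        scheme = vhm.group("scheme").lower()
        host = vhm.group("host").lower()
        port = vhm.group("port") or DEFAULT_PORT.get(scheme, "")
        if scheme != want_scheme:
            findings.append(("scheme-mismatch", f"{scheme} != {want_scheme}"))
        if want_host and host != want_host:
            findings.append(("host-mismatch", f"{host} != {want_host}"))
        if port != want_port:
            findings.append(("port-mismatch", f"{port} != {want_port}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_VHOST), ("fixed", FIXED_VHOST)):
        print(name, check_vhost(conf))
```

Any finding means the links Zope generates point somewhere other than the virtual host the user connected to, which is where the extra certificate and login prompts come from.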
Re: [Zope] Authentication after proxy
Maslak, Michael wrote at 2008-4-6 20:46 -0400:
> I have put the Zope server behind a reverse proxy using ssl. I think I have some of the Apache certificate problems solved. Zope asks me to authenticate once after accepting the ssl cert.

Usually, Zope does not see the ssl cert at all -- only Apache.

> But then it asks me to authenticate again and there are more certs to be accepted.

I cannot follow you. I fear you need to be very careful with the term cert. A login (either basic HTTP or a form based login) is not a cert.

--
Dieter

Re: [Zope] Authentication after proxy
--On 6. April 2008 20:46:57 -0400 Maslak, Michael [EMAIL PROTECTED] wrote:
> I have put the Zope server behind a reverse proxy using ssl. I think I have some of the Apache certificate problems solved. Zope asks me to authenticate once after accepting the ssl cert. But then it asks me to authenticate again and there are more certs to be accepted. I'm sure this is a common enough situation: Zope behind Apache rewrite rules on the target server that all lives behind a proxy server, all using ssl.

Please provide your configuration with the rewrite rules. The rules for putting Zope behind Apache doing SSL are basically the same compared to a standard setup without SSL.

-aj

Re: [Zope] Authentication on a Folder?
--On 11. September 2006 01:05:01 -0700 Ferhat Ayaz [EMAIL PROTECTED] wrote:
> Hi, I want to restrict access to a subfolder:
>
> Folder structure:
> - Root Folder
> +- MySite
> +- Admin
>
> Access limitation:
> - My Site: Public for all
> Admin: Only with Basic Authentication

Why basic authentication? In general you control access to objects by granting or revoking a particular permission (in your case the View permission) to roles/from roles (see Access tab within the ZMI).

-aj

Re: [Zope] Authentication on a Folder?
argh, yes thanks. It's better than basic auth. (and easier)

But now I'm standing against the problem: calling Scripts from an authentication Folder within the application server.

+ MySite : index_html
|-+ Admin : getUser

In index_html:

<p tal:content="container/Admin/getUser"/>

will an authenticated user. But the page template MySite/index_html should have access to the Script Admin/getUser. I don't know how to do this.??

thanks,
Ferhat

--- Andreas Jung [EMAIL PROTECTED] wrote:
> --On 11. September 2006 01:05:01 -0700 Ferhat Ayaz [EMAIL PROTECTED] wrote:
>> Hi, I want to restrict access to a subfolder:
>>
>> Folder structure:
>> - Root Folder
>> +- MySite
>> +- Admin
>>
>> Access limitation:
>> - My Site: Public for all
>> Admin: Only with Basic Authentication
>
> Why basic authentication? In general you control access to objects by granting or revoking a particular permission (in your case the View permission) to roles/from roles (see Access tab within the ZMI).
>
> -aj

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
Please keep this on the list. I am not some personal help desk, unless you pay me.

>> Are you sure the DTML method is finding the correct object to call findUsers on?
>
> ya, am sure n confirmed tht the object i mean LDAP directory server is found and shows up in the acl_users folder. it does not show any message not connected which is the case when it can find the object.

You don't understand what I am talking about. When you call findUsers, have you confirmed that the object you call it on is the user folder? The exception says there is no findUsers method on the object, so it is probably not using the right object.

> Pls let me know how to configure the application so that the basic authentication pop-up dialog comes up when we access the URL(this happens in our old installation).

You don't get what people try to tell you: This is not an authentication problem. The problem is with the exception that claims there is no findUsers method. This exception happens before authentication kicks in.

jens

Re: [Zope] Authentication on a Folder?
Ferhat Ayaz wrote:
> In index_html:
>
> <p tal:content="container/Admin/getUser"/>
>
> will an authenticated user. But the page template MySite/index_html should have access to the Script Admin/getUser. I don't know how to do this.??

I think you're looking for Proxy Roles...

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk

Re: [Zope] Authentication on a Folder?
hmm. But isn't it hard work to set each script a specific permission instead of setting (I don't know how) the contained folder to the right permission?

I want to give all Scripts full access, if these are called from another ZObject (page templates, etc.). but I don't want that these scripts can be called via a web browser, because these scripts will modify the database.

--- Chris Withers [EMAIL PROTECTED] wrote:
> Ferhat Ayaz wrote:
>> In index_html:
>>
>> <p tal:content="container/Admin/getUser"/>
>>
>> will an authenticated user. But the page template MySite/index_html should have access to the Script Admin/getUser. I don't know how to do this.??
>
> I think you're looking for Proxy Roles...
>
> Chris
>
> --
> Simplistix - Content Management, Zope Python Consulting
> - http://www.simplistix.co.uk

Re: [Zope] Authentication on a Folder?
From: Ferhat Ayaz [EMAIL PROTECTED]
Sent: Monday, 11 de September de 2006 9:57

Hello.

> But now I'm standing against the problem: calling Scripts from an authentication Folder within the application server.
>
> + MySite : index_html
> -+ Admin : getUser
>
> In index_html:
>
> <p tal:content="container/Admin/getUser"/>
>
> will an authenticated user. But the page template MySite/index_html should have access to the Script Admin/getUser. I don't know how to do this.??

<p tal:content="here/getUser"/>

Create a getUser in MySite and another one in Admin. If you don't want/can't do this, you could always try to play around with proxy roles.

Best regards,
@500, Nbk

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
hello andreas,

thanks for the response. u said Import/Export is supported between Identical installations only, then can u pls tell me how to migrate an application from an older version of zope to a newer version ?

reg LDAPUF versions...we hv LDAPUF vers 2.2beta on old server. on the new system we hv installed LDAPUF version 2.7.

following is the error i get when i access the URL

Error : AttributeError
ErrorValue : findUser

pls note that no authentication dialog pops up unlike on old server. it is trying to run as Anonymous User(i confirmed this by commenting authentication part of the code..i was able to get to the home page).

Ur valuable suggestions will be greatly helpful.

thanks and regards
-Yogeen

Please let me know what may be the problem ?

--- Andreas Jung [EMAIL PROTECTED] wrote:
> --On 7. September 2006 22:37:43 -0700 yogeen honnavar [EMAIL PROTECTED] wrote:
>> Dear users, we have a zope application on an older system running Redhat 7.2 and Zope 2.6.1 with python 2.1. Now we wish to migrate the application to latest stable release of zope 2.9.4 with python 2.4.3 we hv installed zope 2.9.4 and imported the application through .zexp file.
>
> Export/import is *only supported* between *identical* installations.
>
>> this application uses LDAPUserFolder for authenticating against an LDAP server. After importing the application we recreated LDAPUserFolder instance as per the instructions. Now the problem is, when we access the application the Authentication pop-up dialog is not coming up and the application is trying to search the LDAP directory for. L Anonymous user and since the user does not exist in LDAP it is returning error Error: findUser. In the old zope server basic authentication dialog pops up when we access the URL. Can anyone suggest how to solve this problem ? How to configure the application as protected resource(we are using the built-in ZServer) so that authentication dialog pops up when the URL is accessed ? any help would be greatly appreciated.
>
> In every case you should provide reasonable version information about the installed LDAPUF versions and provide the related traceback..
>
> -aj

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
hello andreas,

am hereby giving the trace from log file. other than LDAPUF we r not using any other 3rd party products.

what i want is just to get basic authentication popup dialog to come. if it comes then the problem will be solved i guess. is there a way to configure the application so that the popup dialog pops up when the application is accessed ? coz the error mesg is that its trying find user Anonymous in LDAP and not finding. if popup comes then it may pass the entered username/password to LDAPUF i guess.

I have not yet tried migrating by just copying the Data.fs file. i'll try it out soon. till now i hv tried using import/export.

please help.

thanks and regards
-yogeen

trace :

2006-09-08T14:38:52 ERROR Zope.SiteErrorLog http://systemIP:8080/isac/PGA/index_html
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module OFS.DTMLDocument, line 128, in __call__
   - DTMLDocument at /isac/PGA/index_html
   - URL: http://systemIP:8080/isac/PGA/index_html/manage_main
   - Physical Path: /isac/PGA/index_html
  Module DocumentTemplate.DT_String, line 476, in __call__
  Module OFS.DTMLMethod, line 137, in __call__
   - DTMLMethod at /isac/PGA/cl_index_html
   - URL: http://systemIP:8080/isac/PGA/cl_index_html/manage_main
   - Physical Path: /isac/PGA/cl_index_html
  Module DocumentTemplate.DT_String, line 476, in __call__
  Module DocumentTemplate.DT_Let, line 75, in render
  Module DocumentTemplate.DT_Util, line 196, in eval
   - __traceback_info__: cl
  Module string, line 1, in expression
  Module DocumentTemplate.DT_Util, line 160, in render
  Module OFS.DTMLMethod, line 137, in __call__
   - DTMLMethod at /isac/PGA/cl/areYouCLpaRecoSanc
   - URL: http://systemIP:8080/isac/PGA/cl/areYouCLpaRecoSanc/manage_main
   - Physical Path: /isac/PGA/cl/areYouCLpaRecoSanc
  Module DocumentTemplate.DT_String, line 476, in __call__
  Module DocumentTemplate.DT_Let, line 76, in render
  Module DocumentTemplate.DT_Let, line 75, in render
  Module DocumentTemplate.DT_Util, line 196, in eval
   - __traceback_info__: _
  Module string, line 1, in expression
AttributeError: findUser

--- Andreas Jung [EMAIL PROTECTED] wrote:
> --On 8. September 2006 01:04:16 -0700 yogeen honnavar [EMAIL PROTECTED] wrote:
>> hello andreas, thanks for the response. u said Import/Export is supported between Identical installations only, then can u pls tell me how to migrate an application from an older version of zope to a newer version ?
>
> To be honest: that's *your* problem :-) If you upgrade *only* your Zope with unchanged 3rd party-products (identical versions) then there is a chance the upgrading by copying the Data.fs and/or export/import might work. But export/import *is not* a migration tool. Migrations are specific to your products and your app.
>
>> reg LDAPUF versions...we hv LDAPUF vers 2.2beta on old server. on the new system we hv installed LDAPUF version 2.7. following is the error i get when i access the URL
>> Error : AttributeError
>> ErrorValue : findUser
>
> I asked about the *full traceback*. This excerpt is useless.
>
> -aj

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
yogeen honnavar wrote at 2006-9-8 03:10 -0700:
> ...
> trace :
> 2006-09-08T14:38:52 ERROR Zope.SiteErrorLog http://systemIP:8080/isac/PGA/index_html
> Traceback (innermost last):
> ...
>   Module OFS.DTMLMethod, line 137, in __call__
>    - DTMLMethod at /isac/PGA/cl/areYouCLpaRecoSanc
>    - URL: http://systemIP:8080/isac/PGA/cl/areYouCLpaRecoSanc/manage_main
>    - Physical Path: /isac/PGA/cl/areYouCLpaRecoSanc
>   Module DocumentTemplate.DT_String, line 476, in __call__
>   Module DocumentTemplate.DT_Let, line 76, in render
>   Module DocumentTemplate.DT_Let, line 75, in render
>   Module DocumentTemplate.DT_Util, line 196, in eval
>    - __traceback_info__: _
>   Module string, line 1, in expression
> AttributeError: findUser

What you see is *not* an authentication problem but a DTML method (DTMLMethod at /isac/PGA/cl/areYouCLpaRecoSanc) no longer fitting the implementation: it expects a method findUser and this is no longer there.

--
Dieter

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
On 8 Sep 2006, at 21:53, Dieter Maurer wrote:
> yogeen honnavar wrote at 2006-9-8 03:10 -0700:
>>   Module string, line 1, in expression
>> AttributeError: findUser
>
> What you see is *not* an authentication problem but a DTML method (DTMLMethod at /isac/PGA/cl/areYouCLpaRecoSanc) no longer fitting the implementation: it expects a method findUser and this is no longer there.

The method still exists in version 2.7, so something else must be amiss.

Does the product show up as installed correctly when you go to the Control_panel in the ZMI and click on Product Management?

Do you see any error output when starting Zope in the foreground (- set debug_mode to on in zope.conf and then start the instance with zopectl fg).

Are you sure the DTML method is finding the correct object to call findUsers on?

You don't provide enough details I'm afraid.

jens

Re: [Zope] Authentication Problem with migration from Zope 2.6.1 to Zope 2.9.4
--On 7. September 2006 22:37:43 -0700 yogeen honnavar [EMAIL PROTECTED] wrote:
> Dear users, we have a zope application on an older system running Redhat 7.2 and Zope 2.6.1 with python 2.1. Now we wish to migrate the application to latest stable release of zope 2.9.4 with python 2.4.3 we hv installed zope 2.9.4 and imported the application through .zexp file.

Export/import is *only supported* between *identical* installations.

> this application uses LDAPUserFolder for authenticating against an LDAP server. After importing the application we recreated LDAPUserFolder instance as per the instructions. Now the problem is, when we access the application the Authentication pop-up dialog is not coming up and the application is trying to search the LDAP directory for. L Anonymous user and since the user does not exist in LDAP it is returning error Error: findUser. In the old zope server basic authentication dialog pops up when we access the URL. Can anyone suggest how to solve this problem ? How to configure the application as protected resource(we are using the built-in ZServer) so that authentication dialog pops up when the URL is accessed ? any help would be greatly appreciated.

In every case you should provide reasonable version information about the installed LDAPUF versions and provide the related traceback..

-aj

Re: [Zope] Authentication problems on FreeBSD with Apache
First off, bypass apache and go straight to zope - typically port 8080.

Did you make note of the superuser name and password the installation script produced? If not, use zpasswd.py to create a new one. I'm presuming that you're using 2.2.x.

Don't forget to create a manager user and switch to it after you get logged in as the superuser.

Search on zope.org for 'apache'.

Bill.

On Thu, 11 Jan 2001, Drew Sanford wrote:
> I have recently installed Zope on FreeBSD running the Apache web server. When I attempt to access the management page from http://my.web.server/cgi-bin/Zope.cgi I get authentication failures. I'm sure there are things that I've missed in what I've seen, and the section on running Zope with Apache in the manual isn't done yet. Can anyone point me towards some of the known issues here as far as what someone clueless about Zope but reasonably familiar with Apache might need to do to get authentication working?

Re: [Zope] Authentication problems on FreeBSD with Apache
hi,

Did you create an Administrators account in zope and set the passwd for it?

j.

Jason C. Leach
University College of the Cariboo.

On Thu, 11 Jan 2001, Drew Sanford wrote:
> I have recently installed Zope on FreeBSD running the Apache web server. When I attempt to access the management page from http://my.web.server/cgi-bin/Zope.cgi I get authentication failures. I'm sure there are things that I've missed in what I've seen, and the section on running Zope with Apache in the manual isn't done yet. Can anyone point me towards some of the known issues here as far as what someone clueless about Zope but reasonably familiar with Apache might need to do to get authentication working?

Re: [Zope] Authentication Problem : External method returning object
>> Here is the external method "testexternal":
>>
>> class AClass:

[Dieter Maurer]
> You will need (or something like this):
>
>     __access_to_unprotected_subobjects__= 1
>
>>     def __init__(self):

It works a treat. Thanks!

Sean

Re: [Zope] Authentication Problem : External method returning object :Zope 2.2.4Zope 2.2.4
Hi Sean

Sean McGrath writes:
> ... I have an external method that returns an object. I have a dtml method that tries to reference an attribute of that object. The attempted attribute reference causes the HTTP authenticate dialog to appear. No username/password seems to appease it.

Have you read Byan's "Upgrading to Zope 2.2"?

> Here is the external method "testexternal":
>
> class AClass:

You will need (or something like this):

    __access_to_unprotected_subobjects__= 1

>     def __init__(self):

Dieter

Re: [Zope] Authentication Problem : External method returning object : Zope 2.2.4
Sean McGrath [EMAIL PROTECTED] wrote:
> All,
>
> I'm just a country boy raised on mashed potatoes and Zope 2.1.6. The new security model up here in the bright lights/big city world of Zope 2.2.4 has me all confused:-)
>
> I have an external method that returns an object. I have a dtml method that tries to reference an attribute of that object. The attempted attribute reference causes the HTTP authenticate dialog to appear. No username/password seems to appease it.
>
> Here is the relevant part of the DTML:
>
> <dtml-call "REQUEST.set('foo',testexternal(REQUEST,RESPONSE))">
> <dtml-var "foo.X">
>
> Here is the external method "testexternal":

You need to tell Zope's security policy that untrusted code can read the attributes of instances of AClass, like so:

> class AClass:

      __allow_access_to_unprotected_subobjects__ = 1

>     def __init__(self):
>         self.X = 1
>         self.Y = 2
>
> def testexternal (self,REQUEST,RESPONSE):
>     A = AClass()
>     return A
>
> Thanks in advance,
> Sean McGrath

Tres.

--
Tres Seaver [EMAIL PROTECTED]
Digital Creations "Zope Dealers" http://www.zope.org

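What the declaration in the message above changes, as an added example that is not part of the thread and not Zope's source: a simplified stand-alone model of the check applied when untrusted code (DTML, Python Scripts) reads an attribute of an object with no other security declarations. The attribute accepts a true value, a per-name dictionary or a callable; the class names, the db_password attribute and the helper readable are hypothetical, and roles, permissions and acquisition are left out of the model.

```python
# Added illustration: a simplified model of the unprotected-attribute check.
# Not Zope's implementation; roles, permissions and acquisition are omitted.

DECL = "__allow_access_to_unprotected_subobjects__"


class Unauthorized(Exception):
    """Raised where Zope would answer with an authentication challenge."""


def guarded_getattr(obj, name):
    """Return obj.<name> if the model policy allows it, else raise."""
    if name.startswith("_"):
        raise Unauthorized(name)           # underscore names are never exposed
    value = getattr(obj, name)
    policy = getattr(obj, DECL, None)
    if isinstance(policy, dict):           # per-name form: {"X": 1}
        policy = policy.get(name)
    elif callable(policy):                 # callable form: f(name, value)
        policy = policy(name, value)
    if not policy:                         # missing or false: deny
        raise Unauthorized(name)
    return value


def readable(obj, names):
    """Names from `names` that untrusted code could read on obj."""
    allowed = []
    for name in names:
        try:
            guarded_getattr(obj, name)
        except Unauthorized:
            continue
        allowed.append(name)
    return allowed


class Undeclared:                          # like AClass as first posted
    def __init__(self):
        self.X, self.Y = 1, 2
        self.db_password = "constructed-secret"   # hypothetical attribute


class Blanket(Undeclared):                 # the fix from the thread
    __allow_access_to_unprotected_subobjects__ = 1


class PerName(Undeclared):                 # narrower: only X and Y
    __allow_access_to_unprotected_subobjects__ = {"X": 1, "Y": 1}


NAMES = ["X", "Y", "db_password", "_private"]

if __name__ == "__main__":
    for cls in (Undeclared, Blanket, PerName):
        print(cls.__name__, readable(cls(), NAMES))
```

The blanket form makes every public attribute of the instance readable from DTML, so the per-name form is the one to reach for when the object also carries data that templates should not see.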
Re: [Zope] authentication II
Olaf Zanger wrote:
> hi everybody,
>
> after a long 10h struggle with installing and running zope i found some interesting things. may anybody be able to explain these to me?
>
> i run a suse7.0 system with a suse zope installation on 8080. i changed the access file to a new account name. with this account name i can do everything in zope, add users, add files, copy, paste ...
>
> if i add a new user i can not login for adding files ... aren't they made for that?

You can use them for anything ;) What each can do is determined by their roles.

> do i understand anything wrong? are they probably only for content access?

What roles did you give to these new users ?

--
Hannu

Re: [Zope] authentication
Hi Olaf,

Have you read the "security" section of the "Zope Book" draft? It's linked from the front page of Zope.org.

- Original Message -
From: "Olaf Zanger" [EMAIL PROTECTED]
To: "Zope Mailinglist" [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 1:45 AM
Subject: [Zope] authentication

> hi everybody,
>
> i can run different versions of zope and login as superuser, setup an other user and change superuser account name and password.
>
> unfortunately i don't get authenticated when i want to login as user. means i can do no work with content at all in zope.
>
> is it normal that when i go to change the user password it shows a different amount of *s there?
> how does the authentication work?
> do any files have to be at special places for authentication?
> do any files need any special permission for this?
>
> my system
> i have it run under wwwrun:nogroup and the directory
> /opt/zope is root:root
> /opt/zope/var is wwwrun:nogroup and 755
> except of files Z2.log, pcgi.soc, zProcessManager.pid that are root:root
>
> i installed zope 2.2.2, 2.2.4, compiled a 2.2.4, used an rpm, always the same problem
> latest i used an installation description for suse 6.4 ... -- no help
>
> did a lot as you see
>
> my system is a suse linux 7.0 with the update to kde2.0
>
> --
> soli-con Engineering Zanger
> Dipl.-Ing. (FH) Olaf Zanger Nusch
> Lorrainestrasse 23
> 3013 Bern / Switzerland
> Fon: +41-31-332 9782
> Mob: +41-76-572 9782
> mailto:[EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]
> http://www.soli-con.com

Re: [Zope] authentication
I'd be willing to bet that you're not properly giving the "Manager" role to the content management user you create. You need to select "Manager" from the list of roles shown on the user creation form when you create the user.

- Original Message -
From: "Olaf Zanger" [EMAIL PROTECTED]
To: "Chris McDonough" [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 7:04 AM
Subject: Re: [Zope] authentication

> hi chris,
>
>> Have you read the "security" section of the "Zope Book" draft? It's linked from the front page of Zope.org.
>
> absolutely i did, i read every docu i could get hands on, plus i searched google ... doesn't help
>
> do you have any answers to my questions ? would be of great help
>
>>> i can run different versions of zope and login as superuser, setup an other user and change superuser account name and password.
>>>
>>> unfortunately i don't get authenticated when i want to login as user. means i can do no work with content at all in zope.
>>>
>>> is it normal that when i go to change the user password it shows a different amount of *s there?
>>> how does the authentication work?
>>> do any files have to be at special places for authentication?
>>> do any files need any special permission for this?
>>>
>>> my system
>>> i have it run under wwwrun:nogroup and the directory
>>> /opt/zope is root:root
>>> /opt/zope/var is wwwrun:nogroup and 755
>>> except of files Z2.log, pcgi.soc, zProcessManager.pid that are root:root
>>>
>>> i installed zope 2.2.2, 2.2.4, compiled a 2.2.4, used an rpm, always the same problem
>>> latest i used an installation description for suse 6.4 ... -- no help
>>>
>>> did a lot as you see
>>>
>>> my system is a suse linux 7.0 with the update to kde2.0
>
> --
> soli-con Engineering Zanger
> Dipl.-Ing. (FH) Olaf Zanger Nusch
> Lorrainestrasse 23
> 3013 Bern / Switzerland
> Fon: +41-31-332 9782
> Mob: +41-76-572 9782
> mailto:[EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]
> http://www.soli-con.com

Re: [Zope] Authentication problem when accessing ZSQL method
Dieter Maurer wrote:
>> authenticate by my browser. I can't see anything in the security attributes for the SQL method which requires authentication, and I can 'test' the ZSQL method succesfully without requiring authentication.
>
> You must grant the "use database methods" to "Anonymous".

I think it's better to create a special role, give to this role the permission to "use database methods" and to give proxy role to the methods that make authentication and uses the database connection and ZSQL methods.

I think it's documented in the "GenericUserFolder with MySQL HOWTO" (or something like it)...

[]s

--
César A. K. Grossmann | Capacitação Solidária
[EMAIL PROTECTED] | http://www.uol.com.br/umminuto/
http://members.xoom.com/ckant/ | Click and donate - it's free
http://www.halcyon.com/sciclub/cgi-pvt/instr/instr.html
If you're not careful, you're going to catch something.

Re: [Zope] Re: Every user should have the Anonymous role everywhere(was :Re: [Zope] Authentication, Anonymous and Public)
On Sun, 2 Jul 2000, Dieter Maurer wrote:
> Chris Withers writes:
>> Dieter Maurer wrote:
>>> In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles.
>>
>> I'm not convinced this is true...
>
> The Content Manager Guide (Security, Authorization) states it this way:
>
> The "Anonymous" role, which all users have implicitly,

Ahh... I thought I saw this somewhere. Either a bug in the documentation, or in BasicUserFolder. Either way it should go in the collector. Since few (if any) of the user folders use this, it may be best handled in the Zope source if it is decided that it isn't a documentation error.

--
Stuart Bishop Work: [EMAIL PROTECTED]
Senior Systems Alchemist Play: [EMAIL PROTECTED]
Computer Science, RMIT University

Re: [Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)
Stuart Bishop wrote: or in BasicUserFolder. Either way it should go in the collector. Issue 1391, or in a slightly different phrasing, Issue 467 cheers, Chris
Re: [Zope] Authentication, Anonymous and Public
On Fri, 30 Jun 2000, Dieter Maurer wrote: Capesius, Alan writes: I'm running into a problem after implementing jcNTUserFolder in a subfolder of my site. Users can access the root level or particular subfolders anonymously. Once a user accesses the protected NTUserFolder, the credentials are saved in the browser. If the user then returns to the anonymous area, they can no longer access the folder due to the browser credentials. Does Zope have a mechanism equivalent to the Novell NDS Public access? that is to say: Anonymous = not authenticated. Everyone = authenticated users (that are members of the group) Public = authenticated and anonymous users. In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles. Thus, what you see, should not happen. Users, by default, are not granted the 'Anonymous' role. If you explicitly grant the Anonymous role to your users you will get the behaviour you want. Earlier than current versions of GUF automatically did this, but I changed it in the later releases after I saw the error pointed out by Ty or Phillip - this may be a source of some confusion. This email live from drizzly Queensland :-( -- Stuart Bishop Work: [EMAIL PROTECTED] Senior Systems Alchemist Play: [EMAIL PROTECTED] Computer Science, RMIT University
Re: [Zope] Authentication, Anonymous and Public
Dieter Maurer wrote: A user that does not log in, i.e. a user you know nothing of, gets the "Anonymous" role automatically (at least with "acl_users"). A logged in user may not get the "Anonymous" role. This does not provide additional security, because this user may simply shut down his browser and access the page again as anonymous user. On the other hand, it may result in surprises: suddenly (after a log on) I can no longer do things that I was able to do before the log on. I think, this should be changed. I agree, and I've said so, many times before ;-) Chris
Re: [Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)
Dieter Maurer wrote: In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles. I'm not convinced this is true... The Content Manager Guide (Security, Authorization) states it this way: The "Anonymous" role, which all users have implicitly, ...and check out the last time the Content Manager's Guide was updated ;-) Seriously, though, I think this SHOULD be true, although I'm pretty sure it isn't. This is natural, too. Why should a registered user have less authorization than an anonymous one. Or, to put it another way, just because an acl_users folder doesn't know anything about a user, why should that user not have the anonymous role? Thus, two reasons to change the Zope authorization, such that each user has implicitly the "Anonymous" role, if this is not the case now. I totally agree :-) Chris
[Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)
Chris Withers writes: Dieter Maurer wrote: In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles. I'm not convinced this is true... The Content Manager Guide (Security, Authorization) states it this way: The "Anonymous" role, which all users have implicitly, This is natural, too. Why should a registered user have less authorization than an anonymous one. Thus, two reasons to change the Zope authorization, such that each user has implicitly the "Anonymous" role, if this is not the case now. Dieter
[Zope] Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)
Dieter Maurer wrote: In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles. I'm not convinced this is true... Quoting from the LoginManager CHANGES.TXT file: Generic User Source, like the GenericUserFolder product it was inspired by, gave all users the Anonymous role. This seems to be incorrect according to what other user folders do, including the standard Zope version, so GUS now no longer does this. ...which is why Alan experiences this problem. I've also run into it just using a normal acl_users folder and I've been mentioning every few months since I bumped into it back in March. Here's my original post: http://zope.nipltd.com/public/lists/dev-archive.nsf/ByKey/82AE22A20C7E88AE I wish this could get sorted out as it makes security a nightmare unless you use a web of local roles, which is painful and messy to maintain. Is there any reason why every user shouldn't have the anonymous role for every accessible page/object/thing visitable through a protocol? cheers, Chris
RE: [Zope] Authentication, Anonymous and Public
I thought the same. Perhaps the use of NT User causes this? Since the browser has the credentials to authenticate to NT and the higher folders are not aware of the NT User Folder... Seems the only solution is to use the NT User Folder at the root level. Thanks -- From: Dieter Maurer[SMTP:[EMAIL PROTECTED]] Sent: Friday, June 30, 2000 4:40:26 PM To: Capesius, Alan Cc: [EMAIL PROTECTED] Subject: Re: [Zope] Authentication, Anonymous and Public Auto forwarded by a Rule Capesius, Alan writes: I'm running into a problem after implementing jcNTUserFolder in a subfolder of my site. Users can access the root level or particular subfolders anonymously. Once a user accesses the protected NTUserFolder, the credentials are saved in the browser. If the user then returns to the anonymous area, they can no longer access the folder due to the browser credentials. Does Zope have a mechanism equivalent to the Novell NDS Public access? that is to say: Anonymous = not authenticated. Everyone = authenticated users (that are members of the group) Public = authenticated and anonymous users. In Zope, each user has a set of roles. Any user has the "Anonymous" role. Log-in users may have additional roles. Thus, what you see, should not happen. Dieter
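The behaviour debated in this thread, as an added example that is not part of any of the posts and is not Zope's code: a simplified model of a role-based permission check, showing how a logged-in user whose role set lacks "Anonymous" loses access that an unauthenticated visitor has, plus an audit that lists such cases. The class and function names, paths and users are constructed for illustration.

```python
"""Simplified model of a role-based permission check (assumption: not Zope's code)."""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = "Anonymous"


@dataclass(frozen=True)
class User:
    name: Optional[str] = None       # None: the browser sent no credentials
    roles: frozenset = frozenset()   # roles assigned by the user folder


@dataclass
class Resource:
    path: str
    acl: dict                        # permission name -> roles granted it


def effective_roles(user, implicit_anonymous):
    """Roles used for the check; an unauthenticated visitor is always Anonymous."""
    if user.name is None:
        return frozenset({ANONYMOUS})
    extra = {ANONYMOUS} if implicit_anonymous else set()
    return frozenset(user.roles) | extra


def allowed(user, resource, permission, implicit_anonymous=False):
    """True when the user holds at least one role granted the permission."""
    granted = resource.acl.get(permission, frozenset())
    return bool(effective_roles(user, implicit_anonymous) & granted)


def lost_on_login(users, resources, permission="View"):
    """(user, path) pairs where logging in removes access a visitor has."""
    visitor = User()
    return [(u.name, r.path)
            for r in resources if allowed(visitor, r, permission)
            for u in users if not allowed(u, r, permission)]


# Constructed sample data: a public root and a protected subfolder.
RESOURCES = [
    Resource("/", {"View": frozenset({ANONYMOUS, "Manager"})}),
    Resource("/intranet", {"View": frozenset({"Member", "Manager"})}),
]
USERS = [User("alan", frozenset({"Member"})),
         User("admin", frozenset({"Manager"}))]

if __name__ == "__main__":
    for name, path in lost_on_login(USERS, RESOURCES):
        print(f"{name} can no longer view {path} after logging in")
```

Passing `implicit_anonymous=True` models the change the posters ask for; running `lost_on_login` against a real role and permission export is a quick way to see which accounts would need an explicit Anonymous grant in the meantime.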
Re: [Zope] Authentication question.
I don't know if my experience is any use. I'm developing a site with a postgresql backend and I want users to be able to enter data over the web, and I want to know who has entered what data. So only registered users can access the pages which allow data entry. I set up a GUF (Generic User Folder) and used the How-to on using GUF with SQL. This checks the login and password against Postgres and of course I can then look-up the user-id whenever I want to 'stamp' data with that user-id. I had some problems when testing the system using the 'super-user' since it wouldn't do sql-lookups for that user (this was Zope 2.1.4). Unfortunately since installing the latest release of GUF I can't get it to work at all, except as super-user (not even in standard non-sql mode). I'm waiting to see what happens in this area as I would hope that login manager or something coming out of the PTK would be the way to go. Unfortunately Zope, and associated products seem to be in a state of rapid change and there are quite a few unknowns at the moment. If you'd like any details of my code just get back to me. Regards Richard At 15:00 23/06/00 -0400, you wrote: hi folks, we are building an application that needs more information for users than that which is made available via the acl_users db (which can only contain username, password, domains, and roles). specifically, we have created an RDBS database which tracks users via a numeric user id (and speeds lookups), all tables are related via this integer variable. we are having difficulty, though, in that, zope continues to want to build a new user entry only via acl_users. has anyone done something that will allow us to get around this. i have been searching all the various search engines and zope list archives looking for something along these lines, and i find a lot of stuff on how zope authentication "out of the box" works though nothing on how to get the authentication to work via another means.
i suspect it might require some editing of the base python code, but i am hoping that this can be done from within the Products directory and not in the precompiled code. any insights would be greatly appreciated. thanks. ciao! greg. Gregory Haley venaca.com Richard Moon [EMAIL PROTECTED]