Hash: SHA1

robert rottermann wrote:
> Tres Seaver wrote:
>> robert rottermann wrote:
>>>> Hi there,
>>>> I would like to use Session Auth Helper to authenticate a user after he
>>>> has logged into a site using Active Directory.
>>>> this are the steps I use to create the setup:
>>>> - add an ActiveDirectory Multiplugin
>>>>     - activate all services
>>>> - apply patches to have the groups working
>>>>     according instructions on Plone I install
>>>>         LDAPMultiPlugins-plone.org.patch from antiloop.plone.org
>>>> - add an Session Auth Helper
>>>>     - activate all three services (Reset Credentials,
>> UpdateCredentials,
>>>> Extraction)
>>>> - Up the session timeout of the site to 5 hours
>>>> Now my questions:
>>>> - do I have to change the sequence of the active plugins to avoid
>>>> contacting the AD server after a successful login
>>>>   (as long the session is active)
>>>>     it is like this now
>>>>         credentials_cookie_auth
>>>>        AD Multiplugin
>>>>        Session Auth Helper
>>>> - is there something else I have to take care of?
>> Yes, you want the session auth plugin to be registered *ahead* of the AD
>> / LDAP plugin, in the registration for IAuthenticateCredentials.  That
>> list looks like the one for IExtractCredentials (the cookie plugin can't
>> actually authenticate, it only retrieves credentials from the request).
>> Tres.
>> --
> thanks Tres,
> a stupid follow up question: what is ahead?
> (from the context of this mail) I assume this means above of AD?

Yes.  You want the session auth plugin to succeed before the PAS
consults the AD plugin.  As an alternative, you might look into enabling
caching for the AD plugin.

- --
Tres Seaver          +1 540-429-0999          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

Zope-PAS mailing list

Reply via email to