Philipp von Weitershausen wrote:
Simon Hang wrote:
Dear all,
I'm trying to use apache as zope3's frontend, and do NTLM authentication
as well.
Well, traditionally it's been part of Zope's responsibility to do
credentials extraction and user authentication. That doesn't mean it
couldn't be done by the webserver in front of Zope; there might just be
other implications that you and I can't think of ;).
I've done:
1. Installed mod_ntlm for apache 1.3, and tested.
2. Created a VirtualHost for zope3 instance, forwarding http request
using rewrite engine. And tested.
Now I try to put things together => A virtualhost can do NTLM
authentication and forward request to zope3, my virtual configuration of
apache as below:
<VirtualHost *:808>
    DocumentRoot c:/myroot
    Servername myserver
    ErrorLog logs/myerror.log
    CustomLog logs/myaccess.log common
    RewriteEngine On
    RewriteRule ^(/?.*) http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
    <Location "/">
        <IfModule mod_ntlm.c>
            AuthName "realm"
            AuthType NTLM
            NTLMAuth On
            NTLMAuthoritative On
            NTLMDomain mydomain
            NTLMOfferBasic Off
            NTLMBasicPreferred Off
            require valid-user
        </IfModule>
    </Location>
</VirtualHost>
Every time I try to access the page, the browser shows me an error message as
below:
Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g., bad
password), or your browser doesn't understand how to supply the
credentials required.
What's wrong in my settings?
Well, Zope 3 doesn't care that Apache has authenticated your user. It
doesn't see that. If you want the Zope 3 security system to interact
with Apache's, here's a suggestion (not sure if it'll actually work):
- Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
the "E" flag at the end of rewrite rule:
[P,L,E=REMOTE_USER:%{REMOTE_USER}]
Will that really work? env variables are only useful in CGI mode, but
proxying doesn't involve CGI. Rather I'd advise using additional
parameters to the URL, like we do here for Zope 2 for instance:
http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf
- Have a custom ICredentialsPlugin that simply looks at this env
variable in the request for the log-in credentials. To challenge the
user for authentication, it would simply use the same authentication
realm as set in the apache.conf, so that it gets picked up by Apache
when the user provides the credentials.
And this plugin would have to get the credentials from the URL instead
of the env variable. I wish apache had a proper way to add request
headers during proxying...
Florent
- Have a custom IAuthenticatorPlugin that uses the credential data of
the former plug-in to create a principal object from it. It wouldn't
really need to do any actual authentication because that had already
been done by Apache. The only thing this plug-in needs to do is convert
the credentials data into an actual principal object.
Hope that helps.
Philipp
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
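
Added example, not part of the original thread and not Zope or Nuxeo code: a framework-free Python stand-in for the two plug-ins discussed above, taking the user name from a URL parameter appended by Apache. The parameter name, the function names and the trusted proxy address are assumptions; the asserted name is accepted only from the front-end's address and rejected when the parameter is missing or repeated.

```python
from urllib.parse import urlsplit, parse_qs

TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: Apache runs on the same host as Zope
USER_PARAM = "ntlm_remote_user"   # hypothetical parameter appended by the rewrite rule
EXPECTED_DOMAIN = "MYDOMAIN"      # mirrors NTLMDomain in the VirtualHost


def extract_credentials(peer_addr, url):
    """Stand-in for the credentials plug-in: read the proxy-asserted user name."""
    # Only the front-end may assert an identity; a client that reaches Zope
    # directly could otherwise name any user it likes.
    if peer_addr not in TRUSTED_PROXIES:
        return None
    values = parse_qs(urlsplit(url).query).get(USER_PARAM, [])
    # Fail closed when the parameter is absent or appears more than once
    # (a client-supplied copy next to the one Apache appended).
    if len(values) != 1:
        return None
    domain, sep, login = values[0].rpartition("\\")
    if not login or (sep and domain.upper() != EXPECTED_DOMAIN):
        return None
    # Windows account names are case-insensitive, so normalise the login.
    return {"login": login.lower()}


def authenticate_credentials(credentials):
    """Stand-in for the authenticator plug-in: no password check, Apache did it."""
    if not credentials or "login" not in credentials:
        return None
    return {"id": "ntlm." + credentials["login"], "title": credentials["login"]}


def authenticate(peer_addr, url):
    """Run both steps for one request; returns principal data or None."""
    return authenticate_credentials(extract_credentials(peer_addr, url))


if __name__ == "__main__":
    # Constructed sample requests: (peer address, URL as seen by the backend).
    base = "http://localhost:8080/page?" + USER_PARAM + "="
    for peer, url in [("127.0.0.1", base + "MYDOMAIN%5Csimon"),
                      ("10.0.0.5", base + "MYDOMAIN%5Csimon"),
                      ("127.0.0.1", base + "admin&" + USER_PARAM + "=simon")]:
        print(peer, url, "->", authenticate(peer, url))
```

The backend should also listen only on an address the proxy can reach, so the peer-address check is not the sole barrier.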