Fernando Martins wrote:
David H wrote:

You can python + COM your way to a browser startup zope/plone login
screen.  I cannot see how you automate the authentication of a given
browser instance that is then handed to your users.

Hmm, that's not automation in this sense. The user logs into the
workstation (Windows, don't know about unix), the user opens the browser and
accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will
then send authentication information to the Intranet server using the NTLM
protocol. The web server (Apache with NTLM module) checks with some internal
Domain server and sets the environment variable REMOTE_USER. This is then
sent to a CGI or FastCGI app (Zope with FastCGI).

Maybe someone will correct this.  If so everyone's happy.

Yes, local Intranet users love this, one less login, automatic recognition,
personalisation, instant gratification,... ;-)

It seems it is possible but a little convoluted.
WARNING: this has only had very limited testing and it's *not* in production (and I'm not sure it will ever be).

The first hurdle is that with the proxying configuration (RewriteRule with the P flag) ntlm_mod sends "Proxy-Authenticate" instead of "WWW-Authenticate" and it didn't work, so the first thing I needed to do was to modify ntlm_mod.c to always request "WWW-Authenticate" (easy to do, just find any instance of "r->proxyreq" and change it to "r->proxyreq && 0"). I didn't see this reported anywhere, so it could just be my local setup with Apache 2.

Then in Apache I used the RequestHeader directive to add the remote user to the request *and* the E option in the RewriteRule to put the remote user in the environment (so that RequestHeader works),
i.e. (zope is served here under the test directory "t"):

<Location /t/>
        AuthName "A Protected Place"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthoritative on
        NTLMServer yourhost
        NTLMBasicAuth on
        NTLMBasicRealm YOURREALM
        require valid-user

        # forward the user Apache authenticated to the backend;
        # %{REMOTE_USER}e reads the environment variable set by the
        # E= flag of the RewriteRules below (hence the LA-U look-ahead)
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
</Location>

RewriteEngine On

# https, Host header without an explicit port: add :443 for VirtualHostBase
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !443$
RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

# https, Host header already carries the port
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} 443$
RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

# plain http
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

(Note that this contortion with SSL may be due, again, to my setup. Note also that I didn't manage to make NTLM+SSL work with Internet Explorer; it works fine with Firefox.)

At this point Zope should see an additional header REMOTE_USER (with the consequent security risk: you should make sure that nobody can directly access Zope, otherwise they can fake this header and pose as any user), which is available in request.environ as HTTP_REMOTE_USER.

Then it's just a matter of using PAS with the SharkbyteSSOPlugin (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured to use HTTP_REMOTE_USER.

I'd suggest changing

   userid = request.get(self.uservar)

to

   userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to me anyway, but I'm not a security expert ;-)

Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004      Fax +34 93 5883007
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
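The header-trust problem raised in the last two paragraphs of Luca's message (a spoofed REMOTE_USER header, and request.get versus request.environ.get), as an added example that is not part of the thread and not the SharkbyteSSOPlugin's own code. It assumes a simplified model of a Zope request in which get() consults form variables before the CGI environment (the reason the environ-only lookup is safer), and adds a REMOTE_ADDR check against the proxy address as an extra mitigation that the thread does not mention. All requests below are constructed, not captured.

```python
"""
Toy model of the REMOTE_USER-header trust problem (added example).

Assumptions, not from the thread:
  - request.get() is modelled as looking at form variables before the
    CGI environment, so a ?HTTP_REMOTE_USER=... query parameter can win;
  - the 'hardened' variant only trusts the header when the request came
    from the proxy's address (TRUSTED_PROXY), which is an added mitigation.
"""

TRUSTED_PROXY = "127.0.0.1"   # hypothetical: the address Apache proxies from
USERVAR = "HTTP_REMOTE_USER"  # the variable name the SSO plugin is configured with


class FakeRequest:
    """Minimal stand-in for a Zope HTTPRequest: a CGI environ dict and a form dict."""

    def __init__(self, environ, form=None):
        self.environ = dict(environ)
        self.form = dict(form or {})

    def get(self, key, default=None):
        # Modelled lookup order: form input is consulted before the environment.
        if key in self.form:
            return self.form[key]
        return self.environ.get(key, default)


def extract_user_unsafe(request):
    """The 'before' variant: request.get() also honours form input."""
    return request.get(USERVAR)


def extract_user_environ(request):
    """The suggested variant: only the CGI environment (the header) is read."""
    return request.environ.get(USERVAR)


def extract_user_hardened(request):
    """environ-only, and only if the request arrived via the proxy (assumed mitigation)."""
    if request.environ.get("REMOTE_ADDR") != TRUSTED_PROXY:
        return None
    return request.environ.get(USERVAR)


def cgi_environ(headers, remote_addr):
    """Build a CGI-style environ the way a web server does: Some-Header -> HTTP_SOME_HEADER."""
    env = {"REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Constructed sample requests.
# 1. Legitimate: Apache authenticated "alice" via NTLM and added the header.
via_proxy = FakeRequest(cgi_environ({"REMOTE_USER": "alice"}, TRUSTED_PROXY))

# 2. Through Apache, but the client also sends ?HTTP_REMOTE_USER=admin as form input.
form_spoof = FakeRequest(cgi_environ({"REMOTE_USER": "alice"}, TRUSTED_PROXY),
                         form={USERVAR: "admin"})

# 3. Client connects to Zope's port directly and supplies the header itself.
direct_spoof = FakeRequest(cgi_environ({"REMOTE_USER": "admin"}, "10.0.0.99"))


def run_demo():
    """Return the user each variant would accept for the three requests."""
    requests = (via_proxy, form_spoof, direct_spoof)
    return {
        "unsafe": [extract_user_unsafe(r) for r in requests],
        "environ": [extract_user_environ(r) for r in requests],
        "hardened": [extract_user_hardened(r) for r in requests],
    }


if __name__ == "__main__":
    for variant, users in run_demo().items():
        print(variant, users)
```

The environ-only lookup closes the form-variable spoof but still trusts whatever header reaches Zope, which is exactly the direct-access risk the message warns about; the real fix there is to bind Zope to the loopback address (or firewall its port) so that only Apache can talk to it, with the REMOTE_ADDR check as a second line of defence.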