Hi all,

I'm a newbie to zope, working on installing a plone website for the radiology department at the University of Washington. I want to use SSO so that my content creators don't need to remember additional login/passwd for my site.

I've been working on getting apache proxying and pubcookie authentication to work with Zope (2.9.4? installed via the plone 2.5.1 installer and also by hand). Instructions for doing this can be found at http://www.washington.edu/webinfo/case/zope/

So far, the apache proxy and mod_pubcookie parts of the puzzle seem to be working just fine. I can protect a directory with AuthType UWNetID and all works as expected, and the proxy rewrites I've generated seem to be redirecting traffic from my port 80 apache instance to my zope instance as expected. Logging in at the pubcookie login server also works, but when I'm redirected back to my zope instance, I am prompted for a login/password, and no matter what I give, I am locked out.

I have been able to log in to my zope instance via localhost:8080/manage, and when I've added the 'access' file with my username, a colon, and a newline, no password is required to log in. So I think the 'RemoteUserAuth' plugin described at the above site is working correctly.

I have debugged the interaction from the apache side as far as I am able, and I know that the appropriate headers are being sent to zope via the mod_fba module in apache. What I can't do, and what I need help with, is debugging the zope half of this interaction.

I don't fully grasp the way that user authentication works in zope. I'm not sure where to begin to look for the problem here, and I'm hoping someone can help. I'm a python newbie, so I might need a little hand-holding, but I'm an experienced programmer, and willing to do pretty much anything to figure this one out. The success of my plone site really depends on it.

The expected behavior is that mod_fba sets an authorization header with a username from pubcookie and sends it to zope with a page request for the ZMI. Zope is supposed to enter _remote_user_mode (as I understand it) because I've provided the 'access' file, and then set the credential name using that header. Zope then uses that name for authorization, taking for granted that it has been authenticated, and not checking passwords.

This appears to be happening correctly when I try to directly access the ZMI via localhost:8080/manage. I can give a user name and no password and am logged in as expected.

However, when I try to access the ZMI via apache (http://myhost.com/manage, which gets rewritten to http://localhost:8080/manage in apache proxy), I am prompted via basic auth for username and password, and anything I enter is rejected.

Can anyone help me to figure out how I can debug the interaction here? Perhaps taking a look at the headers that apache is supposed to be sending once they arrive in zope? Any other suggestions would be wholly and warmly welcomed.

Thanks for anything you might offer,

Cris

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: [EMAIL PROTECTED]
*******************************

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
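
One way to see what Apache actually forwards to the backend, as an added example (not part of the original post, and not Zope, pubcookie or mod_fba code): a stand-in listener, assumed to be started on port 8080 with Zope stopped, that reports the proxy headers and a summary of the Authorization header without printing any password. The function and class names are hypothetical.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request headers that matter for the Apache-to-backend handoff.
INTERESTING = ("host", "x-forwarded-for", "x-forwarded-host")


def describe_authorization(value):
    """Summarise an Authorization header without echoing any password."""
    if not value:
        return {"present": False}
    scheme, _, blob = value.strip().partition(" ")
    info = {"present": True, "scheme": scheme}
    if scheme.lower() != "basic":
        return info
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        info["error"] = "credentials are not valid base64/UTF-8"
        return info
    user, sep, password = decoded.partition(":")
    info.update(username=user, has_colon=bool(sep), password_empty=password == "")
    return info


def summarise(headers):
    """Pick the proxy-relevant headers out of a mapping; redact credentials."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {name: lowered.get(name) for name in INTERESTING}
    report["authorization"] = describe_authorization(lowered.get("authorization"))
    return report


class DumpHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        report = summarise(dict(self.headers.items()))
        text = "\n".join(f"{k}: {v}" for k, v in report.items())
        print(f"{self.command} {self.path} from {self.client_address[0]}\n{text}")
        body = text.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumption: Zope is stopped so this can borrow port 8080; loopback only.
    HTTPServer(("127.0.0.1", 8080), DumpHandler).serve_forever()
```

Comparing the report for a request sent straight to localhost:8080 with one that came through the Apache rewrite shows whether the Authorization header survives the proxy and whether it carries a username with an empty password.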
