ZEO, FastCGI and Shibboleth
Hey Zope-Dev,

We're currently in the middle of a UK JISC funded project to evaluate the use of Shibboleth in authenticating access to electronic learning resources in a Medical Education environment... we use Zope and ZEO extensively already, in providing an online learning environment, personal diaries and progress portfolios and many other aspects of the MB BS degree scheme here at Newcastle.

I've been looking at the ways in which others have 'shibbolized' their Zope systems... and most (well, the only ones I can find any technical documentation on) have used the Apache + FastCGI approach, along with the RemoteUserFolder product. I've already had test infrastructure in place and have tested with client side certificates in place of a working Shibboleth server (passing the Client cert CN as the remote user variable) and everything works rather well.

The problem I'm facing is that the vast majority of the services we offer are hosted on multiple ZEO nodes, behind a load balancing front end server. This was a completely new infrastructure put in place less than a year ago - replacing a monolithic (and ageing!) Sun Enterprise system...

Each node is lightweight, hosting only a ZEO instance... a physically separate Apache server is used very rarely, and mainly only for serving static content (static content URLs are caught by the load balancer and sent off to Apache)... this setup has given us excellent performance, and reducing Apache to a static content serving role has simplified things greatly... so we are reticent to change this.

The only way I can see the Apache/FastCGI/ModShibboleth and Zope/RemoteUserFolder setup working, is if each ZEO instance has its own Apache server sitting in front of it.... which is something we have moved away from for obvious reasons.

Has anyone any thoughts about how to go about Shibboleth-enabling a whole host of ZEO instances... without each one having an Apache server sitting in front of it? Or is there an alternative method out there that perhaps is not widely known?

I know Zope4EDU is enabled, out of the box, but the licensing costs are simply not affordable for the number of hosts (6 discrete hosts), sites (at least half a dozen) and CPUs (12/14+) that we would be using...

Regards

-John

John Snowdon - IT Support Specialist
-==========================================-
School of Medical Education Development Faculty of Medical Sciences Computing University of Newcastle

On 2005-04-25 06:58:17 -0400, "John Snowdon" <J.P.Snowdon@newcastle.ac.uk> said:
> Has anyone any thoughts about how to go about shibboleth enabling a whole host of ZEO instances... without each one having an Apache server sitting in front of it? Or is there an alternative method out there that perhaps is not widely known?

We'd contemplated doing more work with PAS and Shibboleth to actually get Zope to do the equivalent of mod_shibboleth, but it never went anywhere. We stick Zope behind Apache (or some other proxying system - Squid, et al.) as a matter of course, so it was a no-brainer to just use mod_shibboleth in situ.

We've posted the contents (modulo any specific policy) of our Shibboleth implementation for PAS. It amounts to a few Scriptable Plugins to handle the specific HTTP headers that get scribbled on a Shibboleth session.

Here's the message: <http://mail.zope.org/pipermail/zope-pas/2005-March/000314.html>

Zac
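
Added example, not part of either message and not the PAS plugins linked above: when identity arrives as HTTP headers set by a Shibboleth-enabled front end, each Zope node should honour those headers only on requests that come from that front end and discard them otherwise. The proxy address, header names and function names below are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch (none of these values come from the thread):
# the one front end that runs the Shibboleth module, and the request
# variables it sets after a successful session.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed address
IDENTITY_HEADERS = ("HTTP_REMOTE_USER", "HTTP_SHIB_IDENTITY_PROVIDER")  # hypothetical names
FORBIDDEN_CHARS = "\r\n\x00"  # never valid in a user id, block header smuggling


def from_trusted_proxy(environ):
    """True only if the TCP peer is the Shibboleth-enabled front end."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed peer address: do not trust
    return any(peer in net for net in TRUSTED_PROXIES)


def extract_user(environ):
    """Return (user_id or None, cleaned copy of environ).

    Identity headers from any other peer are removed so that later code
    (for example a remote-user style user folder) cannot act on them.
    """
    cleaned = dict(environ)
    if not from_trusted_proxy(environ):
        for name in IDENTITY_HEADERS:
            cleaned.pop(name, None)
        return None, cleaned
    user = cleaned.get("HTTP_REMOTE_USER", "").strip()
    if not user or any(c in user for c in FORBIDDEN_CHARS):
        return None, cleaned
    return user, cleaned


if __name__ == "__main__":
    # Constructed requests: one relayed by the front end, one sent straight
    # to a Zope node by a client that supplies its own identity header.
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_REMOTE_USER": "jsmith"}
    direct = {"REMOTE_ADDR": "192.0.2.77", "HTTP_REMOTE_USER": "admin"}
    for env in (via_proxy, direct):
        print(env["REMOTE_ADDR"], "->", extract_user(env)[0])
```

The same rule applies at the network layer: the Zope HTTP ports should be reachable only from the front end, so that the address check is a second line of defence rather than the only one.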
Participants (2): John Snowdon, Zachery Bir