Hi, we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use. One of our next goals is to integrate the Single-Sign-On ticket feature of SAP Portal. SAP sends a cookie called MYSAPSSO2 which contains a certified signature and the login name of a user. Normally the login name will be validated by LDAPUserFolder with a password against the LDAP directory, and the roles of the user will be assigned to the user object. We now have an external web service which can validate the MYSAPSSO2 ticket and return the login name. I'm now looking for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated login name and read the roles of the user out of the LDAP directory.

Any ideas? Maybe comments by Jens or Shane?

Regards, Dirk

-- Free gift: 3 months of GMX ProMail plus 3 issues of stern, free ++ Sign up and try it now ++ http://www.gmx.net/de/go/promail ++
I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.
What *specifically* does not work? Have you tried it and developed a list of features that are missing for it to work? jens
Jens Vagelpohl wrote:
I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.
What *specifically* does not work? Have you tried it and developed a list of features that are missing for it to work?
jens
I'm starting at the beginning :) I have a web service that accepts a MYSAPSSO2 cookie and returns the user name if the signature included in the MYSAPSSO2 cookie can be verified. I have a Zope with CookieCrumbler/LDAPUserFolder connected to an LDAP directory. The LDAPUserFolder can be configured to access the LDAP directory anonymously or with a manager DN.

Normally a user would enter a form-based password on first login, and the CookieCrumbler will send back a cookie where the authentication result of LDAPUserFolder is stored for the next requests.

My idea for a first step is now that the CookieCrumbler can take the MYSAPSSO2 cookie and send it to the external web service, which returns the real user name. This user name will be forwarded to/used by LDAPUserFolder as an authenticated user (no authenticated bind with the user name, only an anonymous bind or a bind with the manager DN to read the roles of the user), and LDAPUserFolder/LDAPUserSatellite will read the assigned LDAP groups and map them to Zope roles.

Does this description help to understand me? I don't know :)

Regards, Dirk
Hi Marco, Marco Bizzarri wrote:
I'm not sure this could work for you... I've tried integrating Zope with an SSO system which did not provide any authentication other than setting a correct REMOTE_USER in the REQUEST (we did it behind Apache).

We succeeded by subclassing CookieCrumbler so that it was able to deal with those situations.

Also, we were working with Zope in Remote User Mode.

I can provide the code, if necessary.

Regards, Marco
Yes, any code, any idea is welcome.

Thanks, Dirk
Hi Mark, Mark Hammond wrote:
I would suggest looking at PAS. You would write an "extraction" plugin for PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties and role/group enumeration. Your PAS plugin then only has the job of creating a "user id" suitable for use with the LDAP plugin (i.e., the same 'id' that LDAPUF is configured to use).

PAS has had a number of recent changes - you should look at the CVS versions (of PAS and the dataflake stuff) rather than the released versions if you want to avoid migration work in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService

mailing list at: http://mail.zope.org/mailman/listinfo/zope-pas
I like the idea of PAS, and I have downloaded PluginRegistry, PAS and LDAPMultiPlugin. I made a MySapSsoCookieAuthHelper which takes the MYSAPSSO2 cookie and sends it to the external validation service. Since this service will return the login name, which is identical to the LDAP user, I hopefully only have to work on reading the LDAP attributes and roles.

One question about PAS/LDAPMultiPlugin and LDAPUserFolder/LDAPUserSatellite: we work a lot with LDAPUserSatellite in different folders, which will change local roles of users. Is this also possible with PAS/LDAPMultiPlugin?

Thanks for that hint. Dirk
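The flow Dirk describes (take the MYSAPSSO2 cookie, have the external service verify its signature and return the login name, then look the roles up in LDAP with a manager bind) and the PAS split Mark suggests (an extraction plugin that only produces a user id, with LDAPMultiPlugin doing properties and roles) can be sketched in one place. The following is an added example, not code from this thread, from PAS or from LDAPMultiPlugin. The method names extractCredentials / authenticateCredentials / getRolesForPrincipal mirror the PAS plugin interfaces, but the class does not subclass PAS's BasePlugin so that it runs outside Zope; the validation web service is replaced by StubTicketValidator, which models SAP's certificate signature with a constructed HMAC, and the LDAP directory and group-to-role mapping are constructed in-memory dicts (DIRECTORY, GROUP_TO_ROLE). The security-relevant design point it shows: the extractor never parses a login name out of the cookie, the identity is only ever the value the validator returns, and a validly signed ticket for a login that is not in the directory is still rejected.

```python
"""Added example (not from the thread, PAS or LDAPMultiPlugin): the
extraction/authentication half of a PAS-style SSO cookie plugin with the
ticket-validation service and the LDAP lookup stubbed so it runs offline."""

import base64
import hashlib
import hmac

COOKIE_NAME = "MYSAPSSO2"

# Constructed sample data: an LDAP-like directory (login -> group DNs) and the
# group -> Zope role mapping a satellite/LDAPMultiPlugin would apply.
DIRECTORY = {
    "ddatzert": ["cn=portal-editors,ou=groups,dc=example,dc=com"],
    "guest": [],
}
GROUP_TO_ROLE = {
    "cn=portal-editors,ou=groups,dc=example,dc=com": "Editor",
}


class StubTicketValidator:
    """Stand-in for the external validation web service (assumption: real
    MYSAPSSO2 tickets carry a certificate-based signature; here an HMAC over
    a base64 payload models 'signature verifies -> login name, else None')."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, login: str) -> str:
        # Only used to build sample cookies; in reality the SAP portal issues them.
        payload = base64.urlsafe_b64encode(login.encode()).decode()
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def validate(self, ticket: str):
        """Return the login name carried by a correctly signed ticket, else None."""
        try:
            payload, sig = ticket.rsplit(".", 1)
            login = base64.urlsafe_b64decode(payload.encode()).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        return login


class SsoCookieAuthHelper:
    """PAS-shaped plugin (hypothetical name; not derived from BasePlugin)."""

    def __init__(self, validator, directory=DIRECTORY, group_to_role=GROUP_TO_ROLE):
        self._validator = validator
        self._directory = directory
        self._group_to_role = group_to_role

    def extractCredentials(self, request: dict) -> dict:
        # request is a plain dict standing in for the Zope REQUEST.
        ticket = request.get("cookies", {}).get(COOKIE_NAME)
        if not ticket:
            return {}
        # Deliberately only the opaque ticket: no login name is read from the
        # cookie itself, so a forged name in the cookie gains nothing.
        return {"sso_ticket": ticket}

    def authenticateCredentials(self, credentials: dict):
        ticket = credentials.get("sso_ticket")
        if not ticket:
            return None
        login = self._validator.validate(ticket)
        # A login the directory does not know is rejected even with a valid
        # signature; LDAPMultiPlugin would perform this check via enumeration.
        if login is None or login not in self._directory:
            return None
        return (login, login)  # (user_id, login) as PAS expects

    def getRolesForPrincipal(self, user_id: str) -> list:
        # Read-only group lookup, the manager-DN / anonymous bind in Dirk's plan;
        # no bind as the user is ever attempted.
        groups = self._directory.get(user_id, [])
        return sorted({self._group_to_role[g] for g in groups if g in self._group_to_role})


def login_from_request(helper, request: dict):
    """Run the pipeline end to end: extraction, authentication, role lookup."""
    result = helper.authenticateCredentials(helper.extractCredentials(request))
    if result is None:
        return None
    user_id, login = result
    return {"user_id": user_id, "login": login,
            "roles": helper.getRolesForPrincipal(user_id)}


if __name__ == "__main__":
    v = StubTicketValidator(b"constructed-shared-secret")
    h = SsoCookieAuthHelper(v)
    print(login_from_request(h, {"cookies": {COOKIE_NAME: v.issue("ddatzert")}}))
```

In a real deployment the validator call is an outbound request to the SAP validation service and the directory lookup is LDAPMultiPlugin's search; the shape of the two plugin methods is what carries over.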
On 26 Jun 2005, at 14:57, Dirk Datzert wrote:
One question about PAS/LDAPMultiPlugin and LDAPUserFolder/LDAPUserSatellite:
We work a lot with LDAPUserSatellite in different Folders, which will change local roles of users. Is this also possible with PAS/LDAPMultiPlugin ?
No it is not. It requires cooperation from the user class emitted by the user folder. PAS uses its own user class which does not have the needed hooks. jens
Mark Hammond wrote:

I would suggest looking at PAS. You would write an "extraction" plugin for PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties and role/group enumeration. Your PAS plugin then only has the job of creating a "user id" suitable for use with the LDAP plugin (i.e., the same 'id' that LDAPUF is configured to use).

PAS has had a number of recent changes - you should look at the CVS versions (of PAS and the dataflake stuff) rather than the released versions if you want to avoid migration work in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService

mailing list at: http://mail.zope.org/mailman/listinfo/zope-pas

Mark
Participants (4): Dirk Datzert, Jens Vagelpohl, Marco Bizzarri, Mark Hammond