Fernando Martins wrote:
David H wrote:
Robert,
You can python + COM your way to a browser startup zope/plone login screen. I cannot see how you automate the authentication of a given browser instance that is then handed to your users.
Hmm, that's not automation in this sense. The user logs in to the workstation (Windows, don't know about Unix), the user opens the browser and accesses an INTRANET page. The browser (IE or Firefox with NTLM set up) will then send authentication information to the Intranet server using the NTLM protocol. The web server (Apache with NTLM module) checks with some internal Domain server and sets the environment variable REMOTE_USER. This is then sent to a CGI or FastCGI app (Zope with FastCGI).
Maybe someone will correct this. If so, everyone's happy.
Yes, local Intranet users love this, one less login, automatic recognition, personalisation, instant gratification,... ;-)
It seems it is possible but a little convoluted. WARNING: this has only had very limited testing and it's *not* in production (and I'm not sure it will ever be). The first hurdle is that with the proxying configuration (RewriteRule with the P flag) ntlm_mod sends "Proxy-Authenticate" instead of "WWW-Authenticate" and it didn't work, so the first thing I needed to do was to modify ntlm_mod.c to always request "WWW-Authenticate" (easy to do, just find any instance of "r->proxyreq" and change it to "r->proxyreq && 0"). I didn't see this reported anywhere, so it could just be my local setup with Apache 2. Then in Apache I used the RequestHeader directive to add the remote user to the request *and* the E option in the RewriteRule to put the remote user in the environment (so that RequestHeader works), i.e. (Zope is served here under the test directory "t"):

    <Location /t/>
        AuthName "A Protected Place"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthoritative on
        NTLMDomain YOURDOMAIN
        NTLMServer yourhost
        NTLMBasicAuth on
        NTLMBasicRealm YOURREALM
        require valid-user
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
    </Location>

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} !443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} 443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

(note that this contortion with SSL may be due, again, to my setup. Note also that I didn't manage to make NTLM+SSL work with Internet Explorer; it works fine with Firefox).

At this point Zope should see an additional header REMOTE_USER (with the consequent security risk: you should make sure that nobody can directly access Zope, otherwise they can fake this header and pose as any user), which is available in request.environ as HTTP_REMOTE_USER. Then it's just a matter of using PAS with the SharkbyteSSOPlugin (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured to use HTTP_REMOTE_USER. I'd suggest changing

    userid = request.get(self.uservar)

to

    userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to me anyway, but I'm not a security expert ;-)

Bye
-- 
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
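As an added example (not code from the thread, from SharkbyteSSOPlugin, or from Zope), here is a small Python model of the trust problem Luca describes: Apache authenticates the user with NTLM and forwards the result as a REMOTE_USER request header, which the backend sees as HTTP_REMOTE_USER in its CGI environment, so anything that can reach the backend directly can set that header itself. The model makes two assumptions that are labelled in the code: that a request object's `get()` consults submitted form data before the CGI environment (the reason `request.environ.get` is the safer lookup), and that the proxy connects from 127.0.0.1 as in the RewriteRule above. The `TRUSTED_PROXY` constant, the `make_environ` helper and the scenario names are inventions for the illustration.

```python
"""Model of the REMOTE_USER header-forwarding trust problem.

Apache (mod_ntlm + RequestHeader set) is the only party that should write the
REMOTE_USER header. `RequestHeader set` overwrites any value the client sent,
so requests that pass through Apache carry the authenticated user. Requests
that bypass Apache and hit the backend port directly carry whatever the
sender chose.
"""

# Assumption: Apache proxies to the backend from the loopback address.
TRUSTED_PROXY = "127.0.0.1"


def make_environ(remote_addr, remote_user=None):
    """Build a constructed CGI-style environment for the backend request."""
    environ = {
        "REMOTE_ADDR": remote_addr,
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/t/",
    }
    if remote_user is not None:
        # This is how the forwarded REMOTE_USER header appears to a CGI app.
        environ["HTTP_REMOTE_USER"] = remote_user
    return environ


def userid_via_request_get(form, environ, uservar="HTTP_REMOTE_USER"):
    """Mimics the plugin's original `userid = request.get(self.uservar)`.

    Assumption of this model: the request's get() looks at submitted form
    fields before the CGI environment, so a form field named like the header
    can shadow the value Apache set.
    """
    if uservar in form:
        return form[uservar]
    return environ.get(uservar)


def userid_via_environ_get(environ, uservar="HTTP_REMOTE_USER"):
    """The change suggested in the thread: read the CGI environment only.

    Form fields can no longer shadow the header, but a header forged by a
    client that reaches the backend directly is still accepted.
    """
    return environ.get(uservar)


def userid_from_trusted_proxy(environ, uservar="HTTP_REMOTE_USER",
                              proxy=TRUSTED_PROXY):
    """Additionally refuse the header unless the TCP peer is the proxy.

    This narrows the 'nobody can directly access zope' requirement to
    'nobody on the same host can', which is a stop-gap rather than a
    substitute for keeping the backend port unreachable.
    """
    if environ.get("REMOTE_ADDR") != proxy:
        return None
    return environ.get(uservar)


def run_scenarios():
    """Run the three lookups against constructed requests.

    Returns a dict keyed by scenario, each mapping lookup -> user id.
    """
    # 1. Legitimate request: Apache authenticated 'alice', forwarded header.
    legit_env = make_environ(TRUSTED_PROXY, "alice")
    # 2. 'alice' goes through Apache but posts a form field that shadows
    #    the header name; Apache still forwards REMOTE_USER: alice.
    shadow_form = {"HTTP_REMOTE_USER": "admin"}
    # 3. Attacker bypasses Apache and talks to the backend port directly.
    direct_env = make_environ("10.0.0.5", "admin")

    return {
        "legitimate": {
            "request_get": userid_via_request_get({}, legit_env),
            "environ_get": userid_via_environ_get(legit_env),
            "trusted_proxy": userid_from_trusted_proxy(legit_env),
        },
        "form_shadow": {
            "request_get": userid_via_request_get(shadow_form, legit_env),
            "environ_get": userid_via_environ_get(legit_env),
            "trusted_proxy": userid_from_trusted_proxy(legit_env),
        },
        "direct_access": {
            "request_get": userid_via_request_get({}, direct_env),
            "environ_get": userid_via_environ_get(direct_env),
            "trusted_proxy": userid_from_trusted_proxy(direct_env),
        },
    }


if __name__ == "__main__":
    for scenario, results in run_scenarios().items():
        print(scenario, results)
```

In the model, only the `trusted_proxy` lookup rejects the direct-access forgery, and only the two environ-based lookups survive the form-shadowing case; `request_get` fails the latter because of the shadowing assumption stated above. Since Apache connects from the loopback address, the peer check cannot tell a local user on the server host apart from Apache, which is why the thread's advice to make the backend unreachable except through Apache remains the real control.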