Hi, I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative? TIA, Fernando Martins
--On 30 March 2006 21:16:09 +0200 Fernando Martins <fernando@cmartins.demon.nl> wrote:
Hi,
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
As documented: Zope as standalone server + an optional reverse proxy (Squid/Apache). But no idea how this would solve a SSO issue.

-aj

-- Andreas Jung, ZOPYX Ltd. & Co KG - E-mail: info@zopyx.com - Web: www.zopyx.com, www.zopyx.de
Hi,
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
As documented: Zope as standalone server + an optional reverse proxy (Squid/Apache). But no idea how this would solve a SSO issue.
-aj
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope. Fernando
On 3/30/06, Fernando Martins <fernando@cmartins.demon.nl> wrote:
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
Yale made a system called CAS, that works fine for SSO. It's simple and secure and easy to implement. My PAS plugin is available at http://www.zope.org/Members/regebro . I have a CookieCrumbler type thingy somewhere too.

-- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/
Lennart Regebro wrote:
On 3/30/06, Fernando Martins <fernando@cmartins.demon.nl> wrote:
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
Yale made a system called CAS, that works fine for SSO. It's simple and secure and easy to implement.
My PAS plugin is available at http://www.zope.org/Members/regebro . I have a CookieCrumbler type thingy somewhere too.
Interesting to know about, but it seems to be restricted to web SSO, whereas I had in mind SSO including the workstation login. It seems to be a full authentication mechanism on its own and it doesn't integrate with existing authentication systems, right? (no NTLM and it uses Kerberos but on its own) Thanks, Fernando
On 3/31/06, Fernando Martins <fernando@cmartins.demon.nl> wrote:
Interesting to know about, but it seems to be restricted to web SSO, whereas I had in mind SSO including the workstation login.
Ah. I dont know how (or if) you do that with CAS.
It seems to be a full authentication mechanism on its own and it doesn't integrate with existing authentication systems, right? (no NTLM and it uses Kerberos but on its own)

It can use NTLM as well, it's just a question of how you validate the username and password. But it still means dual logins.

-- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/
You may want to contact Netsight(.co.uk), they have a working NTLM auth system for Zope/Plone. It's not gratis though, AFAIK. It's also possible to use ActiveDirectory for both Windows and Zope (via LDAPUserFolder). Stefan

On 31 Mar 2006, at 09:03, Fernando Martins wrote:

Interesting to know about, but it seems to be restricted to web SSO, whereas I had in mind SSO including the workstation login. It seems to be a full authentication mechanism on its own and it doesn't integrate with existing authentication systems, right? (no NTLM and it uses Kerberos but on its own)
Thanks, Fernando
-- Anything that happens, happens. --Douglas Adams
Stefan H. Holek wrote:
You may want to contact Netsight(.co.uk), they have a working NTLM auth system for Zope/Plone. It's not gratis though, AFAIK. It's also possible to use ActiveDirectory for both Windows and Zope (via LDAPUserFolder).
*mumble* *mumble* It works about 95% of the time. NTLM is the devil's own faeces, avoid like the plague unless you're gonna get IIS to do the actual authentication...

Chris

-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Fernando Martins wrote at 2006-3-30 22:08 +0200:
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
As documented: Zope as standalone server + an optional reverse proxy (Squid/Apache). But no idea how this would solve a SSO issue.
-aj
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
In principle, the rewrite rules allow to specify environment extensions. When I remember right, you use an "E=..." in the "[P, ...]" to call for such an extension. -- Dieter
Dieter Maurer wrote:
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
In principle, the rewrite rules allow to specify environment extensions. When I remember right, you use an "E=..." in the "[P, ...]" to call for such an extension.
Indeed, I also looked into mod_rewrite (which I'm using anyway) and I realised I could put the user id into the URL with %{LA-U:REMOTE_USER}. That's a special case of %{ NAME_OF_VARIABLE }, required because "this variable is set by the authorization phases which come after the URL translation phase where mod_rewrite operates". The problem is that I have no knowledge of Zope internals, including VHM. And not much time (or money) to fix it. Any idea if it would be a simple matter of patching RemoteUserFolder or would it require additional patching to VHM, etc.? If feasible, this could indeed be a nice solution, only with positive impact (get rid of FastCGI). Regards, Fernando
Dieter Maurer wrote:
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
In principle, the rewrite rules allow to specify environment extensions. When I remember right, you use an "E=..." in the "[P, ...]" to call for such an extension.
Actually, I see now you are referring to the substitution flags. This is indeed env|E=VAR:VAL but the idea is to set an environmental variable which "can be later dereferenced in many situations, but usually from within XSSI (via <!--#echo var="VAR"-->) or CGI (e.g. $ENV{'VAR'})." But, unless I'm missing something, this solution hits the problem that environment variables are not passed into zope (except through FastCGI). Regards, Fernando
On Sat, Apr 01, 2006 at 03:20:22PM +0200, Fernando Martins wrote:
Dieter Maurer wrote:
Yes, I understand the alternative to FastCGI, but mod_proxy doesn't pass the required environmental variable REMOTE_USER to zope. I was asking about single sign-on alternatives for Zope.
In principle, the rewrite rules allow to specify environment extensions. When I remember right, you use an "E=..." in the "[P, ...]" to call for such an extension.
Actually, I see now you are referring to the substitution flags. This is indeed env|E=VAR:VAL but the idea is to set an environmental variable which "can be later dereferenced in many situations, but usually from within XSSI (via <!--#echo var="VAR"-->) or CGI (e.g. $ENV{'VAR'})." But, unless I'm missing something, this solution hits the problem that environment variables are not passed into zope (except through FastCGI).
I've never tried those apache flags; but you might have a look in zope's REQUEST.environ mapping ... maybe it Just Works? *shrug* -- Paul Winkler http://www.slinkp.com
On 3/30/06, Fernando Martins <fernando@cmartins.demon.nl> wrote:
Hi,
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
FastCGI is deprecated, but it still can be used, correct? I also use it to pass REMOTE_USER from Apache to Zope (in a Shibboleth set-up), and nobody has given me an alternative using rewrite and proxy.
Robert Boyd wrote:
FastCGI is deprecated, but it still can be used, correct? I also use it to pass REMOTE_USER from Apache to Zope (in a Shibboleth set-up), and nobody has given me an alternative using rewrite and proxy.
Well, you'll get a warning of the deprecation at start time. That's all, I believe. But since it is deprecated, bug fixing/improvements will not be done, like this one: "filestream_iterator handling is not implemented for FastCGI protocol", see http://www.zope.org/Collectors/Zope/1647

Furthermore, I have another annoying problem with the current setup. I provide some files from the file system, through LocalFS, but it doesn't work with Apache+NTLM+FastCGI. Rather than getting the file I get the description of the object, like

    <open file '/work/docs/MyFile.PDF', mode 'rb' at 0x42310974>

Regards, Fernando
Fernando Martins wrote:
Hi,
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
TIA, Fernando Martins
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Fernando, during the next 4 weeks we will be prototyping a site. One of the requirements we have to meet is SSO using Active Directory to manage the users. One of the requirements we *should* meet (I declined to commit ourselves to this feature) is that when a user is logged into Windows she is automatically logged into Plone. The server is running on a Linux box (SuSE 9.3 or later). No idea yet whether this is possible, and I have read all related info with interest. If you like we can try to join forces. Robert
robert rottermann wrote:
Fernando Martins wrote:
Hi,
I'm doing single sign-on using Apache+mod_ntlm+FastCGI. Since the last is deprecated, is there any alternative?
TIA, Fernando Martins
Fernando, during the next 4 weeks we will be prototyping a site. One of the requirements we have to meet is SSO using Active Directory to manage the users. One of the requirements we *should* meet (I declined to commit ourselves to this feature) is that when a user is logged into Windows she is automatically logged into Plone. The server is running on a Linux box (SuSE 9.3 or later). No idea yet whether this is possible, and I have read all related info with interest. If you like we can try to join forces.
Robert
Robert, You can python + COM your way to a browser startup zope/plone login screen. I cannot see how you automate the authentication of a given browser instance that is then handed to your users. Maybe someone will correct this. If so everyone's happy. Of course, you could make your plone site anonymous if you feel you're secure by the time they get there. David
during the next 4 weeks we will be prototyping a site. One of the requirements we have to meet is SSO using Active Directory to manage the users. One of the requirements we *should* meet (I declined to commit ourselves to this feature) is that when a user is logged into Windows she is automatically logged into Plone. The server is running on a Linux box (SuSE 9.3 or later). No idea yet whether this is possible, and I have read all related info with interest. If you like we can try to join forces.

Hi! I think you should take a look at CAS (Central Authentication Service), there are a few user folders for Zope that can use this. The idea of automatic logon to Plone may possibly be done with CAS and ActiveDirectory or maybe with X509 certificates, tokens or such things.

-- Maciej Wisniowski
David H wrote:
Robert,
You can python + COM your way to a browser startup zope/plone login screen. I cannot see how you automate the authentication of a given browser instance that is then handed to your users.
Hmm, that's not automation in this sense. The user logs in to the workstation (Windows, don't know about unix), the user opens the browser and accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will then send authentication information to the Intranet server using the NTLM protocol. The web server (Apache with NTLM module) checks with some internal Domain server and sets the environment variable REMOTE_USER. This is then sent to a CGI or FastCGI app (Zope with FastCGI).
Maybe someone will correct this. If so everyone's happy.
Yes, local Intranet users love this, one less login, automatic recognition, personalisation, instant gratification,... ;-) Cheers, Fernando
Fernando Martins wrote:
David H wrote:
Robert,
You can python + COM your way to a browser startup zope/plone login screen. I cannot see how you automate the authentication of a given browser instance that is then handed to your users.
Hmm, that's not automation in this sense. The user logs in to the workstation (Windows, don't know about unix), the user opens the browser and accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will then send authentication information to the Intranet server using the NTLM protocol. The web server (Apache with NTLM module) checks with some internal Domain server and sets the environment variable REMOTE_USER. This is then sent to a CGI or FastCGI app (Zope with FastCGI).
Maybe someone will correct this. If so everyone's happy.
Yes, local Intranet users love this, one less login, automatic recognition, personalisation, instant gratification,... ;-)
It seems it is possible but a little convoluted. WARNING this has only had very limited testing and it's *not* in production (and I'm not sure it will ever be).

The first hurdle is that with the proxying configuration (RewriteRule with the P flag) ntlm_mod sends "Proxy-Authenticate" instead of "WWW-Authenticate" and it didn't work, so the first thing I needed to do was to modify ntlm_mod.c to always request "WWW-Authenticate" (easy to do, just find any instance of "r->proxyreq" and change it to "r->proxyreq && 0"). I didn't see this reported anywhere, so it could just be my local setup with apache 2.

Then in Apache I used the RequestHeader directive to add the remote user to the request *and* the E option in the RewriteRule to put the remote user in the environment (so that RequestHeader works), i.e. (zope is served here under the test directory "t"):

    <Location /t/>
        AuthName "A Protected Place"
        AuthType NTLM
        NTLMAuth On
        NTLMAuthoritative on
        NTLMDomain YOURDOMAIN
        NTLMServer yourhost
        NTLMBasicAuth on
        NTLMBasicRealm YOURREALM
        require valid-user
        RequestHeader set REMOTE_USER %{REMOTE_USER}e
    </Location>

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} !443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^443$
    RewriteCond %{HTTP_HOST} 443$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^/t/(.*) http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]

(note that this contortion with ssl may be due, again, to my setup. Note also that I didn't manage to make ntlm+ssl work with internet explorer, it works fine with firefox).
At this point zope should see an additional header REMOTE_USER (with the consequent security risk: you should make sure that nobody can directly access zope otherwise they can fake this header and pose as any user) which is available in request.environ as HTTP_REMOTE_USER.

Then it's just a matter of using PAS with the SharkbyteSSOPlugin (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured to use HTTP_REMOTE_USER.

I'd suggest to change

    userid = request.get(self.uservar)

to

    userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to me anyway, but I'm not a security expert ;-)

Bye

-- Luca Olivetti, Wetron Automatización S.A. http://www.wetron.es/ Tel. +34 93 5883004 Fax +34 93 5883007
Luca Olivetti wrote:
At this point zope should see an additional header REMOTE_USER (with the consequent security risk: you should make sure that nobody can directly access zope otherwise they can fake this header and pose as any user) which is available in request.environ as HTTP_REMOTE_USER.
Then it's just a matter of using PAS with the SharkbyteSSOPlugin (http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured to use HTTP_REMOTE_USER.
I'd suggest to change
userid = request.get(self.uservar)
to
userid = request.environ.get(self.uservar)
for a little more security - not that this setup seems really secure to me anyway, but I'm not a security expert ;-)
Ok, useless suggestion, since Zope request does "the right thing": 1) it will search in the environment before searching in the form and 2) it'll strip any form variable that starts with 'HTTP_'.

Bye

-- Luca Olivetti, Wetron Automatización S.A. http://www.wetron.es/ Tel. +34 93 5883004 Fax +34 93 5883007
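An added example (my own code, not from the thread, from SharkbyteSSOPlugin or from Zope) that puts the trust decision of the last two messages into runnable form: an extractor that reads HTTP_REMOTE_USER from the request environ only, and only when the request's peer address is the Apache proxy that did the NTLM handshake, plus a minimal request stand-in modelling the lookup order Luca describes (environ before form, form keys beginning with HTTP_ dropped). The trusted proxy addresses, the username syntax, the Request class and the sample requests are assumptions constructed for the example, not Zope's implementation or the plugin's configuration.

```python
import re

# Assumptions for this added example (not the thread's Apache/Zope config):
# Apache runs on the same host as Zope and proxies from the loopback address.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})
# "RequestHeader set REMOTE_USER ..." reaches Zope as HTTP_REMOTE_USER.
USER_HEADER = "HTTP_REMOTE_USER"
# Conservative account-name syntax; adjust to your directory's rules.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class Request:
    """Stand-in for a Zope request: a CGI-style environ plus form data.

    get() models the lookup order described in the thread (environ before
    form; form keys beginning with HTTP_ are discarded). It is a simplified
    model written for this example, not Zope's HTTPRequest.
    """

    def __init__(self, environ, form=None):
        self.environ = dict(environ)
        self.form = {k: v for k, v in (form or {}).items()
                     if not k.startswith("HTTP_")}

    def get(self, key, default=None):
        if key in self.environ:
            return self.environ[key]
        return self.form.get(key, default)


def extract_sso_user(request, trusted_proxies=TRUSTED_PROXIES,
                     header=USER_HEADER):
    """Return the account name asserted by the reverse proxy, or None.

    The header only means something when the TCP peer is the proxy that
    authenticated the user. Anyone who can reach Zope's port directly can
    send an arbitrary HTTP_REMOTE_USER, so the peer check is the control
    that makes the header trustworthy; empty or malformed values are
    rejected rather than handed to the user folder.
    """
    peer = request.environ.get("REMOTE_ADDR")
    if peer not in trusted_proxies:
        return None
    user = request.environ.get(header)
    if user is None:
        return None
    user = user.strip()
    if not USERNAME_RE.match(user):
        return None
    return user


# Constructed sample requests, mirroring the scenarios in the thread.

def proxied_request(authenticated_user, path="/t/index_html"):
    """What Zope sees after Apache authenticated the user and added the header."""
    return Request({
        "REMOTE_ADDR": "127.0.0.1",
        "PATH_INFO": path,
        USER_HEADER: authenticated_user,
    })


def direct_request(forged_user, client_ip="192.0.2.10"):
    """A client bypassing Apache and talking to Zope's port directly."""
    return Request({
        "REMOTE_ADDR": client_ip,
        "PATH_INFO": "/t/index_html",
        USER_HEADER: forged_user,
    })


def form_smuggled_request():
    """Proxied request without the header but with a form field named like it."""
    return Request({"REMOTE_ADDR": "127.0.0.1", "PATH_INFO": "/t/index_html"},
                   form={"HTTP_REMOTE_USER": "admin"})


if __name__ == "__main__":
    for label, req in [("via proxy", proxied_request("fernando")),
                       ("direct", direct_request("admin")),
                       ("form smuggling", form_smuggled_request())]:
        print(f"{label:15s} -> {extract_sso_user(req)!r}")
```

The peer-address check is what "make sure that nobody can directly access zope" amounts to in code; binding Zope's HTTP port to 127.0.0.1 or firewalling it is the stronger form of the same control, and the in-process check catches the case where that binding is lost. The example also relies on Apache *setting* the header (RequestHeader set, as in the quoted configuration) rather than passing a client-supplied one through on any proxied path.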
participants (12)

- Andreas Jung
- Chris Withers
- David H
- Dieter Maurer
- Fernando Martins
- Lennart Regebro
- Luca Olivetti
- Maciej Wisniowski
- Paul Winkler
- Robert Boyd
- robert rottermann
- Stefan H. Holek