apache authentication with proxy -- remote user mode
hello all

has anybody got this working:

apache with as a proxy should do authentication
zope is in remote user mode (as described in the docs, by leaving out the password after the colon in the "access" file)

the apache server authenticates successfully and in the z2.log file i see that the remote_user variable is passed over, but zope always wants to switch back to normal user authentication and wants credentials. (btw. the user is existent in the root user folder)

is it possible, that this is a proxy problem, do i need to pass additional information?

tia, bernd

zope-mailinglist writes:
> the apache server authenticates successfully and in the z2.log file i see that the remote_user variable is passed over, but zope always wants to switch back to normal user authentication and wants credentials. (btw. the user is existent in the root user folder)
> is it possible, that this is a proxy problem, do i need to pass additional information?

I think it is possible.

You need to put Zope in "_remote_user_mode". Look at "AccessControl/User" for how to do that...

Dieter

Dieter Maurer wrote:
> zope-mailinglist writes:
> > the apache server authenticates successfully and in the z2.log file i see that the remote_user variable is passed over, but zope always wants to switch back to normal user authentication and wants credentials. (btw. the user is existent in the root user folder)
> > is it possible, that this is a proxy problem, do i need to pass additional information?
> I think it is possible.
> You need to put Zope in "_remote_user_mode". Look at "AccessControl/User" for how to do that...
> Dieter

thanks for your reply

sorry, forgot to state that zope already runs in _remote_user_mode

the problem seems to be that zope looks in request.environ['REMOTE_USER'] which is not present in the zope process, only in the apache process -- seems that remote_user_mode is only for cgi mode, where apache passes its environment variables to the cgi.

i found out that i need request._auth
this is the base64 encoded user:pw string

i tried it out by changing the source of User.py like this:

replace:
    name = request.environ.get('REMOTE_USER', None)
with:
    name = self.identify(request._auth)[0]

... and it works, but that can only be a temporary solution. the problem is that if i do this, users can easily be faked by just using another apache proxy which authenticates users with the same name. therefore a domain restriction needs to be applied.

maybe this is a new feature for zope such as "proxy_authentication_mode".

i think i have to subclass UserFolder and User and then provide the appropriate validate method

is there another solution?

tia, bernd

> ... and it works, but that can only be a temporary solution. the problem is that if i do this, users can easily be faked by just using another apache proxy which authenticates users with the same name. therefore a domain restriction needs to be applied.

This temporary solution can be made more secure by using your favorite of ipchains/iptables/pf/ipfilter/similar on the Zope box to allow access to the Zope port from your Apache a.b.c.d/32 proxy address only. You can still access Zope directly if necessary by port forwarding over SSH or similar.

Adam

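The domain restriction bernd asks for and the packet filter Adam suggests apply the same rule at two layers: a user name taken from request._auth is only believable when the connection comes from the Apache proxy. As an added example (not code from this thread and not Zope's own API), the application-side check could look like the sketch below; the function names are hypothetical and 192.0.2.10 is a constructed proxy address.

```python
import base64
import binascii
import ipaddress

# Assumption: the Apache proxy is the only host allowed to assert identities.
# 192.0.2.10 is a constructed documentation address, not one from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def peer_is_trusted(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the TCP peer address lies in a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def proxy_asserted_user(auth, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the user name from a Basic Authorization value, or None.

    `auth` corresponds to request._auth in the thread. The password is
    ignored because Apache has already checked it, which is exactly why the
    name may only be believed when the connection comes from the proxy.
    """
    if not peer_is_trusted(remote_addr, trusted):
        return None
    scheme, _, payload = (auth or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    name, sep, _password = decoded.partition(":")
    return name if sep and name else None


def basic_header(user, password):
    """Build a constructed Basic header value for the demo below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = basic_header("bernd", "x")
    print(proxy_asserted_user(hdr, "192.0.2.10"))    # request from the proxy
    print(proxy_asserted_user(hdr, "198.51.100.7"))  # request from elsewhere
```

The peer address must be the socket-level address of the connection, not a value taken from a forwarded header, since a client can set such headers itself.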
zope-mailinglist writes:
> ... sorry, forgot to state that zope already runs in _remote_user_mode the problem seems to be that zope looks in request.environ['REMOTE_USER'] which is not present in the zope process, only in the apache process -- seems that remote_user_mode is only for cgi mode, where apache passes its environment variables to the cgi.

Tell Apache to pass the "REMOTE_USER" information.

Apache "Rewrite" rules provide provisions to set environment variables. Look at the "Rewrite rule" documentation.

Dieter

participants (3)
- Adam Manock
- Dieter Maurer
- zope-mailinglist