ldap authentication with apache or LDAPUserFolder?
As some of you know, I am working on an installation of Zope/Zwiki. What I have inherited is a 2.5.1 Zope/Zwiki on a Debian box. I am wanting to move the data from the 2.5.1 to a 2.8. But here's the situation.

At the root of the 2.5.1 install there is an acl_users folder that appears to be the LDAPUserFolder authentication mechanism. However, upon looking at the apache config on my Debian box you see this:

<VirtualHost X.X.org:80>
    <location /Zope>
        AuthName "Knowledge Access"
        AuthType Basic
        AuthLDAPURL ldap://X.X.org:389/o=X.org?uid?sub?(objectClass=person)
        require group cn=caitstaff,ou=Groups,o=X.org
    </location>
    DocumentRoot /var/www
    ServerName X.X.org
    RedirectMatch ^/$ /Zope/
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope/(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
</VirtualHost>

I am trying to figure out what is authenticating the user, LDAPUserFolder or the AuthLDAP in Apache?

In the root folder of the 2.5.1 install, there is our knowledge folder, argyle, inventory, a public folder. Those are the custom folders we created. The Zope install folders are the control panel, temp_folder, Tutorial, test. There is an acl_users folder, but it is not the original and has the LDAPUserFolder configuration in it.

After authentication, the user is directed to the index_html which is in the root folder. The links present on this page point to our available knowledge bases (the custom folders we created). As well, it has a manage Zope link. Only certain users can access this link. Anyone authenticated to the knowledge bases though, can add, edit or delete content. This is the preferred method of this application as we want all users here to be able to openly collaborate.

I need to authenticate the same way on the new install as the old one. Here is the dilemma though. On the new install of 2.8, it rests on an RHEL4 server. On this apache, I have to use authZLDAP as there is a documented bug with RedHat for the AuthLDAP.

There are years of data collected in this knowledge base that I don't want to lose. So I am being about as careful as I can be...maybe too careful.

So, question wise...I am wondering what authentication to use. I know that LDAPUserFolder appears to be the way to go, but I don't know if that is what is actually happening. By the looks of the above apache configuration, could there be some sort of redirection happening?

Tim

On 11 Jul 2005, at 17:00, Tim Suter wrote:
> As some of you know, I am working on an installation of Zope/Zwiki. What I have inherited is a 2.5.1 Zope/Zwiki on a Debian box. I am wanting to move the data from the 2.5.1 to a 2.8. But here's the situation.

<snip half a mile of stuff>

Why don't you just *try* different combinations and see what happens? Like, comment out the Apache AuthLDAP stuff and see what happens.

jens

What I suspect is that you are working with Zope in Remote User Mode. You can verify this in a very quick way, by looking at your instance home directory and checking if the access file contains a line like 'admin:' or 'super:' or whatever, but with no password.

Regards
Marco

Tim Suter wrote:
> As some of you know, I am working on an installation of Zope/Zwiki. What I have inherited is a 2.5.1 Zope/Zwiki on a Debian box. I am wanting to move the data from the 2.5.1 to a 2.8. But here's the situation.
>
> At the root of the 2.5.1 install there is an acl_users folder that appears to be the LDAPUserFolder authentication mechanism. However, upon looking at the apache config on my Debian box you see this:
>
> <VirtualHost X.X.org:80>
>     <location /Zope>
>         AuthName "Knowledge Access"
>         AuthType Basic
>         AuthLDAPURL ldap://X.X.org:389/o=X.org?uid?sub?(objectClass=person)
>         require group cn=caitstaff,ou=Groups,o=X.org
>     </location>
>     DocumentRoot /var/www
>     ServerName X.X.org
>     RedirectMatch ^/$ /Zope/
>     RewriteEngine on
>     RewriteCond %{HTTP:Authorization} ^(.*)
>     RewriteRule ^/Zope/(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> </VirtualHost>
>
> I am trying to figure out what is authenticating the user, LDAPUserFolder or the AuthLDAP in Apache?
>
> In the root folder of the 2.5.1 install, there is our knowledge folder, argyle, inventory, a public folder. Those are the custom folders we created. The Zope install folders are the control panel, temp_folder, Tutorial, test. There is an acl_users folder, but it is not the original and has the LDAPUserFolder configuration in it.
>
> After authentication, the user is directed to the index_html which is in the root folder. The links present on this page point to our available knowledge bases (the custom folders we created). As well, it has a manage Zope link. Only certain users can access this link. Anyone authenticated to the knowledge bases though, can add, edit or delete content. This is the preferred method of this application as we want all users here to be able to openly collaborate.
>
> I need to authenticate the same way on the new install as the old one. Here is the dilemma though. On the new install of 2.8, it rests on an RHEL4 server. On this apache, I have to use authZLDAP as there is a documented bug with RedHat for the AuthLDAP.
>
> There are years of data collected in this knowledge base that I don't want to lose. So I am being about as careful as I can be...maybe too careful.
>
> So, question wise...I am wondering what authentication to use. I know that LDAPUserFolder appears to be the way to go, but I don't know if that is what is actually happening. By the looks of the above apache configuration, could there be some sort of redirection happening?
>
> Tim

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Participants (3): Jens Vagelpohl, Marco Bizzarri, Tim Suter
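
Added example, not part of the original thread and not Zope or Apache code: a small Python check that combines the two inspections discussed above, reading the Apache directives Tim quoted and looking for the empty-password access-file line Marco describes. The function names, the `name:password[:domains]` reading of the access file, and the sample access-file contents are assumptions made for illustration.

```python
import re

# Constructed inputs: directives as quoted in the thread; access files made up.
APACHE_CONF = """\
<location /Zope>
AuthType Basic
AuthLDAPURL ldap://X.X.org:389/o=X.org?uid?sub?(objectClass=person)
require group cn=caitstaff,ou=Groups,o=X.org
</location>
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/Zope/(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
"""
ACCESS_REMOTE = "# constructed sample\nadmin:\n"
ACCESS_LOCAL = "admin:{SHA}constructed-placeholder\n"


def apache_findings(conf):
    """Report which auth-related directives appear (case-insensitive)."""
    def has(pattern):
        return re.search(pattern, conf, re.I | re.M) is not None
    return {
        "apache_requires_login": has(r"^\s*AuthType\s+Basic") and has(r"^\s*require\s+\S"),
        "apache_checks_ldap": has(r"^\s*AuthLDAPURL\s+ldap"),
        # The e=HTTP_CGI_AUTHORIZATION flag copies the Authorization header
        # into the environment handed to the Zope CGI script.
        "credentials_forwarded": has(r"^\s*RewriteRule\b.*\be=HTTP_CGI_AUTHORIZATION:"),
    }


def access_file_entry(text):
    """Parse the first non-comment line, assumed to be name:password[:domains]."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        password = fields[1] if len(fields) > 1 else ""
        return {"name": fields[0], "empty_password": password == ""}
    return None


def diagnose(conf, access_text):
    result = apache_findings(conf)
    entry = access_file_entry(access_text)
    # An empty password is the sign Marco describes for Remote User Mode.
    result["remote_user_mode_suspected"] = bool(entry and entry["empty_password"])
    return result
```

If Apache requires a login and also forwards the credentials, both layers see the same Basic credentials, so the access-file result is what separates "Zope trusts Apache" from "Zope checks again through acl_users".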