[Zope] PAS and SSO pubcookie question

cristopher pierson ewing cewing at u.washington.edu
Thu Nov 16 16:10:00 EST 2006


Hi all,

I'm a newbie to zope, working on installing a plone website for the 
radiology department at the University of Washington.  I want to use SSO 
so that my content creators don't need to remember additional login/passwd 
for my site.

I've been working on getting apache proxying and pubcookie authentication 
to work with Zope (2.9.4? installed via the plone 2.5.1 installer and also 
by hand).  Instructions for doing this can be found at 
http://www.washington.edu/webinfo/case/zope/

So far, the apache proxy and mod_pubcookie parts of the puzzle seem to be 
working just fine.  I can protect a directory with AuthType UWNetID and 
all works as expected, and the proxy rewrites I've generated seem to be 
redirecting traffic from my port 80 apache instance to my zope instance as 
expected.  Logging in at the pubcookie login server also works, but when 
I'm redirected back to my zope instance, I am prompted for a 
login/password, and no matter what I give, I am locked out.

I have been able to log in to my zope instance via localhost:8080/manage, 
and when I've added the 'access' file with my username, a colon, and a 
newline, no password is required to log in.  So I think the 
'RemoteUserAuth' plugin described at the above site is working correctly.

I have debugged the interaction from the apache side as far as I am able, 
and I know that the appropriate headers are being sent to zope via the 
mod_fba module in apache.  What I can't do, and what I need help with, is 
debugging the zope half of this interaction.

I don't fully grasp the way that user authentication works in zope.  I'm 
not sure where to begin to look for the problem here, and I'm hoping 
someone can help.  I'm a python newbie, so I might need a little 
hand-holding, but I'm an experienced programmer, and willing to do pretty 
much anything to figure this one out.  The success of my plone site really 
depends on it.

The expected behavior is that mod_fba sets an authorization header with a 
username from pubcookie and sends it to zope with a page request for the 
ZMI.  Zope is supposed to enter _remote_user_mode (as I understand it) 
because I've provided the 'access' file, and then set the credential name 
using that header.  Zope then uses that name for authorization, taking for 
granted that it has been authenticated, and not checking passwords.

This appears to be happening correctly when I try to directly access the 
ZMI via localhost:8080/manage.  I can give a user name and no password and 
am logged in as expected.

However, when I try to access the ZMI via apache (http://myhost.com/manage
which gets rewritten to http://localhost:8080/manage in apache proxy), I 
am prompted via basic auth for username and password, and anything I enter 
is rejected.

Can anyone help me to figure out how I can debug the interaction here? 
Perhaps taking a look at the headers that apache is supposed to be sending 
once they arrive in zope?  Any other suggestions would be wholly and 
warmly welcomed.

Thanks for anything you might offer,

Cris

********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing at u.washington.edu
*******************************
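
One way to inspect the headers as they arrive at the backend, as an added example that is not part of the original post: a small Python listener that the Apache proxy rewrite can be pointed at temporarily in place of Zope, reporting whether an Authorization header arrived and which username it carries. It assumes mod_fba sends a Basic-scheme Authorization header; the port 8081, the header list, and the function names are hypothetical choices for illustration.

```python
import base64
import binascii
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers worth seeing when a front-end proxy asserts identity (assumed list).
IDENTITY_HEADERS = ("Authorization", "Host", "X-Forwarded-For", "X-Forwarded-Host")


def parse_basic_authorization(value):
    """Return (username, password) from a Basic Authorization value, else None."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def describe_request(headers):
    """Summarise identity-related headers without echoing any password."""
    lines = []
    for name in IDENTITY_HEADERS:
        value = headers.get(name)
        if value is None:
            value = "<absent>"
        elif name == "Authorization":
            value = "<present>"  # never log the raw credential
        lines.append("%s: %s" % (name, value))
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        lines.append("basic-auth user=%r password_empty=%s" % (creds[0], creds[1] == ""))
    return lines


class HeaderEcho(BaseHTTPRequestHandler):
    def do_GET(self):
        body = "\n".join(describe_request(self.headers)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8081  # assumed spare port
    HTTPServer(("127.0.0.1", port), HeaderEcho).serve_forever()  # loopback only
```

Comparing the output for a request sent through Apache with one sent directly to the listener shows whether the username header survives the proxy rewrite.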


