[Zope] PAS and SSO pubcookie question
cristopher pierson ewing
cewing at u.washington.edu
Thu Nov 16 16:10:00 EST 2006
Hi all,

I'm a newbie to zope, working on installing a plone website for the
radiology department at the University of Washington. I want to use SSO
so that my content creators don't need to remember additional login/passwd
for my site.

I've been working on getting apache proxying and pubcookie authentication
to work with Zope (2.9.4? installed via the plone 2.5.1 installer and also
by hand). Instructions for doing this can be found at
http://www.washington.edu/webinfo/case/zope/

So far, the apache proxy and mod_pubcookie parts of the puzzle seem to be
working just fine. I can protect a directory with AuthType UWNetID and
all works as expected, and the proxy rewrites I've generated seem to be
redirecting traffic from my port 80 apache instance to my zope instance as
expected. Logging in at the pubcookie login server also works, but when
I'm redirected back to my zope instance, I am prompted for a
login/password, and no matter what I give, I am locked out.

I have been able to log in to my zope instance via localhost:8080/manage,
and when I've added the 'access' file with my username, a colon, and a
newline, no password is required to log in. So I think the
'RemoteUserAuth' plugin described at the above site is working correctly.

I have debugged the interaction from the apache side as far as I am able,
and I know that the appropriate headers are being sent to zope via the
mod_fba module in apache. What I can't do, and what I need help with, is
debugging the zope half of this interaction.

I don't fully grasp the way that user authentication works in zope. I'm
not sure where to begin to look for the problem here, and I'm hoping
someone can help. I'm a python newbie, so I might need a little
hand-holding, but I'm an experienced programmer, and willing to do pretty
much anything to figure this one out. The success of my plone site really
depends on it.

The expected behavior is that mod_fba sets an authorization header with a
username from pubcookie and sends it to zope with a page request for the
ZMI. Zope is supposed to enter _remote_user_mode (as I understand it)
because I've provided the 'access' file, and then set the credential name
using that header. Zope then uses that name for authorization, taking for
granted that it has been authenticated, and not checking passwords.

This appears to be happening correctly when I try to directly access the
ZMI via localhost:8080/manage. I can give a user name and no password and
am logged in as expected.

However, when I try to access the ZMI via apache (http://myhost.com/manage
which gets rewritten to http://localhost:8080/manage in apache proxy), I
am prompted via basic auth for username and password, and anything I enter
is rejected.

Can anyone help me to figure out how I can debug the interaction here?
Perhaps taking a look at the headers that apache is supposed to be sending
once they arrive in zope? Any other suggestions would be wholly and
warmly welcomed.

Thanks for anything you might offer,

Cris
********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing at u.washington.edu
*******************************
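
One way to look at the headers as they arrive at the backend, as an added example (not part of the original post, and not code from Zope, pubcookie or mod_fba): a stand-in listener that echoes the request headers the proxy forwards and summarises the Authorization header without printing any password. It assumes the header uses the HTTP Basic format and that the listener temporarily takes Zope's place on 127.0.0.1:8080; `describe_auth` and `HeaderDump` are names made up for this sketch.

```python
from base64 import b64decode
from http.server import BaseHTTPRequestHandler, HTTPServer


def describe_auth(value):
    """Summarise an Authorization header value; never returns the password."""
    if not value:
        return {"present": False, "problem": "no Authorization header arrived"}
    scheme, _, blob = value.strip().partition(" ")
    info = {"present": True, "scheme": scheme}
    if scheme.lower() != "basic":  # assumption: the proxy sends Basic-format
        info["problem"] = "not Basic; cannot decode a username"
        return info
    try:
        decoded = b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        info["problem"] = "Basic payload is not valid base64/UTF-8"
        return info
    user, sep, password = decoded.partition(":")
    info.update(user=user, has_colon=bool(sep), password_len=len(password))
    if not user:
        info["problem"] = "empty username"
    return info


class HeaderDump(BaseHTTPRequestHandler):
    """Stand-in backend: echoes request headers, credentials summarised."""

    def do_GET(self):
        lines = ["%s %s" % (self.command, self.path)]
        for name, value in self.headers.items():
            if name.lower() == "authorization":
                value = repr(describe_auth(value))
            lines.append("%s: %s" % (name, value))
        body = "\n".join(lines).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumption: Zope is stopped and this listens on its port, loopback only,
    # so only the local proxy can reach it.
    HTTPServer(("127.0.0.1", 8080), HeaderDump).serve_forever()
```

Requesting the same URL once through the proxy and once directly against port 8080 shows whether the Authorization header survives the rewrite and what username it carries.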