[Zope-PAS] Re: using Session Auth Helper, sequence of active plugins

Tres Seaver tseaver at palladion.com
Tue Apr 10 18:17:33 EDT 2007

Hash: SHA1

robert rottermann wrote:
> Hi there,
> I would like to use Session Auth Helper to authenticate a user after he
> has logged into a site using Active Directory.
> this are the steps I use to create the setup:
> - add an ActiveDirectory Multiplugin
>     - activate all services
> - apply patches to have the groups working
>     according instructions on Plone I install
>         LDAPMultiPlugins-plone.org.patch from antiloop.plone.org
> - add an Session Auth Helper
>     - activate all three services (Reset Credentials, UpdateCredentials,
> Extraction)
> - Up the session timeout of the site to 5 hours
> Now my questions:
> - do I have to change the sequence of the active plugins to avoid
> contacting the AD server after a successful login

>   (as long the session is active)
>     it is like this now
>         credentials_cookie_auth
>        AD Multiplugin
>        Session Auth Helper
> - is there something else I have to take care of?

Yes, you want the session auth plugin to be registered *ahead* of the AD
/ LDAP plugin, in the registration for IAuthenticateCredentials.  That
list looks like the one for IExtractCredentials (the cookie plugin can't
actually authenticate, it only retrieves credentials from the request).

- --
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Zope-PAS mailing list