[Zope] single sign-on

Luca Olivetti luca at wetron.es
Fri Apr 7 05:07:05 EDT 2006


Fernando Martins wrote:
> David H wrote:
>> Robert,
>>
>> You can python + COM your way to a browser startup zope/plone login
>> screen.  I cannot see how you automate the authentication of a given
>> browser instance that is then handed to your users.
>>
> 
> Hmm, that's not automation in this sense. The user logs into the
> workstation (Windows, don't know about unix), the user opens the browser and
> accesses an INTRANET page. The browser (IE or Firefox with NTLM setup) will
> then send authentication information to the Intranet server using the NTLM
> protocol. The web server (Apache with NTLM module) checks with some internal
> Domain server and sets the environmental variable REMOTE_USER. This is then
> sent to a CGI or FastCGI app (zope with FastCGI).
> 
>> Maybe someone will correct this.  If so everyone's happy.
> 
> Yes, local Intranet users love this, one less login, automatic recognition,
> personalisation, instant gratification,... ;-)

It seems it is possible but a little convoluted.
WARNING: this has only had very limited testing and it's *not* in 
production (and I'm not sure it will ever be).

The first hurdle is that with the proxying configuration (RewriteRule 
with the P flag) ntlm_mod sends "Proxy-Authenticate" instead of 
"WWW-Authenticate" and it didn't work, so the first thing I needed to do 
was to modify ntlm_mod.c to always request "WWW-Authenticate" (easy to 
do: just find any instance of "r->proxyreq" and change it to 
"r->proxyreq && 0"). I didn't see this reported anywhere, so it could 
just be my local setup with Apache 2.

Then in Apache I used the RequestHeader directive to add the remote user 
to the request *and* the E option in the RewriteRule to put the remote 
user in the environment (so that RequestHeader works),
i.e. (zope is served here under the test directory "t"):


# Everything under /t/ (where Zope is served) is NTLM-protected; the
# authenticated user name ends up in the REMOTE_USER environment variable.
<Location /t/>
         AuthName "A Protected Place"
         AuthType NTLM
         NTLMAuth On
         NTLMAuthoritative on
         NTLMDomain YOURDOMAIN
         NTLMServer yourhost
         NTLMBasicAuth on
         NTLMBasicRealm YOURREALM
         require valid-user

         # Forward the authenticated user to Zope as a request header
         # (reads the REMOTE_USER env var, which the E= flag below sets)
         RequestHeader set REMOTE_USER %{REMOTE_USER}e
</Location>

# Proxy /t/ to Zope's VirtualHostMonster. LA-U: makes mod_rewrite
# look ahead so REMOTE_USER is already known when the rule runs.
# https, Host header without an explicit port: add :443
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} !443$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
# https, Host header already carries the port
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} 443$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]
# plain http
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/t/(.*) \
  http://localhost:10080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/_vh_t/$1 \
  [L,P,E=REMOTE_USER:%{LA-U:REMOTE_USER}]


(Note that this contortion with SSL may be due, again, to my setup. Note 
also that I didn't manage to make NTLM+SSL work with Internet Explorer; 
it works fine with Firefox.)

At this point zope should see an additional header REMOTE_USER (with the 
consequent security risk: you should make sure that nobody can directly 
access zope otherwise they can fake this header and pose as any user) 
which is available in request.environ as HTTP_REMOTE_USER.

Then it's just a matter of using PAS with the SharkbyteSSOPlugin 
(http://dev.plone.org/collective/browser/SharkbyteSSOPlugin) configured 
to use HTTP_REMOTE_USER.

I'd suggest changing

    userid = request.get(self.uservar)

to

    userid = request.environ.get(self.uservar)

for a little more security - not that this setup seems really secure to 
me anyway, but I'm not a security expert ;-)

Bye
-- 
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004      Fax +34 93 5883007
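The two risks the post names (the REMOTE_USER header being forgeable when Zope is reachable directly, and `request.get()` being satisfiable by a client-supplied form variable) can be shown with a small Python model. This is an added example, not code from the post, from SharkbyteSSOPlugin or from Zope: `FakeRequest` is a constructed stand-in that models only the assumption that Zope's `HTTPRequest.get()` consults form variables before the CGI environment; the `PROXY_ADDR` loopback check is an extra hardening step the post does not describe, and the addresses and user names are made up.

```python
from urllib.parse import parse_qs

# Assumption (not in the post): Apache proxies to Zope over loopback, so a
# request whose REMOTE_ADDR is anything else never passed through Apache.
PROXY_ADDR = "127.0.0.1"


def cgi_environ(headers, remote_addr, query_string=""):
    """Build the CGI environment a server hands to Zope: each request header
    X-Y is exposed as HTTP_X_Y, so the REMOTE_USER header that Apache adds with
    'RequestHeader set REMOTE_USER ...' shows up as HTTP_REMOTE_USER."""
    env = {"REMOTE_ADDR": remote_addr, "QUERY_STRING": query_string}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


class FakeRequest:
    """Constructed stand-in for Zope's HTTPRequest. Only the behaviour that
    matters here is modelled: request.get() returns form (query-string)
    variables before falling back to the CGI environment, while
    request.environ is the raw environment and carries no form data."""

    def __init__(self, environ):
        self.environ = environ
        qs = parse_qs(environ.get("QUERY_STRING", ""))
        self.form = {key: values[0] for key, values in qs.items()}

    def get(self, key, default=None):
        if key in self.form:  # client-controlled value shadows the header
            return self.form[key]
        return self.environ.get(key, default)


def userid_original(request, uservar="HTTP_REMOTE_USER"):
    """Lookup as the post says the plugin ships: request.get(self.uservar)."""
    return request.get(uservar)


def userid_environ(request, uservar="HTTP_REMOTE_USER"):
    """Lookup the post suggests instead: request.environ.get(self.uservar)."""
    return request.environ.get(uservar)


def userid_hardened(request, uservar="HTTP_REMOTE_USER"):
    """environ lookup plus a check that the request came from the proxy
    (assumed mitigation, not from the post): a header on a request that did
    not arrive from PROXY_ADDR was never set by Apache and is ignored."""
    if request.environ.get("REMOTE_ADDR") != PROXY_ADDR:
        return None
    return request.environ.get(uservar)


def scenarios():
    """Run the three lookups over three constructed requests; returns the user
    id each lookup would accept (None = not authenticated)."""
    # 1. Normal path: NTLM-authenticated as alice, forwarded by Apache.
    via_apache = FakeRequest(cgi_environ({"REMOTE_USER": "alice"}, PROXY_ADDR))
    # 2. Through Apache, authenticated as bob, but with a crafted query string.
    forged_form = FakeRequest(cgi_environ({"REMOTE_USER": "bob"}, PROXY_ADDR,
                                          "HTTP_REMOTE_USER=admin"))
    # 3. Straight to the Zope port, bypassing Apache, with a hand-written header.
    direct = FakeRequest(cgi_environ({"REMOTE_USER": "admin"}, "10.0.0.5"))

    results = {}
    for name, req in (("via_apache", via_apache),
                      ("forged_form", forged_form),
                      ("direct", direct)):
        results[name] = (userid_original(req),
                         userid_environ(req),
                         userid_hardened(req))
    return results


if __name__ == "__main__":
    for name, (orig, env, hard) in scenarios().items():
        print(f"{name:12s} request.get={orig!r:8} environ.get={env!r:8} "
              f"hardened={hard!r}")
```

The second scenario is the one the `request.environ.get` change fixes: with `request.get`, a user who is legitimately authenticated as `bob` becomes `admin` by appending `?HTTP_REMOTE_USER=admin`. The third scenario is the one the change does not fix, because the attacker writes the header itself; only keeping the Zope port unreachable (or, as modelled here, refusing the header unless the request came from the proxy) closes it.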

