[Zope] PAS and SSO pubcookie question

Maciej Wisniowski maciej.wisniowski at coig.katowice.pl
Thu Nov 16 16:44:58 EST 2006


> I have been able to log in to my zope instance via
> localhost:8080/manage, and when I've added the 'access' file with my
> username, a colon, and a newline, no password is required to login.  So
> I think the 'RemoteUserAuth' plugin described at the above site is
> working correctly.
I don't know this kind of SSO. Seems to be complicated.
CACSiteRoot and RemoteUserAuth I don't know any of these... Think it
will be difficult to help you until there is somebody that used those
things, but maybe I'm wrong :)

> I don't fully grasp the way that user authentication works in zope.  I'm
> not sure where to begin to look for the problem here, and I'm hoping
> someone can help. 
You may read about Zope Security system on plope.org in Zope Book 2.7
edition.

You may want to take a look at error_log, and maybe remove unauthorized
from the list of omitted exceptions there. Additionally you may want to
enable VerboseSecurity in zope.conf. AFAIR you need to uncomment:

SecurityPolicyImplementation Python
VerboseSecurity On

Maybe then you'll see more information.


And how to debug zope part of authentication... You may possibly take a
look at the sources of RemoteUserAuth. It is possibly something with
that. Simplest debugging may be done by adding

print 'hello - im here!'

statements to the RemoteUserAuth code, and then running Zope with
./runzope (or runzope.bat on Windows). It doesn't detach from console
and you'll see your printed statements. You may also use pdb - Python
debugger:

http://plone.org/documentation/how-to/using-pdb



> However, when I try to access the ZMI via apache
> (http://myhost.com/manage which gets rewritten to
> http://localhost:8080/manage in apache proxy), I am prompted via basic
> auth for username and password, and anything I enter is rejected.
Typically apache rewrites make use of VirtualHostMonster in Zope
but your how-to uses different syntax.


> The expected behavior is that mod_fba sets an authorization header with
> a username from pubcookie and sends it to zope with a page request for
> the ZMI.  
I don't understand why this SSO is about ZMI? ZMI is Zope Management
Interface - so it is rather for managers/programmers, not for typical
users. Strange.

We've successfully implemented an SSO solution with CAS. There are nice
plugins for Zope and Plone to deal with this.

-- 
Maciej Wisniowski



