[Zope3-Users] Re: apache as zope3's frontend and NTLM

Philipp von Weitershausen philipp at weitershausen.de
Sat Nov 12 14:28:26 EST 2005

Simon Hang wrote:
> Dear all,
> I'm trying to use apache as zope3's frontend, and do NTLM authentication
> as well.

Well, traditionally it's been part of Zope's responsibility to do
credentials extraction and user authentication. That doesn't mean it
couldn't be done by the webserver in front of Zope; there might just be
other implications that you and I can't think of ;).

> I've done:
> 1. Installed mod_ntlm for apache 1.3, and tested.
> 2. Create a VirtualHost for zope3 instance, forwarding http request
> using rewrite engine. And tested.
> Now I try to put things together => A virtualhost can do NTLM
> authentication and forward request to zope3, my virtual configuration of
> apache as below:
> <VirtualHost *:808>
>     DocumentRoot c:/myroot
>     Servername myserver
>     ErrorLog logs/myerror.log
>     CustomLog logs/myaccess.log common
>     RewriteEngine On
>     RewriteRule ^(/?.*) http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
>     <Location "/">
>         <IfModule mod_ntlm.c>
>             AuthName "realm"
>             AuthType NTLM
>             NTLMAuth On
>             NTLMAuthoritative On
>             NTLMDomain mydomain
>             NTLMOfferBasic Off
>             NTLMBasicPreferred Off
>             require valid-user
>         </IfModule>
>     </Location>
> </VirtualHost>
> Every time I try to access the page, the browser shows me error message as
> below:
>   Authorization Required
> This server could not verify that you are authorized to access the
> document requested. Either you supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the
> credentials required.
> What's wrong in my settings?

Well, Zope 3 doesn't care that Apache has authenticated your user. It
doesn't see that. If you want the Zope 3 security system to interact
with Apache's, here's a suggestion (not sure if it'll actually work):

- Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
the "E" flag at the end of rewrite rule:


- Have a custom ICredentialsPlugin that simply looks at this env
variable in the request for the log-in credentials. To challenge the
user for authentication, it would simply use the same authentication
realm as set in the apache.conf, so that it gets picked up by Apache
when the user provides the credentials.

- Have a custom IAuthenticatorPlugin that uses the credential data of
the former plug-in to create a principal object from it. It wouldn't
really need to do any actual authentication because that had already
been done by Apache. The only thing this plug-in needs to do is convert
the credentials data into an actual principal object.

Hope that helps.
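
Added example, not part of the original message and not Zope's own code: a sketch of the two plug-in roles described above, written as plain Python stand-ins. The request key `REMOTE_USER`, the front-end address check, the `DOMAIN\user` format and the `apache.` prefix are assumptions; challenging the user is left to Apache here.

```python
from collections import namedtuple

# Plain-Python stand-ins (no zope imports). Only the method names
# extractCredentials / authenticateCredentials follow Zope 3's plug-in
# interfaces; every other name and value below is an assumption.
PrincipalInfo = namedtuple("PrincipalInfo", "id title description")

TRUSTED_FRONTENDS = {"127.0.0.1"}  # assumption: Apache proxies from localhost
USER_KEY = "REMOTE_USER"           # assumption: where Apache's user shows up


class FakeRequest:
    """Constructed stand-in for a Zope request environment."""

    def __init__(self, environ):
        self._environ = dict(environ)

    def get(self, key, default=None):
        return self._environ.get(key, default)


class RemoteUserCredentials:
    """Credentials plug-in role: pick up the user Apache authenticated."""

    def extractCredentials(self, request):
        # Believe the value only when the request came through the front
        # end; a client talking to port 8080 directly could set it freely.
        if request.get("REMOTE_ADDR") not in TRUSTED_FRONTENDS:
            return None
        user = (request.get(USER_KEY) or "").strip()
        if not user:
            return None
        # Assumed format: either "user" or "DOMAIN\user".
        domain, _, login = user.rpartition("\\")
        if not login:
            return None
        return {"login": login.lower(), "domain": domain.upper()}


class RemoteUserAuthenticator:
    """Authenticator plug-in role: no password check, build a principal."""

    prefix = "apache."  # hypothetical id prefix

    def authenticateCredentials(self, credentials):
        if not credentials or not credentials.get("login"):
            return None
        login = credentials["login"]
        return PrincipalInfo(self.prefix + login, login, credentials["domain"])
```

The address check only means something if the Zope port accepts connections from the front end alone, and if Apache overwrites any client-supplied value under the same key.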

