[Zope3-Users] Re: apache as zope3's frontend and NTLM

Florent Guillaume fg at nuxeo.com
Sat Nov 12 14:36:27 EST 2005


Philipp von Weitershausen wrote:
> Simon Hang wrote:
> 
>>Dear all,
>> 
>>I'm trying to use apache as zope3's frontend, and do NTLM authentication
>>as well.
> 
> 
> Well, traditionally it's been part of Zope's responsibility to do
> credentials extraction and user authentication. That doesn't mean it
> couldn't be done by the webserver in front of Zope; there might just be
> other implications that you and I can't think of ;).
> 
> 
>>I've done:
>>1. Installed mod_ntlm for apache 1.3, and tested.
>>2. Created a VirtualHost for the zope3 instance, forwarding http requests
>>using the rewrite engine. And tested.
>> 
>>Now I try to put things together => A virtualhost can do NTLM
>>authentication and forward the request to zope3; my virtual host
>>configuration of apache is as below:
>> 
>><VirtualHost *:808>
>>    DocumentRoot c:/myroot
>>    Servername myserver
>>    ErrorLog logs/myerror.log
>>    CustomLog logs/myaccess.log common
>>    RewriteEngine On
>>    RewriteRule ^(/?.*) http://localhost:8080/++vh++http:myserver:808/++$1 [P,L]
>>    <Location "/">
>>        <IfModule mod_ntlm.c>
>>            AuthName "realm"
>>            AuthType NTLM
>>            NTLMAuth On
>>            NTLMAuthoritative On
>>            NTLMDomain mydomain
>>            NTLMOfferBasic Off
>>            NTLMBasicPreferred Off
>>            require valid-user
>>        </IfModule>
>>    </Location>
>></VirtualHost>
>> 
>>Every time I try to access the page, the browser shows me the error
>>message below:
>>
>>
>>  Authorization Required
>>
>>This server could not verify that you are authorized to access the
>>document requested. Either you supplied the wrong credentials (e.g., bad
>>password), or your browser doesn't understand how to supply the
>>credentials required.
>> 
>>What's wrong in my settings?
> 
> 
> Well, Zope 3 doesn't care that Apache has authenticated your user. It
> doesn't see that. If you want the Zope 3 security system to interact
> with Apache's, here's a suggestion (not sure if it'll actually work):
> 
> - Have Apache forward the REMOTE_USER CGI env variable, e.g. by using
> the "E" flag at the end of rewrite rule:
> 
>   [P,L,E=REMOTE_USER:%{REMOTE_USER}]

Will that really work? env variables are only useful in CGI mode, but 
proxying doesn't involve CGI. Rather I'd advise using additional 
parameters to the URL, like we do here for Zope 2 for instance:

http://svn.nuxeo.org/trac/pub/file/CMFNtlmSso/trunk/doc/vhost_sso.conf

> - Have a custom ICredentialsPlugin that simply looks at this env
> variable in the request for the log-in credentials. To challenge the
> user for authentication, it would simply use the same authentication
> realm as set in the apache.conf, so that it gets picked up by Apache
> when the user provides the credentials.

And this plugin would have to get the credentials from the URL instead 
of the env variable. I wish apache had a proper way to add request 
headers during proxying...

Florent

> 
> - Have a custom IAuthenticatorPlugin that uses the credential data of
> the former plug-in to create a principal object from it. It wouldn't
> really need to do any actual authentication because that had already
> been done by Apache. The only thing this plug-in needs to do is convert
> the credentials data into an actual principal object.
> 
> Hope that helps.
> 
> Philipp


-- 
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
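Added example, not code from this thread or from Zope or Nuxeo: a plain-Python sketch of the two plugins Philipp describes, a credentials plugin that picks up the identity Apache has already verified and an authenticator that turns it into a principal without re-checking a password. It reads the identity either from a request header or from a URL parameter, the two transports debated above. The method names mirror the shape of Zope 3's ICredentialsPlugin and IAuthenticatorPlugin (extractCredentials/challenge, authenticateCredentials/principalInfo) but nothing here imports Zope; the Request class, the header and parameter names, the "ntlm." id prefix and the trusted-proxy address are all assumptions for the demo. The check a practitioner will want is in extractCredentials: a header or URL parameter that says "the user is X" is a bare assertion any client can send, so the backend only honours it when the request arrived from the front-end that ran the NTLM exchange.

```python
"""Added example (not from the thread): Zope 3-style PAU plugins that trust an
identity asserted by a front-end Apache, written as standalone Python.
Assumed names: TRUSTED_PROXY, USER_HEADER, USER_PARAM, PRINCIPAL_PREFIX."""

from collections import namedtuple

TRUSTED_PROXY = "127.0.0.1"      # assumed: Apache proxies from the same host
USER_HEADER = "X-Remote-User"    # assumed header carrying Apache's REMOTE_USER
USER_PARAM = "remote_user"       # assumed URL parameter (Florent's alternative)
REALM = "realm"                  # must match AuthName in the Apache vhost
PRINCIPAL_PREFIX = "ntlm."       # assumed id prefix for principals from Apache

PrincipalInfo = namedtuple("PrincipalInfo", "id title description")


class Request:
    """Minimal stand-in for a Zope request: headers, form data, client address,
    and the response fields a challenge needs to set."""

    def __init__(self, headers=None, form=None, remote_addr="127.0.0.1"):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.form = dict(form or {})
        self.remote_addr = remote_addr
        self.response_headers = {}
        self.status = 200


class ProxyIdentityCredentials:
    """ICredentialsPlugin lookalike: extract the identity Apache asserts."""

    def extractCredentials(self, request):
        # The asserted user name is only meaningful if it was set by the proxy
        # that performed NTLM; from any other source it is spoofable, so drop it.
        if request.remote_addr != TRUSTED_PROXY:
            return None
        login = (request.headers.get(USER_HEADER.lower())
                 or request.form.get(USER_PARAM))
        if not login:
            return None
        # mod_ntlm hands over DOMAIN\user; keep it whole, it is part of the id.
        return {"login": login}

    def challenge(self, request):
        # Use the same realm as apache.conf so the challenge is meaningful to
        # Apache when it relays it (assumed: a Basic-style realm-bearing header).
        request.status = 401
        request.response_headers["WWW-Authenticate"] = 'Basic realm="%s"' % REALM
        return True

    def logout(self, request):
        # Nothing to clear: the identity lives in the front-end's session.
        return False


class ProxyAuthenticator:
    """IAuthenticatorPlugin lookalike: no password check, Apache already did it."""

    def authenticateCredentials(self, credentials):
        if not credentials or not credentials.get("login"):
            return None
        login = credentials["login"]
        return PrincipalInfo(PRINCIPAL_PREFIX + login, login,
                             "authenticated by the front-end web server")

    def principalInfo(self, principal_id):
        if not principal_id.startswith(PRINCIPAL_PREFIX):
            return None
        login = principal_id[len(PRINCIPAL_PREFIX):]
        return PrincipalInfo(principal_id, login,
                             "authenticated by the front-end web server")


def authenticate(request,
                 cred_plugin=ProxyIdentityCredentials(),
                 auth_plugin=ProxyAuthenticator()):
    """What the PAU does with the two plugins: extract, then authenticate.
    Returns a PrincipalInfo, or None when the request carries no trusted identity."""
    credentials = cred_plugin.extractCredentials(request)
    if credentials is None:
        return None
    return auth_plugin.authenticateCredentials(credentials)


if __name__ == "__main__":
    # Constructed sample requests: one from the proxy, one spoofed from a client.
    via_proxy = Request(headers={"X-Remote-User": "MYDOMAIN\\simon"})
    spoofed = Request(headers={"X-Remote-User": "MYDOMAIN\\admin"},
                      remote_addr="10.0.0.5")
    print(authenticate(via_proxy))   # principal ntlm.MYDOMAIN\simon
    print(authenticate(spoofed))     # None: asserted identity ignored
```

The principalInfo round trip matters for Zope's own bookkeeping (it looks principals up again by id after the first request), which is why the authenticator derives the id from the login deterministically rather than minting a new one each time.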