Skip to main content

Authenticates requests coming from a reverse proxy doing user authentication.

Project description

Introduction

pas.plugins.trustedproxyauth is a PAS plugin for Plone/Zope2 which authenticates requests coming from a trusted reverse proxy where the user name is provided by a HTTP header.

The idea is to delegate user authentication to a reverse proxy (e.g. Apache with mod_auth_kerb) which is placed in front of the Zope instance. For any request coming from the reverse proxy, the user name is extracted from a HTTP header (typically X_REMOTE_USER) that was set by the authenticating proxy server.

Installation

  • Add pas.plugins.trustedproxyauth to the list of eggs in your buildout. Then rerun buildout and restart your instance.

  • In the ZMI go to your acl_users folder and select Trusted Proxy Authentication from the Add menu.

  • Activate the Authentiation and Extraction functionality on the Activate tab. You may want to change the order of the extraction and authentication plugins by moving Trusted Proxy Authentication on top.

Options

The following mandatory settings must be configured:

Trusted Proxy IPs

Specify the ip address of your reverse proxy here. Only requests coming from a trusted ip will be considered for user name extraction. You can specify multiple ip addresses. Defaults to 127.0.0.1.

Login Name Header

The name of the HTTP header containing the users login name. This header must be set by the authentication proxy. Defaults to X_REMOTE_USER.

Require Exisiting PAS User

If disabled, any login name provided in the header is authenticated (recommended). If enabled, only login names that can be looked up with PAS are authenticated.

pas.plugins.trustedproxyauth supports user name transformations that may be needed in combination with some reverse proxies. The following options are supported:

Lowercase Login

Transform the extracted login name to lowercase.

Lowercase Domain

Transform the domain name part of the extracted login name to lowercase. This is useful when using Kerberos authentication and the user id consists of userid@REALM.

Strip NT Domain

Remove the NT domain part from the extracted user name. All user names in the form DOMAIN\userid are transformed to userid.

Strip AD Domain

Remove the AD domain part from the extracted user name. All user names in the form userid@domain are transformed to userid.

User Name Mapping

Specify a custom user name mapping by providing the extracted user name and the mapped user name separated by colon per line.

Example:

user1:guest
user2:admin

Changelog

1.3.0 (2019-10-25)

  • Drop Plone 4.0 and 4.1 support. [jone]

  • Add Plone 5 support. [busykoala]

1.2 (2012-06-11)

  • Added option to emulate Plone logins which includes the creation of member areas and firing login events. The feature can be enabled by setting the Plone Login Timeout option. [buchi]

1.1 (2012-04-26)

  • Added option to verify the user name given in the request header. If enabled, only user names that can be looked up with PAS are authenticated. [buchi]

  • Added a config page for plugin configuration and removed the ZMI properties that were used for configuration previously. With this change the user name mapping no longer needs to be calculated with each request. [buchi]

  • Do user name mapping in the extraction part instead of the authenticate part. [buchi]

1.0.1 (2011-12-13)

  • Added option to lowercase AD domain part of login. [buchi]

  • Added username mapping feature for rewriting the username provided by the trusted proxy into a known plone username. [jbaumann]

  • Improved hostname to IP resolution [jbaumann]

  • Added tests [jbaumann]

  • Added option to strip NT and AD domains from login. [buchi]

1.0 (2011-02-25)

  • Initial release [buchi].

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pas.plugins.trustedproxyauth-1.3.0.tar.gz (19.7 kB view details)

Uploaded Source

File details

Details for the file pas.plugins.trustedproxyauth-1.3.0.tar.gz.

File metadata

  • Download URL: pas.plugins.trustedproxyauth-1.3.0.tar.gz
  • Upload date:
  • Size: 19.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.8.0 requests-toolbelt/0.8.0 tqdm/4.23.4 CPython/2.7.15

File hashes

Hashes for pas.plugins.trustedproxyauth-1.3.0.tar.gz
Algorithm Hash digest
SHA256 8b0da743632d5752d6af22705587869477fbb7b98a3d60ca77ab902e6c4268ee
MD5 0941432dd38d3b85eeb71ed6fde6e29b
BLAKE2b-256 3c5d483f33decbde7d255b18e9bffa349d06bbc97613177d2b69a42b556a6580

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page