Plone & CGI with one input using mod_auth_tkt

Several questions were answered suggesting using mod_auth_tkt to enable Plone 4 (Plone and Asp.Net integration; Use the Plone authentication mechanism to log in to other sites) to authenticate other web applications, and since I have a couple of CGIs that already go through hoops for authentication through Plone, this seems perfect for my purpose. However, I cannot find much documentation about using mod_auth_tkt in general and absolutely nothing about using it with Plone.

I have the following problems.

  • mod_auth_tkt expects a common "secret". The mod_auth_tkt examples show that Apache gets this from the configuration file. Plone does not share its secrets, so how does Apache know that this Plone cookie is a valid auth_tkt?
  • Which URL should be used in the Apache TKTAuthLoginURL configuration? [I'm not sure this is vital, because at the moment I'm really interested in calling something inside Plone, and not directly as CGI]
  • Apache expects the ticket cookie to be specified through TKTAuthCookieName (default is "auth_tkt"). What does Plone call it? __ac?
+4
2 answers

The documentation for using mod_auth_tkt is a help page distributed with the source.

In response to your specific questions:

  • In /Plone/acl_users/session, on the "Manage Secrets" tab, set a shared secret. (This is described in the documentation for setting up a shared secret with the IIS login form.) You must set the same secret in your Apache configuration using the TKTAuthSecret directive.

  • For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1, use /Plone/login, assuming the Plone site is hosted in /Plone. Use /login_form or /login if it is located in the root.

  • Plone uses _ac by default, so use TKTAuthCookieName "_ac". (The Plone cookie name is used in the acl_users session settings and cookie authentication settings.)

You may need to set TKTAuthBackArgName "came_from", although I think Plone will return to the referrer URL so that it can work without it. And you will need to check the "Use hash algorithm compatible with mod_auth_tkt" parameter in the acl_users/session settings tab.

+4
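How a consumer holding the shared secret (Apache with TKTAuthSecret, or one of the CGIs) can tell that a cookie is a valid auth_tkt, as an added example that is not part of the original answer and not Plone's or mod_auth_tkt's own code. It assumes the default MD5 ticket layout of mod_auth_tkt (32 hex digest, 8 hex timestamp, userid, optional tokens, user data, separated by "!"), a base64-encoded cookie value, and IP checking disabled (0.0.0.0); the secret and ticket are constructed sample values.

```python
import base64, hashlib, hmac, re, socket, struct, time

def tkt_digest(secret: bytes, ip: str, ts: int, userid: str, tokens: str, user_data: str) -> str:
    # Default mod_auth_tkt scheme: MD5(MD5(ip + timestamp + secret + payload) + secret)
    data1 = socket.inet_aton(ip) + struct.pack("!I", ts)
    data2 = "\0".join((userid, tokens, user_data)).encode("utf-8")
    inner = hashlib.md5(data1 + secret + data2).hexdigest().encode("ascii")
    return hashlib.md5(inner + secret).hexdigest()

def create_ticket(secret, userid, tokens="", user_data="", ip="0.0.0.0", ts=None):
    # Issuer side: digest + 8-hex-digit timestamp + userid + "!" [+ tokens + "!"] + user_data
    ts = int(time.time()) if ts is None else ts
    head = "%s%08x%s!" % (tkt_digest(secret, ip, ts, userid, tokens, user_data), ts, userid)
    return head + (tokens + "!" if tokens else "") + user_data

def validate_ticket(secret, ticket, ip="0.0.0.0", timeout=3600, now=None):
    """Return the userid if the ticket is authentic and fresh, otherwise None."""
    if not re.fullmatch(r"[0-9a-f]{40}", ticket[:40]):
        return None  # malformed digest or timestamp field
    digest, ts, parts = ticket[:32], int(ticket[32:40], 16), ticket[40:].split("!")
    if len(parts) == 2:
        userid, tokens, user_data = parts[0], "", parts[1]
    elif len(parts) == 3:
        userid, tokens, user_data = parts
    else:
        return None
    # Recompute the digest with our copy of the secret; compare in constant time
    expected = tkt_digest(secret, ip, ts, userid, tokens, user_data)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    now = time.time() if now is None else now
    return userid if 0 <= now - ts <= timeout else None

def ticket_from_cookie(value: str) -> str:
    # Assumption: the cookie value is the base64-encoded ticket
    return base64.b64decode(value).decode("utf-8")

# Constructed sample values, not taken from any real site
SECRET = b"constructed-shared-secret"
ISSUED = 1300000000
TICKET = create_ticket(SECRET, "alice", tokens="Member", ts=ISSUED)
COOKIE = base64.b64encode(TICKET.encode()).decode()

if __name__ == "__main__":
    print(validate_ticket(SECRET, ticket_from_cookie(COOKIE), now=ISSUED + 60))
```

A ticket validates only when both sides hold the same secret and use the same digest scheme, which is why the shared secret and the mod_auth_tkt-compatible hash option both have to be set on the Plone side.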

It turns out that there is a conflict with pas.plugins.sqlalchemy. I studied PPS, and although it seems that there should not be a crossover, the site I tested had PPS. When I switched to a site without PPS, setting "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have gotten into the service role for pas.plugins.sqlalchemy, I think this is my problem :-)

Domo Arigato, Mr. Rowbot!

+1

Source: https://habr.com/ru/post/1342570/

