Aug 10, 2007 11:17 AM
External Authentication
Has anyone gotten external Kerberos authentication working with Zenoss? How are people doing it?
I've found:
http://www.zope.org/Members/mstrickl/KerberosUserFolder
but it just seems to kill Zenoss logins when added.
_______________________________________________
zenoss-dev mailing list
zenoss-dev@zenoss.org
http://lists.zenoss.org/mailman/listinfo/zenoss-dev
hi guys...
I'm trying to set up Apache authentication, but I'm having problems... First of all, I can't find apachepas for download.
Next, I tried WebServerAuth, written originally for the Plone CMS... But I don't know how to configure this module in Zope. I've entered the manage area of Zope in my browser (localhost:8080/manage), and under the zport section (I guess zport is the application under ZenOSS) added the WebServerAuth module and configured it as the extraction module, but authentication is still not working...
Apachepas is a Plone component that you can download from http://plone.org/products/apachepas
Once you unpack apachepas into the $ZENHOME/Products folder, you can follow the steps above to set up reverse-proxy based SSO. You should be able to complete the configuration. For example, you should be able to select "Apache PAS Plugin" as the auth helper.
Thank you very much! First mistake I was doing was putting apachepas into $ZENHOME/lib/python/Zope2/utilities/skel/Products/apachepas instead of $ZENHOME/Products. That's why I was unable to see the plugin under the dropdown menu.
Now, I've added it successfully but I still got problems with entering ZenOSS. First of all, here is my apache vhost configuration:
<VirtualHost *:80>
ServerName myserver.mycompany.com
RewriteEngine On
<Location "/">
Order allow,deny
Allow from all
AuthType CAS
Require valid-user
# Put the login name (stored below) into the HTTP_X_REMOTE_USER
# request header. This has to be in the <Location> block for
# some Apache auth modules, such as PubCookie, which don't set
# REMOTE_USER until very late.
RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>
# Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
# Linux AS Release 4) have default settings which prevent the header
# rewrites below from working. Fix that:
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Do the typical VirtualHostMonster rewrite, adding an E= option
# that puts the Apache-provided login name into the remoteUser
# variable.
RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>
Now, when I login through CAS in apache frontend, it redirects me to ZenOSS, but it can't display dashboard and instead I get this error on screen:
=== Server exception ===
The server reported the following error:
Unable to connect to the server.
The system has encountered an error. Please reload the page.
I can choose dismiss or retry. Retries return this error indefinitely. If I click on dismiss and try to click on dashboard, it returns me back to the ZenOSS logon screen. So I guess the user is parsed correctly from Apache, because I see the username (without '@domain') in the upper right corner of the ZenOSS screen. But the problem is I get the same screen no matter whether I created the user manually in ZenOSS or the user authenticated in Apache doesn't exist. The good thing is I cannot do anything with nonexistent Zenoss users; the bad thing is I cannot do anything with Zenoss accounts I created in Zenoss.
In the event.log, I found this (in the approx time of login):
==> event.log <==
------
2010-08-13T18:06:18 ERROR Zope.SiteErrorLog 1281715578.190.545370311641 http://infra.srce.hr:8080/zport/dmd/messaging_router
Traceback (innermost last):
Module ZPublisher.Publish, line 116, in publish
Module ZPublisher.BaseRequest, line 541, in traverse
AttributeError: has_key
Any ideas?
Delete the existing user and make sure to create user accounts using AD logon id in lowercase. This is to make sure that you could SSO logon using mixed case for your logon id.
Hope this helps.
Sorry; I had presumed you were working with Active Directory! Make sure that you create Zenoss user accounts (by logging into Zenoss using the admin account) EXACTLY the same as your enterprise SSO account names in *lowercase* -- to make sure that Zenoss can work with accounts in a case-insensitive manner.
Please make sure to create local account with appropriate roles BEFORE you let the users access through SSO
We have seen that the SSO accounts get incorrectly created -- if it were not already provisioned locally in Zenoss
But how can I know if the account is incorrectly created? I've tried deleting my account and creating it manually within Zenoss but it does not help. I tried with Zenoss 3.0.0, 3.0.1 and 2.5.1. No luck at all. Maybe I should try 2.4.x?
Can you please send me your working Apache configuration? Maybe that's where the problem lies...
We referred to the http://plone.org/documentation/kb/plone-with-apache link to set up our environment. Zenoss already contains VirtualHostMonster; you should see an entry for Virtual_Hosting in the manage page (http://zenoss_server:8080/manage).
Also, we used reverse-proxy setup with ProxyPass, ProxyPassReverse. I don't see your Apache VirtualHost configuration containing proxy settings.
Our configuration file has the following entries:
ProxyPass /zport/ http://localhost:8080/zport/
ProxyPassReverse /zport/ http://localhost:8080/zport/
Thank you that helped indeed! Now this is my working Apache configuration:
<VirtualHost *:80>
ServerName servername.domain
RewriteEngine On
<Location "/">
Order allow,deny
Allow from all
AuthType CAS
Require valid-user
</Location>
# Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
# Linux AS Release 4) have default settings which prevent the header
# rewrites below from working. Fix that:
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# use proxy
ProxyPass /zport/ http://localhost:8080/zport/
ProxyPassReverse /zport/ http://localhost:8080/zport/
# Put the login name (stored below) into the HTTP_X_REMOTE_USER
# request header. This has to be in the <Location> block for
# some Apache auth modules, such as PubCookie, which don't set
# REMOTE_USER until very late.
RequestHeader set X_REMOTE_USER %{remoteUser}e
# Do the typical VirtualHostMonster rewrite, adding an E= option
# that puts the Apache-provided login name into the remoteUser
# variable.
RewriteRule ^/(.*)$ http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>
Hope this configuration helps other guys searching for this too. Thank you once more! I would not have succeeded without your help! Appreciate it!
Next problem which is minor I suppose :) is - "sign out" button... Is there any howto on how to fix that button, because user stays logged in forever - as long as browser is up, no matter how many times I click sign out.
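The configuration above makes Zope trust whatever login name Apache puts in X_REMOTE_USER, and the earlier replies insist that the local Zenoss account already exist in lowercase. The following is an added illustration (not apachepas or Zenoss code; the function and user set are assumptions) of how an extraction step behind that proxy would honour the header only from the proxy host, fold the SSO name to the local account name, and refuse names that were never provisioned locally.

```python
# Added illustration, not apachepas or Zenoss code: turn the X_REMOTE_USER
# header set by the Apache front end into a local Zenoss login name.
# Zope exposes the header to the application as HTTP_X_REMOTE_USER.

# Only the local Apache reverse proxy may assert identities; anything that
# reaches port 8080 directly must not be able to forge the header.
TRUSTED_PROXIES = {"127.0.0.1"}


def extract_login(environ, known_users, trusted_proxies=TRUSTED_PROXIES):
    """Return the local Zenoss login for a request environ, or None.

    environ      -- CGI/WSGI style request environment (REMOTE_ADDR, HTTP_*)
    known_users  -- logins already created locally in Zenoss (lowercase)
    """
    # 1. Trust the header only when the request really came from the proxy.
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None

    raw = environ.get("HTTP_X_REMOTE_USER", "").strip()
    # mod_headers substitutes the literal "(null)" when the remoteUser
    # environment variable was never set, e.g. an unauthenticated request.
    if not raw or raw == "(null)":
        return None

    # 2. CAS/Kerberos principals may carry a realm ("user@DOMAIN"); the
    #    dashboard shows the name without it.  Fold case so that a mixed-case
    #    SSO login matches the lowercase local account the replies ask for.
    login = raw.split("@", 1)[0].lower()

    # 3. Following the thread's advice: the account must be provisioned
    #    locally first; unknown names stay unauthenticated rather than being
    #    auto-created with incorrect settings.
    if login not in known_users:
        return None
    return login


if __name__ == "__main__":
    # Constructed sample environment, as Zope would see it behind the proxy.
    sample = {"REMOTE_ADDR": "127.0.0.1",
              "HTTP_X_REMOTE_USER": "JDoe@EXAMPLE.COM"}
    print(extract_login(sample, {"jdoe", "admin"}))   # jdoe
```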
Good to know that it's working now!
Please refer to the "NOTE: Zenoss Logout option is hard-coded redirecting to /zport/dmd" section in the initial post to edit the logoutUser.py file to fix the logout button.
Copyright © 2005-2011 Zenoss, Inc.