Hello. I am trying to map an IP address to a specific user object using the Domain Auth Helper. https://docs.plone.org/4/en/old-reference-manuals/pluggable_authentication_service/plugins/plugin-types/authentication-plugins.html#domain-auth-helper
It looks like perhaps the Domain Auth Helper ‘User Map’ tab does not allow mapping IP to user object but rather maps roles to that user based on their IP at the time.
Does anyone know if there is a tool to map IP auth to an actual user object instead of just roles?
Thanks for your help!
I wasn't even aware Plone had this... and I can't find a repo URL or any code references to it. Where do you see the Domain Auth Helper and do you have any URLs for it? I guess you're trying to make it so that anyone coming from a specific IP address is automatically logged in? (seems unsafe to me)
Hello. The DomainAuthHelper is actually a part of the PluggableAuthService product @ https://github.com/zopefoundation/Products.PluggableAuthService/blob/master/Products/PluggableAuthService/plugins/DomainAuthHelper.py.
I have used it for some time now to allow IP authentication for static IPs that are managed by myself in the form of a whitelist. To accomplish that I use a Generic Map. There is also a User Map which I had thought was to actually authorize as the mapped user when coming from the IP, but after reading its implementation think that it is more of a tool to map different roles to users when they are coming form different networks associated by IP address.
I also emailed a contributor (Mr. van Rees) about the intended use, so he may verify that it is not meant to actually authorize as users but instead meant to manage roles when logged in as a user on different networks.
I was going to modify the product for my portal to use
newSecurityManager( request, <mapped-user>, but I am not sure if that will have negative implications elsewhere.
I am thinking that I will end up using
self.context.acl_users.session._setupSession(username, self.context.REQUEST.RESPONSE) as described here: https://docs.plone.org/develop/plone/sessions/login.html#using-username-only.
I do agree about the security question, but it is a direct requirement to have whole networks mapped to users. It allows an organization to get a catered experience for anyone who is on-premises to one of their campuses.
For anyone following this, I have decided to modify the DomainAuthHelper's authenticateCredentials method to match the user in the
_domain_map. So far it is working. I will keep everyone posted as I finalize it. Right now thinking to monkey patch if possible but not entirely sure if it is with decorators.
This is cool stuff... needs more docs.