I'm trying to use pas.plugins.headers v1.5.0 and Plone 5.2.10. Apache is configured to authenticate using Shibboleth and proxies to Plone. Using tcpdump, I've captured requests Apache is making to Plone and can see that Apache is correctly passing along the authenticated username in the header I specified (P_REMOTE_USER), but Plone is behaving as though I wasn't logged in.
In pas.plugins.headers configuration, I've tried setting "Header to user as user id" to variations of
Ian D via Plone Community wrote at 2024-3-18 21:59 +0000:
I'm trying to use pas.plugins.headers v1.5.0 and Plone 5.2.10. Apache is configured to authenticate using Shibboleth and proxies to Plone. Using tcpdump, I've captured requests Apache is making to Plone and can see that Apache is correctly passing along the authenticated username in the header I specified (P_REMOTE_USER), but Plone is behaving as though I wasn't logged in.
In pas.plugins.headers configuration, I've tried setting "Header to user as user id" to variations of
...to no avail. I'm not sure what I'm missing or how to debug the plugin to troubleshoot further. Has anyone else run into some version of my issue?
I do not know pas.plugins.headers; I cannot tell which header
names it expects. You might find information in its documentation
or its source code.
Zope knows about some headers, the so called "CGI headers".
"REMOTE_USER" and "REMOTE_IDENT" belong to those headers.
Other headers might have been modified, e.g. "-" might have been
replaced by "" and "HTTP" might have been prepended.
A string representation of the request tells in the environ part
which headers the application sees.
I use a "DTML Method" show_request with content <dtml-var "str(REQUEST)"> to analyse request details
(such as provided headers).
RequestHeader set MYUSERID %{shib_edupersonprincipalname}e "expr=env('shib_edupersonprincipalname') != ''"
RequestHeader set SHIBPERSONCNAME %{shib_cn}e
(repeat the line above above for every attribute you need to use in Plone)
or whatever you get the userid from
In the pas.plugins.headers properties:
Header to use as user id -> MYUSERID
Required headers -> MYUSERID
Create authentication ticket. Then headers need not be checked on all urls. -> checked