Using pas.plugins.headers with Apache

Hello,

I'm trying to use pas.plugins.headers v1.5.0 and Plone 5.2.10. Apache is configured to authenticate using Shibboleth and proxies to Plone. Using tcpdump, I've captured requests Apache is making to Plone and can see that Apache is correctly passing along the authenticated username in the header I specified (P_REMOTE_USER), but Plone is behaving as though I wasn't logged in.

In pas.plugins.headers configuration, I've tried setting "Header to use as user id" to variations of

P_REMOTE_USER
p_remote_user
HTTP_P_REMOTE_USER
http_p_remote_user

...to no avail. I'm not sure what I'm missing or how to debug the plugin to troubleshoot further. Has anyone else run into some version of my issue?

For what it's worth, this is part of a project to upgrade a working installation of Plone 4.2 using WebServerAuth.

Thank you!

Ian D via Plone Community wrote at 2024-3-18 21:59 +0000:

> I'm trying to use pas.plugins.headers v1.5.0 and Plone 5.2.10. Apache is configured to authenticate using Shibboleth and proxies to Plone. Using tcpdump, I've captured requests Apache is making to Plone and can see that Apache is correctly passing along the authenticated username in the header I specified (P_REMOTE_USER), but Plone is behaving as though I wasn't logged in.
>
> In pas.plugins.headers configuration, I've tried setting "Header to use as user id" to variations of
>
> P_REMOTE_USER
> p_remote_user
> HTTP_P_REMOTE_USER
> http_p_remote_user
>
> ...to no avail. I'm not sure what I'm missing or how to debug the plugin to troubleshoot further. Has anyone else run into some version of my issue?

I do not know pas.plugins.headers; I cannot tell which header
names it expects. You might find information in its documentation
or its source code.

Zope knows about some headers, the so-called "CGI headers".
"REMOTE_USER" and "REMOTE_IDENT" belong to those headers.
Other headers might have been modified, e.g. "-" might have been
replaced by "_" and "HTTP_" might have been prepended.

A string representation of the request tells in the environ part
which headers the application sees.
I use a "DTML Method" show_request with content
<dtml-var "str(REQUEST)"> to analyse request details
(such as provided headers).
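
Added example (not part of the thread, and not code from Zope or pas.plugins.headers): the renaming described in the reply above, applied to a constructed capture, to show which environ keys a configured header name can match. The sample request, the `lookup` rule and the `drop_underscore_names` switch are assumptions for illustration; the switch models a server that discards header names containing "_" (nginx does this by default), which the thread does not say about the setup discussed here.

```python
# Constructed sample request (values are made up), shaped like a tcpdump capture.
CAPTURED = (
    b"GET /Plone HTTP/1.1\r\n"
    b"Host: plone.example.org\r\n"
    b"Content-Type: text/plain\r\n"
    b"P_REMOTE_USER: jdoe\r\n"
    b"uid: jdoe\r\n"
    b"\r\n"
)

UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}  # passed without HTTP_ prefix


def environ_key(header_name):
    """Map a wire header name to the CGI/WSGI environ key the application sees."""
    key = header_name.strip().upper().replace("-", "_")
    return key if key in UNPREFIXED else "HTTP_" + key


def build_environ(raw, drop_underscore_names=False):
    """Build the header part of the environ from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    environ = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Assumption: the switch models a server that discards names with "_".
        if not sep or (drop_underscore_names and "_" in name):
            continue
        environ[environ_key(name)] = value.strip()
    return environ


def lookup(environ, configured_name):
    """Assumed lookup rule: normalise the name, try it as-is, then with HTTP_."""
    key = configured_name.upper().replace("-", "_")
    if key in environ:
        return environ[key]
    return environ.get(key if key.startswith("HTTP_") else "HTTP_" + key)


def report(raw, names, **options):
    """Return {configured name: value found or None} for each candidate name."""
    environ = build_environ(raw, **options)
    return {name: lookup(environ, name) for name in names}


if __name__ == "__main__":
    for drop in (False, True):
        print(drop, report(CAPTURED, ["P_REMOTE_USER", "uid"], drop_underscore_names=drop))
```

Comparing the two printed reports against the `environ` part of `str(REQUEST)` shows whether a header was renamed or never reached the application at all.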

Hi!
In Apache you have to add these lines:

RequestHeader set MYUSERID %{shib_edupersonprincipalname}e "expr=env('shib_edupersonprincipalname') != ''"
RequestHeader set SHIBPERSONCNAME %{shib_cn}e
(repeat the line above for every attribute you need to use in Plone)

or whatever you get the userid from

In the pas.plugins.headers properties:

Header to use as user id -> MYUSERID
Required headers -> MYUSERID
Create authentication ticket. Then headers need not be checked on all urls. -> checked

The plugin must be activated for all:

  • Authentication (authenticateCredentials)
  • Challenge (challenge)
  • Reset Credentials (resetCredentials)
  • Extraction (extractCredentials)
  • Properties (getPropertiesForUser)
  • Roles (getRolesForPrincipal)

For automatic group/roles based on Shibboleth attributes, you can use Products.AutoRoleFromHostHeader · PyPI (apply this small patch for Plone 6: Update interfaces.py (Plone 6.0 compatbility) by yurj · Pull Request #7 · RedTurtle/Products.AutoRoleFromHostHeader · GitHub)

Thank you everyone for the replies.

I finally tried passing the username from Apache to Plone as "uid", as in the pas.plugins.headers example, and that does work!