Metadata-Version: 1.1
Name: Products.AutoUserMakerPASPlugin
Version: 1.0
Summary: Automatically create PAS users when authenticating in Plone
Home-page: http://pypi.python.org/pypi/Products.AutoUserMakerPASPlugin/
Author: Tom Gross
Author-email: itconsense@gmail.com
License: GPL
Description: =============================
        AutoUserMakerPASPlugin Readme
        =============================
        
        
        .. image:: https://travis-ci.org/collective/Products.AutoUserMakerPASPlugin.png
               :target: https://travis-ci.org/collective/Products.AutoUserMakerPASPlugin
        
        Automatically generate members on login in Plone.
        
        Change history
        **************
        
        1.0 (2014-02-26)
        ================
        
        - Let PAS decide where to store user properties. Allows e.g. Membrane
          to store properties on the user object itself. [gweis]
        - Make update of a user's properties optional. [gweis]
        
        
        0.9 (2014-02-04)
        ================
        
        - Move the password generation function to be an instance method.
          This allows for the potential to override this function and perform
          actions using information drawn from the plugin, request etc.
          [davidjb]
        - Update a user's properties when they authenticate. This
          handles the situation where a user's details may change (such as name,
          email address, etc) upon next authentication.
          [davidjb]
        - Allow other PAS plugins to handle credentials by calling
          ``updateCredentials`` when authenticating. This allows for existing
          session or cookie plugins (implementing ``ICredentialsUpdatePlugin``)
          to take over handling a user's authentication.
          [davidjb]
        - Ensure tests pass on Plone 4.1+.
          [davidjb]
        
        
        0.8b1 (2010-11-04)
        ==================
        
        - Factored out setting of local roles to ShibbolethPermissions
        - Trigger UserLoggedInEvent
        - Added challenge-plugin
        
        0.8a1 (2010-04-06)
        ==================
        
        - authzMappings needs to be a persistent list all the time
          [tom_gross]

        - copied from old-style product 0.7
          [tom_gross]
        
        Detailed Documentation
        **********************
        
        Overview
        ========
        
        Accept Apache based authentication in Zope and create Plone users.
        
        *AutoUserMakerPASPlugin* is a PAS plugin developed from apachepas. Like
        apachepas, it lets Zope delegate authentication to Apache; in addition, it
        automatically creates a Plone user for each account that Apache lets through.
        Using *AutoUserMakerPASPlugin*, you can configure your Plone site so that any
        user known to your LDAP, Kerberos, Shibboleth, or Cosign (a.k.a. WebAccess)
        system, or indeed any other system which has an Apache authentication module,
        can transparently log in using their enterprise-wide credentials.
        
        If you want only a few select users to be able to log into your site, don't
        use Auto User Maker; stick to just apachepas, and create your few users
        manually. If, however, you want anyone with enterprise credentials to be
        able to authenticate, read on.
        
        
        Requirements
        ============
        
        * Zope and Plone. Tested with Zope 2.9.7 and Plone 2.5.3, and Zope 2.10.5 and
          Plone 3.0.6.
        
        * PluggableAuthService (included with Plone 2.5.x and maybe earlier).
        
        * I test this with Shibboleth, currently the 2.0 service provider.
        
        Installation
        ============
        
        1. Unzip the AutoUserMakerPASPlugin.zip file in $INSTANCE_HOME/Products.
        
        2. Restart Zope.
        
        3. Install the plugin:
        
            If you're using Plone...

                1. Go to your-plone-site -> site setup -> Add/Remove Products,
                   and install AutoUserMakerPASPlugin.

            If you're not using Plone...

                1. In the Zope Management Interface, navigate to your-plone-site ->
                   acl_users.

                2. Add an Auto User Maker to the folder.

                3. Navigate to your-plone-site -> acl_users -> plugins ->
                   Authentication Plugins.

                4. Go to the Activate tab of your newly created Auto User Maker
                   instance, and turn on Authentication and Extraction.
        
        4. Set up the required Apache directives. For example:
        
        ::

                # Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
                # Linux AS Release 4) have default settings which prevent the header
                # rewrites below from working. Fix that:
                <Proxy *>
                    Order deny,allow
                    Allow from all
                </Proxy>

                RewriteEngine On

                # Grab the remote user as environment variable.
                # (This RewriteRule doesn't actually rewrite anything URL-wise.)
                RewriteCond %{LA-U:REMOTE_USER} (.+)
                RewriteRule .* - [E=RU:%1]

                # Put the username into a request header:
                RequestHeader set X_REMOTE_USER %{RU}e

                # For Shibboleth SP 2.0, you must also set HTTP headers, if you want
                # account data populated.
                #RequestHeader set SHIB_PERSON_COMMONNAME %{displayName}e
                #RequestHeader set SHIB_INETORGPERSON_MAIL %{mail}e
                #RequestHeader set SHIB_ORGPERSON_LOCALITY %{l}e
                #RequestHeader set SHIB_ORGPERSON_STATE %{st}e
                #RequestHeader set SHIB_ORGPERSON_C %{c}e

                # Don't send shib stuff to plone
                RewriteCond %{REQUEST_URI} !^/(shibboleth-(sp|idp)|Shibboleth.sso|SAML)
                # Do the typical VirtualHostMonster rewrite (the VirtualHostBase path
                # is scheme/host:port, so "http/localhost:80", not "http//localhost:80"):
                RewriteRule ^/port_8080(.*) http://localhost:8080/VirtualHostBase/http/localhost:80/VirtualHostRoot/_vh_port_8080/$1 [L,P]
        
        I (Alan Brenner) used the following on a virtual interface on my Apache 2.2 and
        Shibboleth 1.3 development system:
        
        ::
        
                Listen 192.168.191.1:80
                <VirtualHost 192.168.191.1:80>
                    ServerName alan.ithaka.org
                    DocumentRoot /usr/local/apache-httpd-2.2.4/htdocs
                    ProxyRequests Off
                    ProxyPass /server-status !
                    ProxyPass /server-info !
                    ProxyPass /index.php !
                    ProxyPass /Shibboleth.sso !
                    ProxyPass /shibboleth-sp !
                    ProxyPass /shibboleth-idp !
                    ProxyPass /php !
                    ProxyPass / http://127.0.0.1:8253/VirtualHostBase/http/alan.ithaka.org:80/test/VirtualHostRoot/
        
                    LoadModule mod_shib /usr/local/shibboleth-sp-1.3/libexec/mod_shib_22.so
                    ShibSchemaDir /usr/local/shibboleth-sp-1.3/share/xml/shibboleth
                    ShibConfig /usr/local/shibboleth-sp-1.3/etc/shibboleth/shibboleth.xml
                    ShibURLScheme http
                    <Location /php>
                        AuthType shibboleth
                        ShibRedirectToSSL 443
                        # An index.php like:
                        #<html><head><title>shib test</title></head><body><?php phpinfo(); ?></body></html>
                        # is helpful to validate security, and see what values shib is setting.
                    </Location>
                </VirtualHost>
        
                <Location /shibboleth-idp/SSO>
                    AuthType Basic
                    AuthName Test
                    AuthUserFile /usr/local/apache-httpd-2.2.4/conf/users
                    require valid-user
                </Location>
        
                <IfModule !mod_jk.c>
                    LoadModule jk_module modules/mod_jk.so
                    JkShmFile /usr/local/apache-httpd-2.2.4/logs/jk-runtime-status
                    JkWorkersFile /usr/local/apache-tomcat-5.5.23/conf/jk/workers.properties
                    JkLogFile /var/log/httpd/mod_jk.log
                </IfModule>
                JkLogLevel emerg
                JkMount /shibboleth-idp/* ajp13
                JkMount /jsp-examples ajp13
                JkMount /jsp-examples/* ajp13
                JkMount /tomcat-docs ajp13
                JkMount /tomcat-docs/* ajp13
                JkMount /admin ajp13
                JkMount /admin/* ajp13
        
                Listen 443
                <VirtualHost 192.168.191.1:443>
                    DocumentRoot "/usr/local/apache-httpd-2.2.4/htdocs"
                    ServerName alan.ithaka.org
                    ServerAdmin alan.brenner@ithaka.org
                    ErrorLog /usr/local/apache-httpd-2.2.4/logs/error_log.443
                    TransferLog /usr/local/apache-httpd-2.2.4/logs/access_log.443
                    SSLEngine on
                    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
                    SSLCertificateFile /usr/local/shibboleth-sp-1.3/etc/shibboleth/idp.crt
                    SSLCertificateKeyFile /usr/local/shibboleth-sp-1.3/etc/shibboleth/idp.key
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Proxy *>
                        Order deny,allow
                        Allow from all
                    </Proxy>
                    RewriteEngine On
                    RewriteCond %{LA-U:REMOTE_USER} (.+)
                    RewriteRule .* - [E=RW_RU:%1]
                    RequestHeader set X_REMOTE_USER %{RW_RU}e
                    RewriteCond %{REQUEST_URI} !^/(shibboleth-(sp|idp)|Shibboleth.sso|SAML|WAYF|server-(status|info)|index.php|php)
                    RewriteRule ^/(.*) http://127.0.0.1:8253/VirtualHostBase/https/alan.ithaka.org:443/test/VirtualHostRoot/$1 [L,P]
                    <Location />
                        AuthType shibboleth
                        ShibRequireSession Off
                        require shibboleth
                    </Location>
                </VirtualHost>
        
                Listen 8443
                <VirtualHost 192.168.191.1:8443>
                    ErrorLog /usr/local/apache-httpd-2.2.4/logs/error_log.8443
                    TransferLog /usr/local/apache-httpd-2.2.4/logs/access_log.8443
                    SSLEngine on
                    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
                    SSLVerifyClient optional_no_ca
                    SSLVerifyDepth 10
                    SSLOptions +StdEnvVars +ExportCertData
                    SSLCertificateFile /usr/local/shibboleth-sp-1.3/etc/shibboleth/idp.crt
                    SSLCertificateKeyFile /usr/local/shibboleth-sp-1.3/etc/shibboleth/idp.key
                    ProxyRequests Off
                </VirtualHost>
        
        I use this for Apache 2.2 and Shibboleth 2.0 (and please see the page at
        https://spaces.internet2.edu/display/SHIB2/IdPSPLocalTestInstall for a more
        complete set of instructions on the Shibboleth side):
        
        ::
        
                Include /etc/shibboleth/apache22.config
        
                <VirtualHost *:80>
                    ServerName alan.ithaka.org
                    ServerAdmin alan.brenner@ithaka.org
                    DocumentRoot /Library/WebServer/Documents
                    ProxyRequests Off
                    ProxyPass /server-status !
                    ProxyPass /server-info !
                    ProxyPass /index.php !
                    ProxyPass / http://127.0.0.1:8253/VirtualHostBase/http/alan.ithaka.org:80/test/VirtualHostRoot/
                </VirtualHost>
        
                Listen 443
                <VirtualHost 172.16.209.1:443>
                    DocumentRoot "/Library/WebServer/Documents"
                    ServerName alan.ithaka.org:443
                    ServerAdmin alan.brenner@ithaka.org
                    ErrorLog "/var/log/apache2/error_log"
                    TransferLog "/var/log/apache2/access_log"
                    SSLEngine on
                    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
                    SSLCertificateFile "/etc/apache2/server.crt"
                    SSLCertificateKeyFile "/etc/apache2/server.key"
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Directory "/Library/WebServer/CGI-Executables">
                        SSLOptions +StdEnvVars
                    </Directory>
                    BrowserMatch ".*MSIE.*" \
                             nokeepalive ssl-unclean-shutdown \
                             downgrade-1.0 force-response-1.0
                    CustomLog "/var/log/apache2/ssl_request_log" \
                              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
                    <Proxy *>
                        Order deny,allow
                        Allow from all
                    </Proxy>
                    RewriteEngine On
                    RewriteCond %{LA-U:REMOTE_USER} (.+)
                    RewriteRule .* - [E=RW_RU:%1]
                    RequestHeader set X_REMOTE_USER %{RW_RU}e
                    RequestHeader set SHIB_PERSON_COMMONNAME %{displayName}e
                    RequestHeader set SHIB_INETORGPERSON_MAIL %{mail}e
                    RequestHeader set SHIB_ORGPERSON_LOCALITY %{l}e
                    RequestHeader set SHIB_ORGPERSON_STATE %{st}e
                    RequestHeader set SHIB_ORGPERSON_C %{c}e
                    RewriteCond %{REQUEST_URI} !^/(shibboleth-sp|server-(status|info)|index.php|secure)
                    RewriteRule ^/(.*) http://127.0.0.1:8253/VirtualHostBase/https/alan.ithaka.org:443/test/VirtualHostRoot/$1 [L,P]
                    <Location />
                        AuthType shibboleth
                        ShibRequireSession On
                        require shibboleth
                    </Location>
                </VirtualHost>
                
                <VirtualHost 172.16.60.1:443>
                    DocumentRoot "/Library/WebServer/Documents"
                    ServerName alanidp.ithaka.org:443
                    ServerAdmin alan.brenner@ithaka.org
                    ErrorLog "/var/log/apache2/error_idp_log"
                    TransferLog "/var/log/apache2/access_idp_log"
                    SSLEngine on
                    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
                    SSLCertificateFile "/etc/apache2/server_idp.crt"
                    SSLCertificateKeyFile "/etc/apache2/server_idp.key"
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Directory "/Library/WebServer/CGI-Executables">
                        SSLOptions +StdEnvVars
                    </Directory>
                    BrowserMatch ".*MSIE.*" \
                             nokeepalive ssl-unclean-shutdown \
                             downgrade-1.0 force-response-1.0
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Proxy *>
                        Order deny,allow
                        Allow from all
                    </Proxy>
                    ProxyPass /idp/ ajp://127.0.0.1:8009/idp/
                    <Location /idp/Authn/RemoteUser>
                        AuthType Basic
                        AuthName "IdPTest"
                        AuthUserfile /etc/apache2/pass
                        require valid-user
                    </Location>
                </VirtualHost>
        
        Notice that for Shibboleth 2, I've had to use a different host for the
        Identity Provider.
        
        Shibboleth Changes
        ------------------
        
        For Shibboleth 1.3, change the MemorySessionCache in the Service Provider's
        shibboleth.xml file to increase values to avoid sessions expiring in 30 minutes:
        
        ::

                <MemorySessionCache cleanupInterval="28800" cacheTimeout="60"
                   AATimeout="30" AAConnectTimeout="15" defaultLifetime="28800"
                   retryInterval="300" strictValidity="false" propagateErrors="false"/>
        
        Here, you increase the cleanupInterval and defaultLifetime values in seconds.
        
        For Shibboleth 2.0, change the LoginHandler entry in the Identity Provider's
        handler.xml to increase values to avoid sessions expiring in 30 minutes:
        
        ::

                <LoginHandler xsi:type="RemoteUser" authenticationDuration="480">
        
        Here, you add the authenticationDuration value in minutes.
        
        Configuration
        =============
        
        Usernames with domain names
        ---------------------------
        
        If your Apache setup includes a domain in the username, AutoUserMakerPASPlugin
        will, by default, strip it off. For example, if Apache sets X_REMOTE_USER to
        "fred@example.com", AutoUserMakerPASPlugin will shorten it to "fred". If you
        don't want AutoUserMakerPASPlugin to do this (for example, if you are using a
        cross-domain authorization system like Shibboleth where this could cause name
        collisions)...
        
        1. In the ZMI, click your *AutoUserMakerPASPlugin* instance in acl_users.
        
        2. Select the "Do not strip domain names from usernames" button.
        
        3. Click Save.
        
        The plugin can also be set up to strip names only from specific DNS domains:
        select the 'Strip domain names from all usernames in the domain(s) below'
        button, enter the domains in the input box below that button, and then click
        Save.
        
        Header Mapping
        --------------
        
        If you are using Shibboleth (http://shibboleth.internet2.edu/), additional data
        can be sent from Apache to Zope. Configure the values that the Shibboleth
        service provider is making available in the field for each input type, then
        click Save. This will allow AutoUserMakerPASPlugin to populate the basic Plone
        user attributes (full name, email, etc). Multiple environment variables can be
        searched for each attribute by listing them on individual lines. The first value
        found will be used.
        
        Assigning Plone Roles, Groups or an Existing User
        -------------------------------------------------
        
        AutoUserMakerPASPlugin can map incoming attributes to Plone roles, groups and
        already existing users.
        
        1. Add environment variables to check in the entry box near the bottom of the
           Options tab, and click save.
        
        2. Click the AuthZ tab, and in the Add Role Mapping section, enter regular
           expressions that should select incoming users. You don't need to fill in
           all of the Source fields, but at least one should be filled in. A blank
           field matches every value, so a mapping with no pattern at all applies to
           every new user, who is then assigned whatever the roles, user and group(s)
           columns specify.
        
        3. Either select roles, an existing user, or one or more groups to assign to
           users that match the given pattern(s).
        
        4. Click Save.
        
        Once a mapping exists, there will be an area to edit the existing mapping,
        including deleting it.
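        The username, header-mapping and AuthZ rules from the three configuration
        sections above, modelled as an added Python example (not the plugin's own
        code). The header names are those this README uses; SHIB_MAIL_PRIMARY, the
        rule set and the sample request are constructed, and re.search matching and
        case-insensitive domain comparison are assumptions of the model:

```python
import re
# Illustrative model, added here and not the plugin's own code, of the rules
# the README describes: the username arrives in X_REMOTE_USER, its domain is
# optionally stripped, properties come from the first header found, and
# regex mappings on the AuthZ tab grant roles and groups.

def strip_domain(user_id, mode="all", domains=()):
    """mode "all": strip any @domain (the default); "none": keep the full
    name; "listed": strip only the domains given (compared case-insensitively,
    an assumption of this model)."""
    if mode == "none" or "@" not in user_id:
        return user_id
    name, domain = user_id.rsplit("@", 1)
    listed = {d.lower() for d in domains}
    if mode == "all" or (mode == "listed" and domain.lower() in listed):
        return name
    return user_id

def map_properties(headers, mapping):
    """mapping: Plone property -> candidate header names (one per line in
    the ZMI form); the first header present with a value is used."""
    props = {}
    for prop, candidates in mapping.items():
        for name in candidates:
            if headers.get(name):
                props[prop] = headers[name]
                break
    return props

def match_authz(headers, rules):
    """rules: {"patterns": {source header: regex or ""}, "roles", "groups"}.
    A blank pattern matches every value, so a rule whose patterns are all
    blank applies to everyone; re.search semantics are an assumption."""
    roles, groups = set(), set()
    for rule in rules:
        matched = all(
            not pattern or re.search(pattern, headers.get(src, ""))
            for src, pattern in rule["patterns"].items()
        )
        if matched:
            roles.update(rule.get("roles", ()))
            groups.update(rule.get("groups", ()))
    return roles, groups

PROPERTY_MAP = {
    "fullname": ["SHIB_PERSON_COMMONNAME"],
    # SHIB_MAIL_PRIMARY is a constructed name, absent below, to show fallback.
    "email": ["SHIB_MAIL_PRIMARY", "SHIB_INETORGPERSON_MAIL"],
}
AUTHZ_RULES = [
    {"patterns": {"SHIB_ORGPERSON_C": ""}, "roles": ["Member"]},
    {"patterns": {"SHIB_ORGPERSON_C": r"^US$", "X_REMOTE_USER": r"@example\.com$"},
     "roles": ["Reviewer"], "groups": ["example-staff"]},
]

def process_login(headers, mode="all", domains=()):
    """Return (user id, properties, roles, groups) for one request, or None
    when Apache set no user. The plugin trusts these headers, so Zope must
    only be reachable through the Apache that sets them."""
    remote = headers.get("X_REMOTE_USER", "")
    if not remote:
        return None
    user_id = strip_domain(remote, mode, domains)
    props = map_properties(headers, PROPERTY_MAP)
    roles, groups = match_authz(headers, AUTHZ_RULES)
    return user_id, props, roles, groups

# Constructed sample of the request headers Apache would set.
SAMPLE = {
    "X_REMOTE_USER": "fred@example.com",
    "SHIB_PERSON_COMMONNAME": "Fred Example",
    "SHIB_INETORGPERSON_MAIL": "fred@example.com",
    "SHIB_ORGPERSON_C": "US",
}
```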
        
        Allowing Users to Share Content
        -------------------------------
        
        If *ShibbolethPermissions* is installed, adding items in the last two input
        fields in the configuration tab sets up the values users can use to share
        content with. Enter environment variable names of the same sort used for
        assigning roles or setting user properties in the left input box. Enter, in
        the right box, the labels that users will see for the variable on the same
        line in the left box, and click Save.
        
        Admitting only certain users
        ----------------------------
        
        If you want to admit only a subset of the users that Apache recognizes...
        
        1. In the ZMI, click your *ApacheAuthPluginHandler* instance.
        
        2. Click the Properties tab.
        
        3. Put "Member" in the required_roles field.
        
        4. Click Save Changes.
        
        5. Use the *Users and Groups Administration* page in Plone to create
           the users you want to admit.
        
        Users you have not added will still be able to satisfy Apache's login
        prompt but will not be recognized by Plone.
        
        
        Design Rationale (technical and only for the curious)
        =====================================================
        
        User Creation
        -------------
        
        We chose to actually create and store users in the PAS rather than just
        pretending they exist. If we had only pretended, then the users wouldn't
        show up when you go to 'your-plone-site/prefs_users_overview' and click
        "Show all". (Writing an 'IUserEnumerationPlugin' is impossible in our
        case, as the enterprise user store is none of Zope's concern; Apache is
        the only thing that talks to the user store.)
        
        Role Assignment
        ---------------
        
        There were two ways we could have gone about giving users the Member
        role (which is what Plone requires in order to treat them as first-class
        citizens): (1) an 'IRolesPlugin' which would simply pretend everyone has
        the Member role or (2) actually assigning each user the Member role and
        storing the assignment in the ZODB (or, more correctly, wherever an
        active 'IRoleAssignerPlugin' chooses to store it). We chose (2) so you
        can uninstall Auto Member Maker later and have your users keep working.
        If we had done (1), you would need to manually assign the Member role to
        each of your users if you ever stopped using Auto Member Maker.
        
        
        Testing
        =======
        
        To run the *AutoUserMakerPASPlugin* tests, use the standard Zope testrunner:
        
            $INSTANCE_HOME/bin/zopectl test -s Products.AutoUserMakerPASPlugin
        
        
        Credits
        =======
        
        apachepas
        ---------

        Originally developed by Rocky Burt (rocky AT serverzen.com) on behalf of
        `Zest Software <http://zestsoftware.nl>`_.

        Version 1.1 by Erik Rose of `WebLion <http://weblion.psu.edu/>`_.
        
        AutoMemberMakerPASPlugin
        ------------------------
        
        This product was developed by Erik Rose, of the WebLion group at Penn State
        University.
        
        AutoUserMakerPASPlugin
        ----------------------
        
        Alan Brenner, of Ithaka Harbors, Inc., under the direction of the Research in
        Information Technology program of the Andrew W. Mellon Foundation, combined
        apachepas and AutoMemberMaker, and added user, group and role mappings, and
        support for user level sharing. I've added tests as well. I'd like to thank Paul
        Yuergens of psych.ucla.edu, Li Cheng of pku.edu.cn and Yuri <yurj> of alfa.it
        for testing, and Alex Man of seas.ucla.edu for tracking down the Shibboleth 1.3
        session expiration cause.
        
        
        Contributors
        ************
        
        - Tom Gross, Author
        - David Beitey, Contributor
        
        
Keywords: plone authentication shibboleth pas security
Platform: UNKNOWN
Classifier: Framework :: Zope2
Classifier: Framework :: Plone
Classifier: Framework :: Plone :: 4.0
Classifier: Programming Language :: Python
