.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
    :alt: License: AGPL-3

=========================================
Allow users to be automatically logged in
=========================================

This module initializes the session by looking for the field HTTP_REMOTE_USER in
the headers of the HTTP request and trying to bind the given value to a user.
To be active, the module must be installed in the expected databases and loaded
at startup. Add the *--load* parameter to the startup command: ::

  --load=web,web_kanban,auth_from_http_remote_user, ...

If the field is found in the header and no user matches the given one, the
system issues a login error page (*401* `Unauthorized`).

Use case.
=========

The module allows integration with external security systems [#]_ that can pass
along authentication of a user via the Remote_User HTTP header field. In many
cases, this is achieved via a server like Apache HTTPD or nginx proxying Odoo.

.. important:: When proxying your Odoo server with Apache or nginx, it's
    important to filter out the Remote_User HTTP header field before your
    request is processed by the proxy to avoid security issues. In Apache you
    can do it by using the RequestHeader directive in your VirtualHost
    section ::

        <VirtualHost *:80>
            ServerName MY_VHOST.com
            ProxyRequests Off
            ...

            # Drop any Remote-User header sent by the client
            RequestHeader unset Remote-User early
            ProxyPass / http://127.0.0.1:8069/ retry=10
            ProxyPassReverse / http://127.0.0.1:8069/
            ProxyPreserveHost On
        </VirtualHost>

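
A second check on the Odoo side of the proxy, added here as an example and not part of this module: a WSGI wrapper that keeps ``HTTP_REMOTE_USER`` only when the connection comes from the proxy's address. ``RemoteUserGuard``, ``TRUSTED_PROXIES`` and ``seen_by_app`` are hypothetical names, and the loopback addresses assume the proxy and Odoo share a host, as in the ``ProxyPass`` line above.

```python
"""WSGI guard: accept Remote-User only from the reverse proxy (added example)."""
import ipaddress

# Assumption: the proxy reaches Odoo over loopback (ProxyPass http://127.0.0.1:8069/).
TRUSTED_PROXIES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)
IDENTITY_KEY = "HTTP_REMOTE_USER"  # name under which the module reads the header


def from_trusted_proxy(environ):
    """Return True when the TCP peer (REMOTE_ADDR) is one of the trusted proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed address: never trusted
    return any(peer in net for net in TRUSTED_PROXIES)


class RemoteUserGuard:
    """Hypothetical middleware: drops the identity header on direct connections."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if IDENTITY_KEY in environ and not from_trusted_proxy(environ):
            environ = dict(environ)  # do not mutate the server's own dict
            del environ[IDENTITY_KEY]
        return self.app(environ, start_response)


def seen_by_app(remote_addr, headers):
    """Pass a constructed request through the guard; return the identity the app sees."""
    seen = {}

    def app(environ, start_response):
        seen["user"] = environ.get(IDENTITY_KEY)
        start_response("200 OK", [])
        return [b""]

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(headers)
    RemoteUserGuard(app)(environ, lambda status, response_headers: None)
    return seen["user"]
```

Binding Odoo to the loopback interface gives the same guarantee at the network layer; the wrapper covers the case where the port is reachable from elsewhere.
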
How to test the module with Apache [#]_
=======================================

Apache can be used as a reverse proxy providing the authentication and adding
the required field in the HTTP headers.

Install Apache: ::

  $ sudo apt-get install apache2

Define a new vhost for Apache by putting a new file in
/etc/apache2/sites-available: ::

  $ sudo vi /etc/apache2/sites-available/MY_VHOST.com

with the following content: ::

  <VirtualHost *:80>
    ServerName MY_VHOST.com
    ProxyRequests Off
    <Location />
      AuthType Basic
      AuthName "Test Odoo auth_from_http_remote_user"
      AuthBasicProvider file
      AuthUserFile /etc/apache2/MY_VHOST.htpasswd
      Require valid-user

      # Copy the authenticated user name into the RU environment variable
      RewriteEngine On
      RewriteCond %{LA-U:REMOTE_USER} (.+)
      RewriteRule . - [E=RU:%1]
      # Set Remote-User from RU, only when RU is defined
      RequestHeader set Remote-User "%{RU}e" env=RU
    </Location>

    # Drop any Remote-User header sent by the client
    RequestHeader unset Remote-User early
    ProxyPass / http://127.0.0.1:8069/ retry=10
    ProxyPassReverse / http://127.0.0.1:8069/
    ProxyPreserveHost On
  </VirtualHost>

.. important:: The *RequestHeader* directive is used to add the *Remote-User*
    field in the HTTP headers. By default an *'Http-'* prefix is added to the
    field name.
    In Odoo, header field names are normalized. As a result of this
    normalization, the 'Http-Remote-User' is available as 'HTTP_REMOTE_USER'.
    If you don't know how your specified field is seen by Odoo, run your
    server in debug mode once the module is activated and look for an entry
    like: ::

        DEBUG openerp1 openerp.addons.auth_from_http_remote_user.controllers.
        session:
        Field 'HTTP_MY_REMOTE_USER' not found in http headers
        {'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', ...,
        'HTTP_REMOTE_USER': 'demo')

Enable the required Apache modules: ::

  $ sudo a2enmod headers
  $ sudo a2enmod proxy
  $ sudo a2enmod rewrite
  $ sudo a2enmod proxy_http

Enable your new vhost: ::

  $ sudo a2ensite MY_VHOST.com

Create the *htpasswd* file used by the configured basic authentication: ::

  $ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin
  $ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo

For a local test, add *MY_VHOST.com* to your /etc/vhosts file.

Finally, reload the configuration: ::

  $ sudo service apache2 reload

Open your browser and go to MY_VHOST.com. If everything is well configured, you
are prompted for a login and password outside Odoo and are automatically
logged in to the system.

.. [#] Shibboleth, Tivoli Access Manager, ..
.. [#] Based on an Ubuntu 12.04 environment

Bug Tracker
===========

Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcome feedback.

Credits
=======

Images
------

* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.

Contributors
------------

* Laurent Mignon <laurent.mignon@acsone.eu>

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.