Pedro M. Baeza
10 years ago
2 changed files with 125 additions and 124 deletions
@ -0,0 +1,125 @@ |
|||||
|
Allow users to be automatically logged in |
||||
|
========================================= |
||||
|
|
||||
|
This module initialize the session by looking for the field HTTP_REMOTE_USER in |
||||
|
the HEADER of the HTTP request and trying to bind the given value to a user. |
||||
|
To be active, the module must be installed in the expected databases and loaded |
||||
|
at startup; Add the *--load* parameter to the startup command: :: |
||||
|
|
||||
|
--load=web,web_kanban,auth_from_http_remote_user, ... |
||||
|
|
||||
|
If the field is found in the header and no user matches the given one, the |
||||
|
system issue a login error page. (*401* `Unauthorized`) |
||||
|
|
||||
|
Use case. |
||||
|
--------- |
||||
|
|
||||
|
The module allows integration with external security systems [#]_ that can pass |
||||
|
along authentication of a user via Remote_User HTTP header field. In many |
||||
|
cases, this is achieved via server like Apache HTTPD or nginx proxying Odoo. |
||||
|
|
||||
|
.. important:: When proxying your Odoo server with Apache or nginx, It's |
||||
|
important to filter out the Remote_User HTTP header field before your |
||||
|
request is processed by the proxy to avoid security issues. In apache you |
||||
|
can do it by using the RequestHeader directive in your VirtualHost |
||||
|
section :: |
||||
|
|
||||
|
<VirtualHost *:80> |
||||
|
ServerName MY_VHOST.com |
||||
|
ProxyRequests Off |
||||
|
... |
||||
|
|
||||
|
RequestHeader unset Remote-User early |
||||
|
ProxyPass / http://127.0.0.1:8069/ retry=10 |
||||
|
ProxyPassReverse / http://127.0.0.1:8069/ |
||||
|
ProxyPreserveHost On |
||||
|
</VirtualHost> |
||||
|
|
||||
|
|
||||
|
How to test the module with Apache [#]_ |
||||
|
---------------------------------------- |
||||
|
|
||||
|
Apache can be used as a reverse proxy providing the authentication and adding |
||||
|
the required field in the Http headers. |
||||
|
|
||||
|
Install apache: :: |
||||
|
|
||||
|
$ sudo apt-get install apache2 |
||||
|
|
||||
|
|
||||
|
Define a new vhost to Apache by putting a new file in |
||||
|
/etc/apache2/sites-available: :: |
||||
|
|
||||
|
$ sudo vi /etc/apache2/sites-available/MY_VHOST.com |
||||
|
|
||||
|
with the following content: :: |
||||
|
|
||||
|
<VirtualHost *:80> |
||||
|
ServerName MY_VHOST.com |
||||
|
ProxyRequests Off |
||||
|
<Location /> |
||||
|
AuthType Basic |
||||
|
AuthName "Test Odoo auth_from_http_remote_user" |
||||
|
AuthBasicProvider file |
||||
|
AuthUserFile /etc/apache2/MY_VHOST.htpasswd |
||||
|
Require valid-user |
||||
|
|
||||
|
RewriteEngine On |
||||
|
RewriteCond %{LA-U:REMOTE_USER} (.+) |
||||
|
RewriteRule . - [E=RU:%1] |
||||
|
RequestHeader set Remote-User "%{RU}e" env=RU |
||||
|
</Location> |
||||
|
|
||||
|
RequestHeader unset Remote-User early |
||||
|
ProxyPass / http://127.0.0.1:8069/ retry=10 |
||||
|
ProxyPassReverse / http://127.0.0.1:8069/ |
||||
|
ProxyPreserveHost On |
||||
|
</VirtualHost> |
||||
|
|
||||
|
.. important:: The *RequestHeader* directive is used to add the *Remote-User* |
||||
|
field in the http headers. By default an *'Http-'* prefix is added to the |
||||
|
field name. |
||||
|
In Odoo, header's fields name are normalized. As result of this |
||||
|
normalization, the 'Http-Remote-User' is available as 'HTTP_REMOTE_USER'. |
||||
|
If you don't know how your specified field is seen by Odoo, run your |
||||
|
server in debug mode once the module is activated and look for an entry |
||||
|
like: :: |
||||
|
|
||||
|
DEBUG openerp1 openerp.addons.auth_from_http_remote_user.controllers. |
||||
|
session: |
||||
|
Field 'HTTP_MY_REMOTE_USER' not found in http headers |
||||
|
{'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', ..., |
||||
|
'HTTP_REMOTE_USER': 'demo') |
||||
|
|
||||
|
Enable the required apache modules: :: |
||||
|
|
||||
|
$ sudo a2enmod headers |
||||
|
$ sudo a2enmod proxy |
||||
|
$ sudo a2enmod rewrite |
||||
|
$ sudo a2enmod proxy_http |
||||
|
|
||||
|
Enable your new vhost: :: |
||||
|
|
||||
|
$ sudo a2ensite MY_VHOST.com |
||||
|
|
||||
|
Create the *htpassword* file used by the configured basic authentication: :: |
||||
|
|
||||
|
$ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin |
||||
|
$ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo |
||||
|
|
||||
|
For local test, add the *MY_VHOST.com* in your /etc/vhosts file. |
||||
|
|
||||
|
Finally reload the configuration: :: |
||||
|
|
||||
|
$ sudo service apache2 reload |
||||
|
|
||||
|
Open your browser and go to MY_VHOST.com. If everything is well configured, you |
||||
|
are prompted for a login and password outside Odoo and are automatically |
||||
|
logged in the system. |
||||
|
|
||||
|
.. [#] Shibolleth, Tivoli access manager, .. |
||||
|
.. [#] Based on a ubuntu 12.04 env |
||||
|
|
||||
|
Contributors |
||||
|
------------ |
||||
|
* Laurent Mignon |
Write
Preview
Loading…
Cancel
Save
Reference in new issue