Author: Tom Gross


AutoUserMakerPASPlugin Readme


Automatically generate members on login in Plone.

Change history

1.0 (2014-02-26)

- Let PAS decide where to store user properties. Allows e.g. Membrane
  to store properties on the user object itself. [gweis]
- Make update of user's properties optional. [gweis]

0.9 (2014-02-04)

- Move the password generation function to be an instance method.
  This allows for the potential to override this function and perform
  actions using information drawn from the plugin, request etc.
- Update a user's properties when they authenticate. This
  handles the situation where a user's details may change (such as name,
  email address, etc) upon next authentication.
- Allow other PAS plugins to handle credentials by calling
  ``updateCredentials`` when authenticating. This allows for existing
  session or cookie plugins (implementing ``ICredentialsUpdatePlugin``)
  to take over handling a user's authentication.
- Ensure tests pass on Plone 4.1+.

0.8b1 (2010-11-04)

- Factored out setting of local roles to ShibbolethPermissions
- Trigger UserLoggedInEvent
- Added challenge-plugin

0.8a1 (2010-04-06)

- authzMappings needs to be a persistent list all the time
- copied from old-style product 0.7

Detailed Documentation


Accept Apache based authentication in Zope and create Plone users.

*AutoUserMakerPasPlugin* is a PAS plugin developed from apachepas, which allows
Zope to delegate authentication concerns to Apache, and that automatically
creates users as Apache lets them through. Using *AutoUserMakerPasPlugin*, you
can configure your Plone site so any user known to your LDAP, Kerberos,
Shibboleth, or Cosign (a.k.a. WebAccess) system--or indeed any other system
which has an Apache authentication module--can transparently log in using his
enterprise-wide credentials.

If you want only a few select users to be able to log into your site, don't
use Auto User Maker; stick to just apachepas, and create your few users
manually. If, however, you want anyone with enterprise credentials to be
able to authenticate, read on.
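
Delegating authentication this way means Zope accepts whatever user name the front end hands over, so the front end must be the only party able to supply it. The sketch below is an added example, not code from AutoUserMakerPASPlugin; the header name ``X-Remote-User``, the proxy address and the function names are assumptions made for illustration.

```python
# Added example (not AutoUserMakerPASPlugin code). The header name and the
# proxy address are assumptions chosen for illustration.
IDENTITY_HEADER = "X-Remote-User"   # hypothetical header name
TRUSTED_PROXIES = {"127.0.0.1"}     # assumption: Apache runs on the same host


def environ_key(header_name):
    """CGI/WSGI-style key for a header: hyphens and underscores collide."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_forward(client_headers, authenticated_user):
    """Headers the front end should pass on to the back end.

    Every client-supplied spelling of the identity header is dropped, then
    the header is set only from the front end's own authentication result.
    """
    target = environ_key(IDENTITY_HEADER)
    forwarded = {name: value for name, value in client_headers.items()
                 if environ_key(name) != target}
    if authenticated_user:
        forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


def backend_identity(peer_address, headers):
    """User id the back end may trust, or None.

    The header is honoured only when the connection comes from the proxy.
    """
    if peer_address not in TRUSTED_PROXIES:
        return None
    target = environ_key(IDENTITY_HEADER)
    values = [v for name, v in headers.items() if environ_key(name) == target]
    # Exactly one non-empty value is acceptable; anything else is ambiguous.
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()


# Constructed sample request carrying a client-supplied identity header.
CLIENT_SUPPLIED = {"Host": "plone.example.org", "X_Remote_User": "admin"}

if __name__ == "__main__":
    print(proxy_forward(CLIENT_SUPPLIED, None))    # identity header removed
    print(proxy_forward(CLIENT_SUPPLIED, "jdoe"))  # replaced by the real user
    print(backend_identity("203.0.113.9", {"X-Remote-User": "admin"}))
```

The underscore spelling in the sample matters because CGI-style environments map ``X-Remote-User`` and ``X_Remote_User`` to the same key, so both have to be stripped.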


* Zope and Plone. Tested with Zope 2.9.7 and Plone 2.5.3, and Zope 2.10.5 and
  Plone 3.0.6.

* PluggableAuthService (included with Plone 2.5.x and maybe earlier).

* I test this with Shibboleth, currently 2.0 service provider.


1. Unzip the file in $INSTANCE_HOME/Products.

2. Restart Zope.

3. Install the plugin:

    If you're using Plone...

        1. Go to your-plone-site -> site setup -> Add/Remove Products,
           and install AutoUserMakerPASPlugin.

    If you're not using Plone...

        1. In the Zope Management Interface, navigate to your-plone-site ->

        2. Add an Auto User Maker to the folder.

        3. Navigate to your-plone-site -> acl_users -> plugins ->
           Authentication Plugins.

        4. Go to the Activate tab of your newly created Auto User Maker instance,
           and turn on Authentication and Extraction.

4. Set up the required Apache directives. For example::


        # Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
        # Linux AS Release 4) have default settings which prevent the header
        # rewrites below from working. Fix that:
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        RewriteEngine On

        # Grab the remote user as environment variable.
        # (This RewriteRule doesn't actually rewrite anything URL-wise.)
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1]

        # Put the userna