Getting off the ground with Zotonic authentication


Luke Burton

Jul 13, 2011, 9:03:47 PM7/13/11
to zotoni...@googlegroups.com
Hi there,

So I'm quite interested in using Zotonic as a CMS at my company. We have a bunch of internal Rails sites and, well, I probably don't need to tell you what those look like on the inside :)

The thing that is attracting me is that it's a nicely maturing CMS, but also very extensible. Right now when a new "project" gets spun up we inevitably fire up another Rails instance because the last spaghetti mess of Rails stuff or PHP stuff couldn't be used as a starting platform. I envisage using Zotonic as a stable platform on which core CMS stuff can live, with new modules serving our custom project specific needs. Like adding another potted plant to a carefully curated garden rather than just setting fire to a jungle and starting from scratch over and over :)

Anyway, that is preamble to my first Zotonic hurdle. At our company we have an authentication server driven off a central LDAP directory. If you are spinning up a new Rails app, you might go into LDAP and create a new group my...@group.foobar.com. You add members to that group. You then configure your Rails app to say "I only accept requests that have a cookie from the authentication server". When someone hits your site without a cookie, you redirect them to the authentication server, where they punch their credentials in. They then get bounced back to the original page. Your Rails app then uses that cookie to ask the authentication server whether "Jane Doe" is a member of "my...@group.foobar.com".

So I need to:

1. have all page requests served by Zotonic require the presence of a valid HTTP cookie (which has an expiration date)
2. have invalid or missing cookies trigger a redirect to another site.
3. be able to have a per-page routine that compares the page's ACL to what LDAP groups the user is member of (via HTTP request against the authentication server from the zotonic process itself)

I'm struggling a bit to figure out whether this is achievable using modules, or whether I'll need to interpose routines in src/support/z_*.erl. It's not clear to me whether a module can override something as fundamental as all page loads. It *seems* like what I want to do is implement "acl_is_allowed" in a module, make its priority high, and always deny the request if there isn't an appropriate cookie (which I will somehow get from some session object?) Then somehow orchestrate a redirect.

Ultimately I want to shanghai the entire idea of "users" in Zotonic and replace them with "users" of our LDAP server, but I'll settle for just getting the basic auth stuff running first.

I'll continue to investigate, but would appreciate some pointers if people have time to share. Kudos on the product to everyone who has been contributing to it. This feels very different to Rails in a good way :)

Regards,

Luke.

Andreas Stenius

Jul 27, 2011, 9:46:37 AM7/27/11
to zotoni...@googlegroups.com
Hi Luke,

I've not spent more time on this than reading your message, but since
you've not got a single answer yet, I'll just toss in my initial idea.

To get some all-encompassing functionality easily, it would perhaps
work to add some code to the base.tpl file (which should be used for
all pages).
For instance, if you have mod_ldap_auth provide a check_cookie scomp
you may add a {% check_cookie %} to base.tpl, possibly with some
suitable arguments too...

Beware however that this will not check services, or resources not
using base.tpl...

This is not the best-practices approach, for sure, but perhaps a
viable first step (I'd have to do some research for that).

//Andreas

2011/7/14 Luke Burton <luke....@gmail.com>:
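What the cookie check behind Luke's three requirements, and the check_cookie scomp Andreas describes, could look like, as an added Erlang example that is not from this thread and not Zotonic's own code. The cookie format, the cookie name, the config key and the auth-server URL are assumptions, and the Zotonic calls at the bottom are assumed 0.x APIs.

```erlang
%% Added example, not from the thread. Cookie format, names and the
%% auth-server URL are assumptions; crypto:mac/4 needs OTP 22 or later.
-module(mod_ldap_auth).
-export([check_cookie/3, decision/4, observe_acl_is_allowed/2]).

%% Assumed cookie value minted by the auth server:
%%   <user>|<expiry as unix seconds>|<hex HMAC-SHA256 over "user|expiry">
%% Returns {ok, User} or {error, missing | malformed | bad_signature | expired}.
check_cookie(undefined, _Now, _Secret) -> {error, missing};
check_cookie(Cookie, Now, Secret) when is_list(Cookie) ->
    check_cookie(list_to_binary(Cookie), Now, Secret);
check_cookie(Cookie, Now, Secret) ->
    case binary:split(Cookie, <<"|">>, [global]) of
        [User, ExpBin, Mac] ->
            Signed = <<User/binary, "|", ExpBin/binary>>,
            Expected = hex(crypto:mac(hmac, sha256, Secret, Signed)),
            case constant_time_eq(Expected, Mac) of
                false -> {error, bad_signature};
                true  -> check_expiry(ExpBin, Now, User)
            end;
        _ -> {error, malformed}
    end.

%% Signature is verified before this runs, so ExpBin is the value the
%% auth server signed; it still has to be an integer in the future.
check_expiry(ExpBin, Now, User) ->
    case string:to_integer(binary_to_list(ExpBin)) of
        {Exp, []} when Exp > Now -> {ok, User};
        {Exp, []} when is_integer(Exp) -> {error, expired};
        _ -> {error, malformed}
    end.

%% Per-request outcome (requirements 1 and 2): a valid cookie goes on to the
%% per-page ACL check, anything else bounces to the auth server (assumed URL),
%% which sends the user back to ReturnUrl afterwards (URL-encode it first).
decision(Cookie, Now, Secret, ReturnUrl) ->
    case check_cookie(Cookie, Now, Secret) of
        {ok, User} -> {allow, User};
        {error, Reason} ->
            {redirect, Reason,
             <<"https://auth.example.com/login?return=", ReturnUrl/binary>>}
    end.

%% Assumed Zotonic 0.x observer: acl_is_allowed can only allow or deny, so
%% it denies on a bad cookie and defers (undefined) to the normal ACL modules
%% on a good one; the redirect belongs in a controller or the scomp instead.
observe_acl_is_allowed(_AclEvent, Context) ->
    Secret = m_config:get_value(mod_ldap_auth, cookie_secret, Context),
    Cookie = z_context:get_cookie("ldap_auth", Context),
    case check_cookie(Cookie, erlang:system_time(second), Secret) of
        {ok, _User} -> undefined;
        {error, _}  -> false
    end.

hex(Bin) ->
    list_to_binary([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bin]).

%% Compare MACs without stopping at the first differing byte.
constant_time_eq(A, B) when byte_size(A) =/= byte_size(B) -> false;
constant_time_eq(A, B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0.
```

Requirement 3 (comparing a page's ACL to the user's LDAP groups) would sit after {ok, User} and call the auth server from the Zotonic process, which this example does not do.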
