Products.WebServerAuth (1.6)

WebServerAuth allows Plone to delegate authentication concerns to a web server like Apache or IIS. Using WebServerAuth, Plone can be configured so any user known to your LDAP, Kerberos, Shibboleth, or Pubcookie system—or any other system for which your web server has an authentication module— can transparently log in using enterprise-wide credentials.

WebServerAuth obsoletes and improves upon apachepas and AutoMemberMakerPasPlugin, which come significantly and entirely, respectively, from the same author.

Improvements over apachepas and AutoMemberMakerPasPlugin:

• When an anonymous user tries to access something unpermitted, we redirect him to the HTTPS side, which triggers a proper login prompt. There are no more nonworking login forms popping up as in the old products.
• No longer does every user who has ever logged in clutter up your Users and Groups control panel.
• Grants all logged-in users the Authenticated role rather than the Member role, allowing site admins to treat the two separately. (Plone now supports this properly.) This means someone who authenticates to your web server doesn't necessarily get any privileges in your Plone site, making it safe to authenticate everyone; previously, when everyone got the Member role, certain default Plone workflows would grant them some capabilities.
• Twiddles Plone's login link as necessary, reducing the need for manual configuration
• Jettisons a lot of legacy code and requirements
• Increases test coverage and does away with doctests
• Is unapologetically a Plone product: gone are the architectural compromises needed to support plain Zope use. This is why we can have one product instead of two.