Well, if the user needs to login (to ldap backend) first to clear authentication to the rewriting proxy, I would suggest to:
- create a new siteaccess to be used for browsing internal-from-outside
- lock it via apache rules so that it cannot be accessed from internal net but only from the IP of the proxy
- do not activate ldap login on this siteaccess, as ldap is checked by the proxy, but rather - create a custom SSO handler in eZ Publish, that checks if the proxy has set some appropriate credentials for the user. This can be done generally by having the proxy set some cookie into the browser session or other stuff
You are correct about your assumption: if you just activate ldap logon, user will be asked to login twice.
Principal Consultant International Business
Member of the Community Project Board
