<div>Thanks Chris,</div>
<div> </div>
<div>But the REMOTE_USER environment variable is only available in CGI mode. It's okay for zope3, but not working for zope3.</div>
<div> </div>
<div>I know there is a way to do similar things: use apache 2.0.x and mod_auth_sspi and pass the information using either an HTTP header or part of the URL. But it's not a very nice solution. That's why I started to look for an alternative solution. But it seems impossible to implement in zope3 using an auth plugin.
</div>
<div> </div>
<div>Maybe it's time to stop thinking about this. :(</div>
<div> </div>
<div>Simon<br> </div>
<div><span class="gmail_quote">On 9/14/06, <b class="gmail_sendername">Chris McDonough</b> &lt;<a href="mailto:chrism@plope.com">chrism@plope.com</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">The right thing to do here is probably to just use something like<br><a href="http://modntlm.sourceforge.net/">
http://modntlm.sourceforge.net/</a> and trust the REMOTE_USER environment<br>variable passed by Apache... let somebody else worry about<br>maintaining it. ;-) One strategy for doing this is described at<br><a href="http://plone.org/documentation/how-to/singlesignonwindowsdomains/">
http://plone.org/documentation/how-to/singlesignonwindowsdomains/</a><br>#step1 .<br><br>On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:<br><br>> Gary Poster wrote:<br>>> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
<br>>>> Simon Hang wrote:<br>>>>> Hi,<br>>>>> I'm thinking of writing an NTLM credential plugin for zope3. But<br>>>>> as I know, ntlm uses a 4-way handshake procedure, that means it
<br>>>>> needs two round-trips between server(zope3) and client(browser).<br>>>>> When I look in the credential plugins, it has a challenge method.<br>>>>> But it seems it is only designed for a 1 round-trip protocol. It can
<br>>>>> issue one challenge, and return to parent script.<br>>>><br>>>> I don't see how the PAU only allows one "round-trip".<br>>> AIUI (I just looked up NTLM last night out of curiosity: see
<br>>> <a href="http://www.innovation.ch/personal/ronald/ntlm.html">http://www.innovation.ch/personal/ronald/ntlm.html</a>), the problem<br>>> is that the 4 way handshake has to happen *within a single<br>>> connection*.
<br>><br>> Ack. Ok, I didn't know that. Frankly, I personally don't care much<br>> about NTLM anyways...<br>><br>>> Apparently MS abuses HTTP to perform this. Implementing it in<br>>> pluggable auth made me scratch my head a bit, so I didn't reply.
<br>>> You would need to slurp the request, then push back to the<br>>> response, then slurp the same request again, then push back to the<br>>> response, then slurp one more time, and finally reply with the
<br>>> real request. Describing the problem to Benji, he mentioned WSGI--<br>>> that does seem like the only way I can imagine this working, and<br>>> that would be tricky enough, especially if you needed to reach
<br>>> into Zope for the managed credentials. Once the WSGI plugin did<br>>> its magic, it would need to put something in the WSGI request that<br>>> a pluggable auth plugin was willing to accept as authentication.
<br>>> On the bright side, if you did this with WSGI you might be able to<br>>> offer this as a generic Python WSGI NTLM tool that required only<br>>> minimal integration with the back end app server.<br>
><br>> Yes, WSGI definitely sounds like a good place to put this then.<br>> Perhaps the WSGI middleware could "fake" a client that uses a more<br>> standard authentication system (e.g. Basic Auth) to the WSGI
<br>> application, that way it'd be transparent to the WSGI application.<br>> Not sure if that's possible with NTLM, though.<br>><br>> _______________________________________________<br>> Zope3-users mailing list
<br>> <a href="mailto:Zope3-users@zope.org">Zope3-users@zope.org</a><br>> <a href="http://mail.zope.org/mailman/listinfo/zope3-users">http://mail.zope.org/mailman/listinfo/zope3-users</a><br>><br></blockquote>
</div><br>
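<div>An added example, not part of the original messages or of Zope's code: the thread mentions having Apache authenticate the user and pass the name to the application in an HTTP header, and doing the integration as WSGI middleware. The middleware below accepts such a header only when the request comes from the proxy's address and always removes it before the application runs, so a client-supplied copy is never trusted. The header name X-Remote-User, the trusted address 127.0.0.1 and the sample user names are assumptions.</div>

```python
import ipaddress


class TrustedProxyRemoteUser:
    """Set REMOTE_USER from a header added by an authenticating front-end proxy."""

    def __init__(self, app, trusted_proxies=("127.0.0.1",), header="X-Remote-User"):
        self.app = app
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        # WSGI exposes request headers as HTTP_<NAME>, with "-" mapped to "_".
        self.key = "HTTP_" + header.upper().replace("-", "_")

    def _from_trusted_proxy(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    @staticmethod
    def _clean(value):
        # Reject empty, oversized or control-character values.
        value = value.strip()
        if not value or len(value) > 256:
            return None
        if any(ord(c) < 32 or ord(c) == 127 for c in value):
            return None
        return value

    def __call__(self, environ, start_response):
        # Always pop the header: the application must never see a raw copy.
        claimed = environ.pop(self.key, None)
        if claimed is not None and self._from_trusted_proxy(environ):
            user = self._clean(claimed)
            if user:
                environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def seen_user(remote_addr, header_value):
    """Run one constructed request; return (REMOTE_USER, raw header) as the app saw them."""
    seen = {}

    def app(environ, start_response):
        seen["result"] = (environ.get("REMOTE_USER"), environ.get("HTTP_X_REMOTE_USER"))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ["HTTP_X_REMOTE_USER"] = header_value
    TrustedProxyRemoteUser(app)(environ, lambda status, headers: None)
    return seen["result"]
```

<div>The proxy itself must also overwrite or drop any X-Remote-User header sent by the browser before adding its own, and the application port should not be reachable except through the proxy.</div>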