[Zope] LoginManager and SSL client authentication

Mayers, Philip J p.mayers@ic.ac.uk
Fri, 15 Dec 2000 11:42:23 -0000


All,

LoginManager is now working well...

We've got a bespoke application for storing our (very large) user account
database here. One field a user can have is a crypted unix password (which
I'm currently using to authenticate users). The other thing that can exist
is the Subject or SubjectAltName of an SSL certificate suitable for client
web authentication.

I'd like some users (who are *not* technically strong) to have access to the
web frontend without having to type a password - they have had a visit from
a member of staff to install a client certificate, and just "point and go".
How would I go about making LoginManager authenticate them on the basis of
the certificate subject?

Apache will validate the certificate for me (by passing a valid CA cert to
its configuration) and I'm running over PCGI, so by the time we get into
Zope, we can "TRUST" the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN values passed
in. What's the next step?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+
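
The lookup asked about above, as an added example that is not part of the original post and is not LoginManager's API. The function name, the account table and the issuer DN are assumptions made for illustration; SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN are the variables mod_ssl exports.

```python
# Added example: map mod_ssl's client-certificate variables to an account.
# TRUSTED_ISSUER, ACCOUNTS and lookup_user_by_cert are hypothetical names.

# Constructed issuer DN of the one CA allowed to vouch for passwordless users.
TRUSTED_ISSUER = "/C=GB/O=Example College/CN=Example Client CA"

# Constructed stand-in for the account database: full subject DN -> username.
# Store the DN in exactly the string format the web server emits.
ACCOUNTS = {
    "/C=GB/O=Example College/OU=Staff/CN=Alice Example": "alice",
}

# Constructed CGI environment as it would arrive after a verified handshake.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=GB/O=Example College/OU=Staff/CN=Alice Example",
    "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
}


def lookup_user_by_cert(environ, accounts=ACCOUNTS, issuer=TRUSTED_ISSUER):
    """Return the username bound to a verified client certificate, else None.

    None means "no certificate login"; the caller falls back to the
    password check.
    """
    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason. Only SUCCESS
    # means the chain validated against the configured CA certificate.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None

    # Read only the server-set names. Request headers reach CGI as HTTP_*,
    # so a header called SSL_CLIENT_S_DN must never be consulted here.
    subject = environ.get("SSL_CLIENT_S_DN")
    if not subject:
        return None

    # Pin the issuer as well as the subject, so a certificate from any other
    # CA the server happens to trust cannot claim the same subject name.
    if environ.get("SSL_CLIENT_I_DN") != issuer:
        return None

    # Exact match on the whole DN. Matching on CN alone or by substring
    # would let a similarly named certificate map to the wrong account.
    return accounts.get(subject)
```
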