[Zope3-Users] Re: NTLM credential plugin

Simon Hang hangzhiyun at gmail.com
Thu Sep 14 01:50:02 EDT 2006

Thanks Chris,

But the REMOTE_USER environment variable is only available in CGI mode. It's
okay for zope3, but not working for zope3.

I know there is a way to do similar things: use apache 2.0.x and
mod_auth_sspi and pass the information either in an HTTP header or as part of the URL.
But it's not a very nice solution. That's why I started to look for an
alternative solution. But it seems impossible to implement in zope3 use

Maybe it's time to stop thinking about this. :(


On 9/14/06, Chris McDonough <chrism at plope.com> wrote:
> The right thing to do here is probably to just use something like
> http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment
> variable passed by Apache... let somebody else worry about
> maintaining it. ;-)  One strategy for doing this is described at
> http://plone.org/documentation/how-to/singlesignonwindowsdomains/
> #step1 .
> On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:
> > Gary Poster wrote:
> >> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
> >>> Simon Hang wrote:
> >>>> Hi,
> >>>>  I'm thinking of writing an NTLM credential plugin for zope3. But
> >>>> as I know, NTLM uses a 4-way handshake procedure, which means it
> >>>> needs two round-trips between server (zope3) and client (browser).
> >>>>  When I look in the credential plugins, it has a challenge method.
> >>>> But it seems it is only designed for a 1 round-trip protocol. It can
> >>>> issue one challenge, and return to the parent script.
> >>>
> >>> I don't see how the PAU only allows one "round-trip".
> >> AIUI (I just looked up NTLM last night out of curiosity: see
> >> http://www.innovation.ch/personal/ronald/ntlm.html), the problem
> >> is that the 4 way handshake has to happen *within a single
> >> connection*.
> >
> > Ack. Ok, I didn't know that. Frankly, I personally don't care much
> > about NTLM anyways...
> >
> >> Apparently MS abuses HTTP to perform this.  Implementing it in
> >> pluggable auth made me scratch my head a bit, so I didn't reply.
> >> You would need to slurp the request, then push back to the
> >> response, then slurp the same request again, then push back to the
> >> response, then slurp one more time, and finally reply with the
> >> real request.  Describing the problem to Benji, he mentioned WSGI--
> >> that does seem like the only way I can imagine this working, and
> >> that would be tricky enough, especially if you needed to reach
> >> into Zope for the managed credentials.  Once the WSGI plugin did
> >> its magic, it would need to put something in the WSGI request that
> >> a pluggable auth plugin was willing to accept as authentication.
> >> On the bright side, if you did this with WSGI you might be able to
> >> offer this as a generic Python WSGI NTLM tool that required only
> >> minimal integration with the back end app server.
> >
> > Yes, WSGI definitely sounds like a good place to put this then.
> > Perhaps the WSGI middleware could "fake" a client that uses a more
> > standard authentication system (e.g. Basic Auth) to the WSGI
> > application, that way it'd be transparent to the WSGI application.
> > Not sure if that's possible with NTLM, though.
> >
> > _______________________________________________
> > Zope3-users mailing list
> > Zope3-users at zope.org
> > http://mail.zope.org/mailman/listinfo/zope3-users
> >