From: J Cameron Cooper [mailto:jccooper@jcameroncooper.com] Subject: Re: [Zope] Help on identification
Tiller, Michael (M.M.) wrote:
I'm trying to set up a Zope server on our corporate intRAnet set. We have a formal system of authenticating users. It is centralized. I don't want to go into too much detail, but suffice it to say that I can invoke a program and it will tell me whether the person requesting my page has a valid certificate and, if so, who the person is.
What is the best scheme for integrating such a program into the Zope authentication and identification process? Key things are:
1) The user does not provide a password, only the validity of the certificate is checked.
This detail I cannot really advise on. You're trying to get a certificate? If it comes in REQUEST it's easy to get.
It comes in REQUEST. There is no issue here, I just added this as information. The important point is that no password is required from the user.
2) How do I invoke an external program from Zope?!?
Any filesystem-based code can do it, using the usual Python calls. (This means External Methods and Products.)
Great. I just wanted to confirm that. Unfortunately, I don't have easy access to the file system (although I'm not completely blocked) so I wanted to know if there was a way around this. In a sense, it is reassuring that there isn't. :-)
3) Are there any "out-of-the-box" user folders that can handle this? I couldn't find any. If not, what is the best open-ended product and what would I need to do?
SimpleUserFolder
I looked into this, but it wants to feed back into the user source. It wants to be able to create new users and edit the roles and password of an existing user. I'm not in a position to provide any of this.
ExtensibleUserFolder
exUserFolder says that the one method that is mandatory is "listOneUser" which has to return the username, password and a list of roles for the user. In our system, I already know the identity of the person. I don't need to authenticate them.
PluggableUserFolder
This folder is quite generic. Based on my reading of the "INTERNALS.txt" file, I would need to provide my own identification method (which would fit pretty simply into this), the authentication would really do nothing and the authorization should be based on local user data (information about roles) that would be maintained over and above our intranet identification/authentication system. So this one is a possibility, but a possibility with a perhaps steep learning curve and lots of coding.
all provide some simplified API for arbitrary user sources, authorization, and authentication.
The closest thing I have found is "RemoteUser" which identifies a user based on the REMOTE_USER environment variable. This would work great if I had access to REMOTE_USER, but it isn't clear that I will. In any case, it seems to function the way I want (it doesn't care about passwords, it just grabs the user's identity and adds them to the user folder if they don't exist already). This is along the lines of what I want, but it is going to require me to hack it a little bit in order to support our specific system. I was hoping for something that I might be able to configure "through the web". I'll also look into how authentication is done with SSL since that is very similar to what we do. Thanks.
--jcc
-- Mike
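The thread above discusses two pieces: calling an external certificate checker from filesystem-based code (an External Method) and taking the identity from REQUEST the way RemoteUser does with REMOTE_USER. The following is an added example, written for this page and not code from either poster, the Zope project or any of the user folders named; it shows the identification step only (no password check, as the thread wants) and the two checks a defender would add: the external program is run with an argument list rather than a shell, and whatever it prints is validated before Zope treats it as a username. The function names, the `HTTP_X_CLIENT_CERT` header, the `OK <user>` output format and the stub verifier are all assumptions for this example; the real corporate checker would replace the stub.

```python
"""Added example: identify a user from an external certificate checker.
Not from the mailing-list thread. identify(), run_verifier(), VERIFIER_CMD,
the HTTP_X_CLIENT_CERT header and the stub verifier are assumptions."""
import re
import subprocess
import sys

# Constructed stand-in for the corporate certificate checker. It reads the
# certificate on stdin and prints "OK <user>" or "FAIL". One constructed
# certificate makes it print extra text after the name, to show why the
# caller must validate the output instead of trusting it.
STUB_VERIFIER = r'''
import sys
cert = sys.stdin.read().strip()
if cert == "CERT-valid-alice":
    print("OK alice")
elif cert == "CERT-valid-tricky":
    print("OK alice admin")
else:
    print("FAIL")
    sys.exit(1)
'''
VERIFIER_CMD = [sys.executable, "-c", STUB_VERIFIER]

# A username is only accepted if it looks like a plain account name.
# Output from the external program is untrusted until it passes this.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_verifier(cert, cmd=VERIFIER_CMD, timeout=5):
    """Run the external checker as an argv list (never through a shell),
    passing the certificate on stdin. Returns the username on "OK <user>",
    otherwise None (non-zero exit, timeout, malformed or odd-looking output)."""
    try:
        proc = subprocess.run(cmd, input=cert, capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    parts = proc.stdout.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != "OK":
        return None
    user = parts[1]
    if not USERNAME_RE.match(user):
        return None
    return user


def identify(request_environ, cmd=VERIFIER_CMD):
    """What an External Method could do with REQUEST.environ.

    If the front-end web server already set REMOTE_USER (the RemoteUser
    approach), use it: REMOTE_USER is set by the server itself, unlike
    client-supplied headers, which arrive under HTTP_* names. Otherwise hand
    the certificate (assumed header HTTP_X_CLIENT_CERT) to the external
    checker. Returns the username, or None meaning "treat as Anonymous";
    there is deliberately no fallback to a default account."""
    remote_user = request_environ.get("REMOTE_USER")
    if remote_user and USERNAME_RE.match(remote_user):
        return remote_user
    cert = request_environ.get("HTTP_X_CLIENT_CERT")
    if not cert:
        return None
    return run_verifier(cert, cmd)


if __name__ == "__main__":
    # Constructed request environments, one per case.
    for env in ({"HTTP_X_CLIENT_CERT": "CERT-valid-alice"},
                {"HTTP_X_CLIENT_CERT": "CERT-valid-tricky"},
                {"HTTP_X_CLIENT_CERT": "not-a-cert"},
                {"REMOTE_USER": "bob"},
                {}):
        print(env, "->", identify(env))
```

In a real deployment the identified name would then be looked up in Zope's own role data (the "local user data" the thread mentions for PluggableUserFolder), so the external system decides who the person is and Zope alone decides what they may do.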