The kerberos ticket certainly *can* be put to "sensible use".

An open source unix interoperability kit for using the Active Directory (AD) version of Kerberos is freely available from:

http://msdn.microsoft.com/library/techart/kerberossamp.htm

It is based on the same underlying software as the PAM modules.

The AD "Public Key Cryptography for Initial Authentication in Kerberos" is based on IETF PKINIT draft 09:

http://support.microsoft.com/support/kb/articles/Q248/7/53.ASP

Other details on MS kerberos can be obtained by searching for the "kerberos" keyword on MSDN, except for certain proprietary extensions, the technical specs for which have since been published elsewhere:

http://www.gnosis.cx/download/kerbspec.pdf

These extensions include a list of the resource and account groups that the principal is a member of, which enable very rapid and scalable use of finely grained AD permissions via only the kerberos "ticket" once the slow initial PKINIT logon to obtain that ticket has been done. This is a vast improvement on simple LDAP authentication, which Microsoft attempted, but failed, to keep a "trade secret", presumably to shore up their monopoly against competition from Samba NT domain controllers etc.

BTW I've done some detailed study of the AD permissions structure and its relation to other things if anybody needs help with that side of it.

Adding those specs to the freely available unix kit should allow any client on any platform to work with any services dependent on AD and thus avoid being locked out. In particular Zope (on any platform) could provide a web (including XML-RPC/SOAP etc) front end for both access and management by obtaining the client (from any platform) plaintext logon password over a secure transport, never storing it persistently unencrypted, but returning an encrypted kerberos ticket as a cookie for future access.
I described a plausible approach for a similar problem with credit card numbers at:

http://lists.codeit.com/pipermail/zcommerce/2000-June/000247.html

The ticket will automatically expire (and can automatically be renewed), giving all the usual kerberos safeguards, provided the transport is secure and there is no unencrypted persistent storage within Zope. The list of groups can then work well with the Zope acquisition based access control system.

Separately, freely available Kerberos and OpenLDAP implementations can be extended to eliminate any need for Win2K AD itself by adding the single valued binary attribute "ntSecurityDescriptor" in the same format as AD. The Samba project ought to be very interested in that:

http://marc.theaimsgroup.com/?l=samba-ntdom&w=2&r=1&s=active+directory&q=b

So should DC for Zope together with ActiveState, which already has expertise in ADSI/COM. (Likewise has major implications for the distributed COM+ version of Mozilla XPCOM.)

http://www.activestate.com/Products/Komodo/PyXPCOM/index.html

Zope's ZODB/ZEO also provides an excellent OODBMS "aggressively optimized" for a high ratio of reads to writes that is very suitable for the "active" side of an Active Directory (using BerkeleyDB storage similar to that used in OpenLDAP). ZEO is also looking at multi-master replication issues (though the approach looks a bit naive to me). TransWarp is very relevant to the stuff below.

http://www.zope.org//Members/pje/Wikis/TransWarp/HomePage

PostgreSQL provides an excellent ORDBMS more suitable for the "search" side of a directory than ZODB. It will very soon include python as a backend stored procedure language and has a sophisticated "rules" system. OpenLDAP already provides an excellent front end, including SASL authentication:

http://www.openldap.org/software/roadmap.html

ACS 4 provides an Oracle based web application server framework with LDAP integration.
The kernel has a finely grained permissions system, with a role/party/group framework compatible with the "Accountability" pattern and an object model compatible with the "Domain Object Model" pattern. This is very appropriate for a sophisticated LDAP directory backend (as well as being necessary for the industrial strength RDBMS essential for serious Zope ecommerce).

http://developer.arsdigita.com/doc/kernel-doc.html
http://www.martinfowler.com/ap2/index.html
http://www.martinfowler.com/apsupp/accountability.pdf
http://st-www.cs.uiuc.edu/users/johnson/DOM.html

ACS4 also provides an excellent workflow engine:

http://developer.arsdigita.com/doc/acs-workflow/

This can add the missing "strategy" side of the Domain Object Model together with TransWarp. Zope can provide much better UI and management stuff to work with the engine. It can also be a basis for reliable distributed workflow/transactions/replication:

http://www.distribution.cs.ncl.ac.uk/projects/WorkflowSystem/index.html

This is a better approach for some types of database replication than that currently proposed for ZEO or the usual approaches described in Chapter 8 of:

http://research.microsoft.com/pubs/ccontrol/

ACS4 is being ported to PostgreSQL by OpenACS, which has previously ported ACS3:

http://openacs.org/4/
http://openacs.org/bboard/q-and-a.tcl?topic_id=12&topic=OpenACS%204%2e0%20Design

Initial version of the kernel is already out.

Adapting the unix interoperability kit for AD to also use the kerberos extensions for AD groups and permissions and provide a cross platform solution like (and with) OpenSSL is a small project.
OpenSSL should have any needed expertise:

http://www.openssl.org

Public Key Certificate Authority software is also available, including for python:

http://www.pyca.de/

A number of better approaches to trust management are well known:

http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html

Unfortunately that minor adaptation of kerberos clients is peripheral to the main focus of most of the projects mentioned, but could well be a key link for bringing them together to both knock Microsoft off its perch and provide the more decentralized trust and directory services necessary for the rapid explosion of peer to peer networked web services. I sure hope somebody is working on it. If anybody has any relevant links or email addresses please email them directly as well as posting here (I only scan occasional messages from the Zope list).

BTW, while I'm at it with all the links above, I'd like to draw attention to some earlier postings re the need for Zope and ACS to combine for viable ecommerce:

http://lists.codeit.com/pipermail/zcommerce/2000-June/000265.html
http://lists.codeit.com/pipermail/zcommerce/2000-June/000259.html
http://lists.codeit.com/pipermail/zcommerce/2000-June/000257.html

Right now arsDigita is going through a major upheaval and it looks like OpenACS will provide an umbrella home for various ports of ACS 4, including python/Zope as well as their main orientation to Tcl. The data model of ACS4 is now much better separated from the Tcl side and they are doing a Query Dispatcher for supporting multiple RDBMS ports (with some tools in python for extracting SQL from the Tcl code completely ;-).

http://developer.arsdigita.com/commerce-project-central/
http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000b5M&topic%5fid=web%2fdb&topic=
http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000ZGz&topic%5fid=web%2fdb&topic=

A Zopista involved in OpenACS has mentioned working on a port of the data models of the ecommerce module.
That could result in a Zope port if there is active support from DC.

http://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0001AP&topic_id=12&topic=OpenACS%204%2e0%20Design

At the same time there seems to be some problems with an AOLserver fork that could result in greater interest in using Zserver (don't know much about that - just speculating).

If June 2000 was "premature", perhaps this is a better time to hope for some serious DC interest both in enabling an industrial strength ecommerce and workflow system for Zope and in integrating Zope with enterprise systems dependent on AD (if not in eventually replacing AD ;-)

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Mayers, Philip J
Sent: Sunday, March 25, 2001 9:12 AM
To: 'zope@zope.org'
Subject: RE: [Zope] kerberos ?

Yes - There's a pam module for Python, and with PythonScripts, External Methods and a LoginManager setup, I got it working. Quite slow, which is fine if you only authenticate once, but not if you do it on every HTTP request. (Note: I never bothered to check if LoginManager does once-only or per-request HTTP auth - I only did it as a five minute test, and a quick check on the machine shows that the logs have rotated out :o()

The PAM module for Python can be found at www.python.org; go to Search, and in the Vaults of Parnassus link type PAM.

I'm not sure the ticket you got could be put to any sensible use though... Maybe... Hmm, just had a thought...

Cheers,
Phil

-----Original Message-----
From: Darcy Clark
To: zope@zope.org
Sent: 24/03/01 22:29
Subject: [Zope] kerberos ?

has anyone tried to get Zope working with kerberos authentication ?

Darcy

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding!
** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
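The first message above sketches a front end that exchanges the user's password for a Kerberos ticket once, hands the ticket back as a cookie, and then relies on the ticket's own expiry, renewability and embedded group list on every later request. The following Python is an added illustration of that cookie lifecycle; it is not code from the thread, from Zope, or from any of the projects named. It assumes the ticket is already an opaque blob obtained from a KDC (the bytes, principal and group names below are constructed for the example), and it seals the cookie with an HMAC over a JSON payload so the client cannot alter the end time or the groups; the confidentiality layer the message calls for (encrypting the ticket bytes themselves) is assumed to sit around this and is not shown.

```python
"""Ticket-as-cookie lifecycle: seal an opaque Kerberos ticket plus its group
list into a cookie, and on every request verify integrity, expiry and
renewability without ever touching the user's password again."""
import base64
import binascii
import hashlib
import hmac
import json
import time

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag, 32 bytes

# Constructed sample. A real deployment would carry the opaque ticket bytes
# returned by the KDC and the group list decoded from the ticket's
# authorization data; the names and bytes here are made up for the example.
SAMPLE_TICKET = {
    "principal": "alice@EXAMPLE.COM",
    "groups": ["Domain Users", "Zope Editors"],
    "ticket_blob": base64.b64encode(b"constructed opaque ticket bytes").decode(),
}


def seal_cookie(ticket, key, now, lifetime, renew_till):
    """Bind the ticket to an end time and a renew-till limit and MAC the whole
    payload with the server key, so a client cannot extend its own lifetime."""
    payload = {"ticket": ticket, "endtime": now + lifetime, "renew_till": renew_till}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def open_cookie(cookie, key, now):
    """Return (payload, status). payload is None unless the cookie is genuine
    and either still valid ("ok") or expired but renewable ("expired-renewable")."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (binascii.Error, ValueError):
        return None, "malformed"
    if len(raw) <= TAG_LEN:
        return None, "malformed"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None, "bad-mac"
    payload = json.loads(body)
    if now < payload["endtime"]:
        return payload, "ok"
    if now < payload["renew_till"]:
        return payload, "expired-renewable"
    return None, "expired"


def renew_cookie(cookie, key, now, lifetime):
    """Issue a fresh cookie for a genuine ticket still inside its renew-till
    window; as with Kerberos renewal, the new end time never passes renew_till."""
    payload, status = open_cookie(cookie, key, now)
    if status not in ("ok", "expired-renewable"):
        return None
    renew_till = payload["renew_till"]
    return seal_cookie(payload["ticket"], key, now,
                       min(lifetime, renew_till - now), renew_till)


def is_member(payload, group):
    """Authorization decision taken from the group list carried in the ticket,
    with no further round trip to the directory."""
    return group in payload["ticket"]["groups"]


if __name__ == "__main__":
    key = b"constructed-server-key-keep-secret"  # constructed; keep server-side only
    t0 = int(time.time())
    cookie = seal_cookie(SAMPLE_TICKET, key, t0, lifetime=600, renew_till=t0 + 3600)
    for offset in (10, 600, 3600):
        print(offset, open_cookie(cookie, key, t0 + offset)[1])
    renewed = renew_cookie(cookie, key, t0 + 600, lifetime=600)
    print("renewed ok:", open_cookie(renewed, key, t0 + 700)[1])
```

The server key is the only long-lived secret, and it never leaves the server; the password is used once to obtain the ticket and is not stored at all, which is the property the message relies on. Verification and renewal are cheap local operations, which addresses the per-request slowness Phil mentions for PAM authentication on every HTTP request.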