Automatically authenticating users in Zope behind IIS
I am going to use Zope to form an intranet for a TV station. The situation is that all users (using Windows 2000 workstations and Internet Explorer 5.5) are logging on to an Active Directory server. The intranet is to be implemented with Zope running behind IIS 5.0 (or the newer one if it can solve the problem).

IIS and IE have a special function: if the directory security is set to ONLY "NT Challenge/response" AND the intranet URL is set in IE to the security level "Local Intranet", the user need not make a separate authentication to enter the intranet. Instead IE sends to IIS the user details previously entered when logging on to the Active Directory server. IIS then validates the user against the same AD (and also checks the user's permissions on the directory/website). If the user is authenticated and has permissions to execute scripts, the script in question is called with an extra server variable called "LOGON_USER". This works with both ASP and e.g. PHP.

I would like this to work with Zope as well, so that Zope does not display an authentication dialog box. I see two ways to do this, however I do not know if it would work, or even how:

1) Zope is run behind IIS with PCGI. All users with access to the intranet must be added to the permissions for the intranet's root folder. Zope user folders are made with the special LDAPUserFolder.

2) Zope is run as a standalone server. Zope must simulate IIS's challenge/response system. Zope user folders are made with the special LDAPUserFolder.

Has anyone tried this before? I'm still at the level of getting PCGI to work properly. ;-) Any help is much appreciated. - Carsten
Carsten Gehling wrote at 2003-7-24 10:58 +0200:
... Excellent description on Windows authentication with IE and IIS ...
Thank you very much for this! It may be very useful for me in the future...
1) Zope is run behind IIS with PCGI. All users with access to the intranet must be added to the permissions for the intranet's root folder. Zope user folders are made with the special LDAPUserFolder.

2) Zope is run as a standalone server. Zope must simulate IIS's challenge/response system. Zope user folders are made with the special LDAPUserFolder.

Has anyone tried this before? I'm still at the level of getting PCGI to work properly. ;-)
You should go for 1) and use a specialized "UserFolder" that authenticates a user based on "LOGON_USER". There are myriads of UserFolders around. Maybe some of them already do this. If I remember right, "NTUserFolder" (a specialized UserFolder authenticating against the Windows user database) can do this. However, I usually avoid using MS products and have never used IIS (or "NTUserFolder") myself. Dieter
On Fri, Jul 25, 2003 at 01:45:54AM +0200, Dieter Maurer wrote:
Carsten Gehling wrote at 2003-7-24 10:58 +0200:
1) Zope is run behind IIS with PCGI. All users with access to the intranet must be added to the permissions for the intranet's root folder. Zope user folders are made with the special LDAPUserFolder.

2) Zope is run as a standalone server. Zope must simulate IIS's challenge/response system. Zope user folders are made with the special LDAPUserFolder.
You should go for 1) and use a specialized "UserFolder" that authenticates a user based on "LOGON_USER".
There is RemoteUserFolder, whose documentation says it works with IIS's setting of REMOTE_USER. I've not used RemoteUserFolder with IIS, but I've used it with my ZServerSSL, which sets REMOTE_USER from the client certificate's subject DN, i.e., to support cert-based authentication over SSL. Works fine on Un*x, and I think it tested OK on Windows, too. -- Ng Pheng Siong <ngps@netmemetic.com> http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
Ng Pheng Siong wrote:
I've not used RemoteUserFolder with IIS, but I've used it with my ZServerSSL which sets REMOTE_USER from the client certificate's subject DN, i.e., to support cert-based authentication over SSL. Works fine on Un*x, and I think it tested ok on Windows, too.
If none of these work out of the box, consider using SimpleUserFolder and scripting or subclassing to get your exact requirements... Chris
I got it working with RemoteUserFolder. Only it would be nice to get group associations from the Active Directory server and use these as Roles. I probably need to add some LDAP support to RemoteUserFolder. There is an LDAPUserFolder, but I don't think it supports the REMOTE_USER authentication. - Carsten
-----Original message----- From: zope-admin@zope.org [mailto:zope-admin@zope.org] On behalf of Chris Withers Sent: 31 July 2003 16:52 To: Ng Pheng Siong Cc: Dieter Maurer; Carsten Gehling; Zope@Zope.Org Subject: Re: [Zope] Automatically authenticating users in Zope behind IIS
Carsten Gehling wrote:
I got it working with RemoteUserFolder. Only it would be nice to get group associations from the Active Directory server and use these as Roles.
Groups != Roles, in several subtle ways...
I probably need to add some LDAP support to RemoteUserFolder. There is an LDAPUserFolder, but I don't think it supports the REMOTE_USER authentication.
Probably not. You could always look at SimpleUserFolder and script or subclass the exact required functionality yourself :-) cheers, Chris
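As an added illustration (not RemoteUserFolder's, NTUserFolder's or Zope's own code): how a user folder of the kind discussed in this thread can pick up the gateway-supplied identity safely in both deployments from the original question, and map AD groups to Zope roles explicitly, since groups are not roles. The forwarded header name X-Logon-User, the group names and the proxy address are assumptions.

```python
"""Gateway-supplied identity for a Zope-style user folder (illustration)."""
import re

# Constructed example: AD groups (DOMAIN\group) -> Zope roles. The mapping
# is explicit because an AD group says nothing about what a Zope role may do.
GROUP_TO_ROLES = {
    "STATION\\Editors": ["Editor"],
    "STATION\\Newsroom": ["Member"],
    "STATION\\IntranetAdmins": ["Manager"],
}

# IIS sets LOGON_USER as DOMAIN\user; anything else is refused, not guessed.
LOGON_RE = re.compile(r"^(?P<domain>[A-Za-z0-9._-]+)\\(?P<user>[A-Za-z0-9._-]+)$")


def gateway_identity(environ, proxy_addrs=()):
    """Return the normalized DOMAIN\\user the gateway vouched for, or None.

    environ is the CGI-style environment Zope receives.
    Option 1 (PCGI behind IIS): IIS itself fills LOGON_USER/REMOTE_USER after
    NT challenge/response, and a browser cannot set those names, because a
    client header only ever appears as HTTP_*; so they are trusted as-is.
    Option 2 (standalone Zope behind a proxy): the identity can only arrive
    as a forwarded header (HTTP_X_LOGON_USER, an assumed name). It is used
    only when the TCP peer is a listed proxy, and the proxy must itself drop
    any X-Logon-User the browser sent, or the browser names its own user.
    """
    logon = environ.get("LOGON_USER") or environ.get("REMOTE_USER")
    if not logon and environ.get("REMOTE_ADDR") in proxy_addrs:
        logon = environ.get("HTTP_X_LOGON_USER")
    if not logon:
        return None  # no trusted identity: fall through to normal auth
    m = LOGON_RE.match(logon)
    if not m:
        return None
    # Windows names are case-insensitive; normalize so "station\Carsten"
    # and "STATION\carsten" are the same Zope user.
    return m.group("domain").upper() + "\\" + m.group("user").lower()


def roles_for(user, user_groups):
    """Map the AD groups of an authenticated user to Zope roles.

    user_groups is {user: [group, ...]} as an LDAP lookup would return it.
    Unknown groups grant nothing; a user with no mapped group stays Anonymous.
    """
    roles = set()
    for group in user_groups.get(user, ()):
        roles.update(GROUP_TO_ROLES.get(group, ()))
    return sorted(roles) or ["Anonymous"]
```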