[Zope-dev] RE: [Zope-Annce] jcNTUserFolder 0.2.1 released

Jay, Dylan djay@avaya.com
Tue, 4 Dec 2001 16:21:05 +1100


One way is to not replicate the challenge-response functionality at all.
Put Zope behind IIS in two spots. One which is protected and thus elicits a
challenge/response and another that has IIS anonymous access on it. Then get
the Zope security machinery to alternate between the two URLs depending on
the security required. Then all you need is remote user mode in Zope to work
by allowing any remote user secure access. Perhaps remembering new
REMOTE_USERs so further roles can be associated with them.

I've tried doing this in the past but I think my install of IIS was screwed
and I couldn't use either jcNTUserFolder or GUF to allow any REMOTE_USER in,
so I gave up.

Would my idea work, or is it flawed?

> -----Original Message-----
> From: Jephte CLAIN [mailto:Jephte.Clain@univ-reunion.fr]
> Sent: Tuesday, 4 December 2001 3:40 PM
> To: Jay, Dylan
> Cc: zope-dev@zope.org
> Subject: Re: [Zope-Annce] jcNTUserFolder 0.2.1 released
> 
> 
> "Jay, Dylan" wrote:
> > Can I ask you a question? Something I've tried to do in the past with
> > jcNTUserFolder (maybe not tried hard enough) is this. I want all my users to
> > be authenticated via challenge-response mechanism such that no one has to
> > enter a username or password.
> > From what I can work out jcNTUserFolder doesn't actually help with this at
> > all, or have I missed something?
> I wrote jcNTUserFolder just to do that, you know :-)
> But, currently, you have to go through IIS. I think there is a howto on
> http://www.zope.org/Members/jephte
> 
> I have tried to look at challenge/response authentication, but it is so
> hard and so much undocumented I left it. It would require to change
> Medusa (IIS and IE have a no-close connection when in challenge/response
> mode. It seems it must be so at least for the challenge/response part of
> the protocol; I suppose it would require too much time if they have to
> authenticate on each connection :), and to change Zope (you don't have
> the password, just a hash, that you must ask the PDC to validate for
> you, unless someone knows how the hash is generated), and to have a
> compatible User Folder.
> 
> However, if someone can point me to a good source of documentation about
> that, and some example code, I may want to give it a try again.
> 
> regards,
> jephte.clain@univ-reunion.fr
>
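
The routing decision described in the first paragraph of the message, as an added example (not part of the original post, and not Zope or jcNTUserFolder code). The `/secure` and `/public` prefixes, the role names and the `decide` and `RemoteUserRegistry` helpers are assumptions; REMOTE_USER is honoured only on the protected mount and ignored on the anonymous one.

```python
# Added illustration: prefixes, roles and helper names are assumptions,
# not Zope or jcNTUserFolder API.
from urllib.parse import quote

PROTECTED_PREFIX = "/secure"  # assumed IIS mount that forces challenge/response
ANONYMOUS_PREFIX = "/public"  # assumed IIS mount with anonymous access


class RemoteUserRegistry:
    """Remembers every REMOTE_USER seen so roles can be attached later."""

    def __init__(self):
        self.roles = {}  # user name -> set of role names

    def remember(self, user):
        # First sighting: record the user with only the baseline role.
        return self.roles.setdefault(user, {"Authenticated"})

    def grant(self, user, role):
        self.remember(user).add(role)


def decide(environ, required_role, registry):
    """Return ('allow', user), ('redirect', url) or ('deny', user)."""
    if required_role == "Anonymous":
        return ("allow", None)
    path = environ.get("PATH_INFO", "")
    if not path.startswith(PROTECTED_PREFIX + "/"):
        # Request arrived through the anonymous mount: ignore any identity
        # it carries and send the client to the same resource under the
        # protected mount, where IIS performs the challenge/response.
        if path.startswith(ANONYMOUS_PREFIX + "/"):
            path = path[len(ANONYMOUS_PREFIX):]
        return ("redirect", PROTECTED_PREFIX + quote(path))
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        # Protected mount but the front end supplied no identity: fail closed.
        return ("deny", None)
    roles = registry.remember(user)
    return ("allow", user) if required_role in roles else ("deny", user)
```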