[Zope-dev] RE: [Zope-Annce] jcNTUserFolder 0.2.1 released

Jay, Dylan djay@avaya.com
Tue, 4 Dec 2001 17:53:43 +1100


> -----Original Message-----
> From: Jephte CLAIN [mailto:Jephte.Clain@univ-reunion.fr]
> Sent: Tuesday, 4 December 2001 5:51 PM
> To: Jay, Dylan
> Cc: zope-dev@zope.org
> Subject: Re: [Zope-Annce] jcNTUserFolder 0.2.1 released
> 
> 
> "Jay, Dylan" wrote:
> > One way is to not replicate the challenge-response 
> functionality at all.
> This is the solution I have opted for. It has run now for two 
> years :-)
> The problem is Zope cannot be in remote user mode and in 
> normal mode at
> the same time. I think that setting up a ZEO cluster (one 
> Zope instance
> that is served through IIS, and is used to update content, 
> and one which
> has the normal behavior, and serves public content) could enable this,
> but I haven't tried yet.

There has to be some way round that. Is the REMOTE_USER variable still passed
in even if Zope isn't in remote user mode? Couldn't a user folder be
implemented to use it?

> > Put Zope behind IIS in two spots. One which is protected 
> and thus elicits a
> > challenge/response and another that has IIS anonymous access 
> on it. Then get
> > the zope security machinery to alternate between the two 
> urls depending on
> > the security required.
> Please elaborate: you mean that when access to
> http://iis.host.com/zope_anonymous.pcgi/protected_resource is 
> forbidden,
> Zope automatically redirects the user to
> http://iis.host.com/zope_protected.pcgi/protected_resource?

Yes, that's exactly what I mean.

> > Then all you need is remote user mode in Zope to work
> > by allowing any remote user secure access. Perhaps remembering new
> > REMOTE_USER's so further roles can be associated with them.
> I don't understand :-(

I guess what I'm talking about is a user folder implementation that uses the
REMOTE_USER variable and constructs a user object around that. It assumes
that IIS has done its job and that this REMOTE_USER is allowed in. It looks
to see if it's seen this user before. If not, it creates the user with some
default role. If the user does exist with the same name as REMOTE_USER, then
this user is used with all its associated roles etc.

I had thought this is what jcNTUserFolder did, but I couldn't get it to work
like this. I think what it does do is try to authenticate directly with the
NT domain server using a name and password supplied by the user?
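A sketch of the two pieces discussed in the thread, a user folder that trusts the identity IIS established in REMOTE_USER and the anonymous-to-protected redirect, added here as an illustration. It is not jcNTUserFolder or Zope code and does not use the Zope user-folder API; the two .pcgi path prefixes, the use of SCRIPT_NAME to tell the two gateway paths apart, and the class and function names are assumptions. The check a practitioner would want is also shown: REMOTE_USER is only honoured on the protected path, because that is the only path on which IIS set it, and a request that is already on the protected path and still lacks the role gets a plain forbidden rather than another redirect.

```python
"""REMOTE_USER-trusting user folder plus anonymous -> protected redirect.

Added example, not jcNTUserFolder or Zope code. Names and the gateway
layout below are hypothetical.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Assumed IIS layout: the same Zope instance is published twice, once with
# anonymous access and once behind NTLM challenge/response.
ANON_PREFIX = "/zope_anonymous.pcgi"
PROTECTED_PREFIX = "/zope_protected.pcgi"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def has_role(self, roles):
        return bool(self.roles & set(roles))


class RemoteUserFolder:
    """Build a user object around REMOTE_USER instead of checking a password.

    Unknown names are created with DEFAULT_ROLES; names seen before keep
    whatever roles were assigned to them since.
    """
    DEFAULT_ROLES = frozenset({"Authenticated"})

    def __init__(self, users=None):
        self._users = dict(users or {})

    def validate(self, environ, roles=None):
        """Return the User for this request, or None for anonymous/denied."""
        script = environ.get("SCRIPT_NAME", "")
        name = environ.get("REMOTE_USER")
        # Only the protected path had IIS authenticate the client, so a
        # REMOTE_USER arriving via the anonymous path is not trusted.
        if not name or not script.startswith(PROTECTED_PREFIX):
            return None
        user = self._users.get(name)
        if user is None:
            user = User(name, set(self.DEFAULT_ROLES))
            self._users[name] = user  # remember new REMOTE_USERs
        if roles is not None and not user.has_role(roles):
            return None
        return user

    def assign_roles(self, name, roles):
        """Give an already-seen REMOTE_USER further roles."""
        self._users[name].roles |= set(roles)


def protected_url(url):
    """Map an anonymous-path URL to the same resource on the protected path."""
    parts = urlsplit(url)
    if not parts.path.startswith(ANON_PREFIX):
        return None
    new_path = PROTECTED_PREFIX + parts.path[len(ANON_PREFIX):]
    return urlunsplit(parts._replace(path=new_path))


def handle(folder, environ, url, required_roles):
    """Decide one request: ('allow', name), ('redirect', url) or ('forbidden', None)."""
    user = folder.validate(environ, required_roles)
    if user is not None:
        return ("allow", user.name)
    # Denied on the anonymous path: bounce to the protected path so IIS
    # performs the challenge/response. Denied on the protected path: the
    # user is known but lacks the role, so do not redirect again.
    if environ.get("SCRIPT_NAME", "").startswith(ANON_PREFIX):
        target = protected_url(url)
        if target:
            return ("redirect", target)
    return ("forbidden", None)


if __name__ == "__main__":
    folder = RemoteUserFolder({"alice": User("alice", {"Manager"})})
    anon = {"SCRIPT_NAME": ANON_PREFIX}
    print(handle(folder, anon,
                 "http://iis.host.com/zope_anonymous.pcgi/protected_resource",
                 ["Manager"]))
```

The redirect decision lives outside the user folder on purpose: the folder only answers "who is this, and may they have this role", and the gateway-path logic decides whether denial should become a redirect. Keeping the SCRIPT_NAME check inside validate is what stops a client on the anonymous path from supplying its own REMOTE_USER.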