[Zope] Authentication with IIS --> Zope through REMOTE_USER: at last!
Ava
ava@dde974.equipement.gouv.fr
Tue, 28 Dec 1999 11:39:32 +0400
[My English is broken, but you may read the entire message anyway. It is
very interesting.]
Hello,
I asked some days ago how to make IIS handle authentication and pass the
information back to Zope through REMOTE_USER.
Rob Page said that if IIS doesn't pass REMOTE_USER, I could write an ISAPI
filter to stuff the value in the request. He's right: it is easy to do (I
wrote the filter in 10mn !)
*but* I then realized that IIS in fact passes REMOTE_USER.... *after* the
authentication process. Here is how it works in challenge/response
authentication mode:
- if the cgi program (for instance, Zope through pcgi-wrapper) says 401
Unauthorized *OR* the NT user (including the anonymous user set in IIS) does
not have the read/execute permission on the resource, and the current user
(identified with the challenge/response protocol) does not have the proper
rights either, the browser triggers the 'identify yourself sucker' dialog box.
- the chat is between the browser and IIS for the moment, and the browser
keeps asking for a username and a password until IIS realizes that the user
identified by the browser has the read/execute permission on the resource.
- *then* it calls the cgi program with either the AUTH_USER or the LOGON_USER
environment variable set (it is still unclear which variable is set and when.
I have to test for both for the authentication process to work)
- if the cgi program is happy with AUTH_USER/LOGON_USER, IIS calls it with
REMOTE_USER variable set.
It sounds very odd, because the cgi seems to be called only once, but it
works that way: I patched lib/python/AccessControl/User.py to test for
AUTH_USER and LOGON_USER in remote user mode, and it works now in remote
user mode:
------------------------------8<------------------------------
--- User.py.orig Wed Nov 03 05:33:10 1999
+++ User.py Tue Dec 28 07:03:26 1999
@@ -432,6 +432,10 @@
e=request.environ
if e.has_key('REMOTE_USER'):
name=e['REMOTE_USER']
+ elif e.has_key('AUTH_USER'):
+ name=e['AUTH_USER']
+ elif e.has_key('LOGON_USER'):
+ name=e['LOGON_USER']
else:
for ob in self.getUsers():
domains=ob.getDomains()
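Review bot: the two added `elif` branches (`+ elif e.has_key('AUTH_USER'):` and `+ elif e.has_key('LOGON_USER'):`) repeat the existing REMOTE_USER branch line for line; a loop over the tuple `('REMOTE_USER', 'AUTH_USER', 'LOGON_USER')` would keep the precedence in one place and make it obvious that the first variable found wins. The hunk also carries no comment explaining that AUTH_USER and LOGON_USER are IIS-specific variables that are only set after IIS has completed its own challenge/response, which is the reason they are trusted on equal footing with REMOTE_USER; a reader of User.py on a non-IIS deployment will not know that from the code alone. Finally, the quoted hunk has lost its indentation, so when applying it make sure the `elif` lines align with the surrounding `if`/`else` of the same block.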
------------------------------8<------------------------------
Once this patch has been applied, there's another trick to do: NT users are
written that way: ServerComputerName\UserName
*so* your access file must be something like:
NTServer\superuser:
where superuser is a user created on NTServer (a PDC or a standalone server)
and the user you create in the user folder *must* be in the Server\UserName
format.
And voila! IIS handles authentication and passes it back to Zope. Your
favorite user folder must support remote user mode though.
I plan to review NTUserFolder and if it doesn't support remote user mode, I
want to integrate the feature in it. That way, I don't even need to manually
add users to any user folder!
Please send any comment to minf7@educ.univ-reunion.fr
This document may turn into a howto, once I get sufficient time
Regards,
Jephte CLAIN
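The following is an added example, not code from the post above nor from Zope or its User.py. It shows, as a small stand-alone Python module, the behaviour the poster's patch relies on: the authenticated name is read from the CGI environment in the order REMOTE_USER, AUTH_USER, LOGON_USER, it is in the `Server\UserName` form, and it is matched against an access file whose lines look like `NTServer\superuser:`. The function names, the access-file parser and the sample environments are assumptions made for the illustration; the access-file format itself is the one the post describes. The example also shows the check a practitioner wants here: only the variables the web server sets are consulted, so a client-supplied header (which CGI exposes with an `HTTP_` prefix) is never accepted as the authenticated user.

```python
"""Resolve the server-authenticated user from a CGI environment.

Added example; it is not code from the Zope mailing-list post or from Zope.
It mirrors the precedence of the poster's User.py patch and the
'ServerComputerName\\UserName' naming convention the post describes.
Helper names and the access-file parser are assumptions for illustration.
"""

# Variables consulted, in the order the patch checks them (from the post).
# Deliberately no 'HTTP_REMOTE_USER' or similar: anything prefixed HTTP_ is
# copied from a client-sent request header and is not set by IIS itself.
AUTH_VARS = ("REMOTE_USER", "AUTH_USER", "LOGON_USER")


def remote_user_name(environ):
    """Return the first non-empty server-set auth variable, or None."""
    for var in AUTH_VARS:
        value = environ.get(var)
        if value:
            return value
    return None


def split_nt_name(name):
    """Split 'Server\\User' into (server, user); a bare name gets server None."""
    if "\\" in name:
        server, user = name.split("\\", 1)
        return server, user
    return None, name


def parse_access_file(text):
    """Parse lines of the form 'NTServer\\superuser:' (format from the post).

    The part before the first colon is the user name exactly as IIS will
    present it; an empty password field means IIS already did the checking.
    Blank lines and '#' comments (an assumed convenience) are skipped.
    """
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _sep, _password = line.partition(":")
        names.add(name)
    return names


def is_authorized(environ, access_text):
    """True only when IIS supplied a user that is listed in the access file."""
    name = remote_user_name(environ)
    if name is None:
        return False
    return name in parse_access_file(access_text)


if __name__ == "__main__":
    # Constructed sample data: an access file with one entry, and two
    # environments, one set by the server and one carrying only a spoofed
    # client header.
    ACCESS = "# access file (constructed sample)\nNTServer\\superuser:\n"
    server_env = {"LOGON_USER": "NTServer\\superuser"}
    spoofed_env = {"HTTP_REMOTE_USER": "NTServer\\superuser"}
    print("server-authenticated:", is_authorized(server_env, ACCESS))
    print("client header only:  ", is_authorized(spoofed_env, ACCESS))
    print("split:", split_nt_name(remote_user_name(server_env)))
```

Run as a script it prints True for the environment IIS would populate and False for the one that only carries a client-sent header; `split_nt_name` gives you the `(server, user)` pair if a user folder wants to match on the bare user name instead of the full `Server\UserName` string.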