[Zope] new proposal with Verisign CA (was radius authentication instead of flatfile or userdb?)

Rob Page rob.page@digicool.com
Fri, 10 Sep 1999 07:04:58 -0400


> New project ideas:
> 
> 1) create web request forms
>   a)primary page requests userid (everyone has a userid)
>   b)look up userid in Netscape LDAP database (Does LDAP adapter work
> with Netscape LDAP?)

The LDAP specification defines the API.  Recent visual inspection
strongly suggests that the LDAP Adapter (i.e., the underlying Python
extension) can use the Netscape LDAP libraries.  However, I tried this
very, very briefly.  Unfortunately, Netscape packages their LDAP
libraries in a TOTALLY different way than the OpenLDAP project.  I spent
3.5 seconds tinkering with the makefile and gave up.  Of course, the LDAP
adapter works with both OpenLDAP and Netscape Directory Server LDAP
servers.

>   c)display user information - give options for request forms
>   d)user chooses and fills out request form
> 
> 2) create methods to operate on data in request form
>   a)move request form information to database (is it better to stay in
> zope or move to sql database?)
>   b)notify authorizers they have forms to authorize
>   c)authorizer logs into zope with certificate from Verisign (does
> anyone know if apache/stronghold or other will work with Verisign CA?)
>   d)authorizer is presented with a queue of forms to authorize
>   e)authorizer signature/certificate is stored along with form data for
> proof of authorization (again, is it better to stay in zope with this
> information or move to sql.  This information will be very critical and
> should be stored in the safest location with regular backups.)

I think this is HARD.  If your use of "authorizer signature" means a
digital signature of the requisition, you're in for some pain.  Zope has
no organic crypto (save the nifty hashed password stuff).  Getting and
talking to an X509 cert will be some work.

> Since I am not a Python programmer, how hard will this be to accomplish?

uh, pretty hard.
 
> Can it be accomplished without Python - just dtml and some Zclasses?

uh, nope.
 
> Roughly, how long will this possibly take (I will be learning all the
> new Zope 2 stuff along the way.  Zope 1 stuff is not too difficult.) if
> this is the only project that I am coding?

Learn python, learn ssleay, believe that crypto is your friend, etc.,
etc.  If you've got to learn this first, it might be a looong project.
 
> Would these assumptions work - use apache/stronghold for certificate
> stuff and pass this through to zope for login;  use portal toolkit to
> present authorization queue to authorizer when he logs in to zope?

Yes and no.  Certainly redhat's secure server and stronghold can use
Verisign certs.  However, I'd bet a nickel that all they would do by
default is pass a securely bound Distinguished Name (DN) to the Zope
process.  You're not likely (although I could easily be wrong) to get
any of the crypto stuff (e.g., public key).
 
> I have not looked at portal toolkit.  How are users stored?

In the Zope ODB as member objects.
 
> If possible, how would I keep the zope root user from authorizing
> someone's queue or forms?

This would be tough as it would require you to tackle all of the nasty
two-key crypto stuff.  Could you put the server in a locked room with
armed guards?  :^)

--Rob
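As an added illustration of the DN-only handoff Rob describes above (example code, not from this thread, Zope, or Stronghold): a small Python helper for the Zope side that accepts a login derived from a client certificate only when the front-end server reports that it verified the chain and the issuer is one we trust. The variable names are an assumption based on mod_ssl's exported SSL_CLIENT_* names (a 1999 Stronghold build may differ), and the DN-to-user table and sample environment are constructed.

```python
from typing import Dict, Optional

# Constructed sample of what a mod_ssl-style front end exports to the
# backend after a client-certificate handshake (names are an assumption).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=Purchasing/CN=Alice Authorizer",
    "SSL_CLIENT_I_DN": "/C=US/O=Example CA/CN=Example Issuing CA",
}

# Hypothetical table: certificate subject DN -> Zope user id.
AUTHORIZER_DNS = {
    "/C=US/O=Example Corp/OU=Purchasing/CN=Alice Authorizer": "alice",
}

# Only certificates chained to these issuers may log anyone in.
TRUSTED_ISSUERS = {"/C=US/O=Example CA/CN=Example Issuing CA"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a slash-separated DN ("/C=US/O=.../CN=...") into attributes.

    Assumes attribute values contain no '/', which holds for the sample."""
    attrs: Dict[str, str] = {}
    for part in dn.lstrip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def user_from_env(env: Dict[str, str]) -> Optional[str]:
    """Map a verified client certificate to a user id, or None to deny."""
    # The DN is only meaningful if the front end actually verified the
    # certificate; anything other than SUCCESS (NONE, FAILED:...) denies.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # A valid chain to an unknown CA still proves nothing about the user.
    if env.get("SSL_CLIENT_I_DN") not in TRUSTED_ISSUERS:
        return None
    # Exact-match lookup: no substring or CN-only matching on the DN.
    return AUTHORIZER_DNS.get(env.get("SSL_CLIENT_S_DN", ""))


if __name__ == "__main__":
    print(parse_dn(SAMPLE_ENV["SSL_CLIENT_S_DN"]))
    print(user_from_env(SAMPLE_ENV))
```

Note that this gives you only identity, as Rob says: a stored DN is not a signature over the form, so it cannot later prove what the authorizer approved.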