[Zope] new proposal with Verisign CA (was radius authentication instead of flatfile or userdb?)

Rob Page rob.page@digicool.com
Sat, 11 Sep 1999 09:16:43 -0400


> I believe that zope might be an option for this application, but
> x.509 is a definite requirement.  I don't know any requirements for
> the x.509 other than it will be used for authentication.
> 
> Oh yeah, our company uses Netscape web servers also.  I listed
> apache/stronghold because I have a bad habit of relating everything to
> open source products.

Well, in this case, Zope CAN use x509 authentication!!!

Netscape Enterprise Servers (ES) have a regular expression-like
capability of matching Distinguished Names (DNs) to userids.  This is
useful because (a) by default Netscape ES stores user data in an
internal db file keyed on userid AND (b) once bound the userid can be
passed to Zope in the environment (using PCGI).

The harder part would be getting access to ANYTHING other than the
userid.  This would require some work in C with the NSAPI.  However,
I've lurked on some of Netscape's snews: groups and looked a lot at
Developer's Edge and there is some nice (i.e., well-commented!) sample
code to look inside a cert once it's been authenticated.

Good luck,
--Rob
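
Added example, not part of the original message and not Netscape or Zope code: a Python sketch of the DN-to-userid mapping step the message describes, done on parsed DN components rather than by pattern-matching the raw DN string. The rule values (`Example Corp`, `Engineering`), the use of the `UID` attribute and the function names are assumptions made for illustration, and multi-valued RDNs (`+`) are not handled.

```python
import re

# Constructed rule (hypothetical): attributes a subject DN must carry to be mapped.
REQUIRED = {"O": "Example Corp", "OU": "Engineering"}
USERID_RE = re.compile(r"[a-z][a-z0-9]{1,15}")  # accepted userid shape

def split_dn(dn):
    """Split a DN string into (ATTR, value) pairs, honouring backslash-escaped commas."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:                  # character after a backslash is taken literally
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":          # unescaped comma ends a component
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for p in parts:
        attr, sep, value = p.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError("malformed DN component: %r" % p)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_to_userid(dn):
    """Return the userid for an already-verified subject DN, or None if no rule matches."""
    try:
        rdns = split_dn(dn)
    except ValueError:
        return None
    attrs = {}
    for attr, value in rdns:
        if attr in attrs:        # conservative choice here: repeated attribute is ambiguous
            return None
        attrs[attr] = value
    if any(attrs.get(k) != v for k, v in REQUIRED.items()):
        return None
    uid = attrs.get("UID", "")
    return uid if USERID_RE.fullmatch(uid) else None
```

The mapping only makes sense for a DN taken from a certificate whose chain the web server has already validated; the function does no certificate checking itself.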