[Zope] Help on identification

Tiller, Michael (M.M.) mtiller at ford.com
Fri Dec 12 09:55:55 EST 2003


> From: J Cameron Cooper [mailto:jccooper at jcameroncooper.com]
> Subject: Re: [Zope] Help on identification
> 
> 
> Tiller, Michael (M.M.) wrote:
> 
> >I'm trying to setup a Zope server on our corporate intRAnet 
> set.  We have a
> >formal system of authenticating users.  It is centralized.  
> I don't want to
> >go into too much detail, but suffice it to say that I can 
> invoke a program
> >and it will tell me whether the person requesting my page has a valid
> >certificate and, if so, who the person is.
> >
> >What is the best scheme for integrating such a program into the Zope
> >authentication and identification process.  Key things are:
> >
> >1) The user does not provide a password, only the validity of the
> >certificate is checked.
>
> This detail I cannot really advise on. You're trying to get a 
> certificate? If it comes in REQUEST it's easy to get.

It comes in REQUEST.  There is no issue here, I just added this as
information.  The important point is that no password is required from the
user.

> >2) How do I invoke an external program from Zope?!?
> >  
> >
> Any filesystem-based code can do it, using the usual Python 
> calls. (This means External Methods and Products.)

Great.  I just wanted to confirm that.  Unfortunately, I don't have easy
access to the file system (although I'm not completely blocked) so I wanted
to know if there was a way around this.  In a sense, it is reassuring that
there isn't. :-)

> > 3) Are there any "out-of-the-box" user folders that can 
> > handle this?  I couldn't find any.  If not, what is the best
> > open ended product and what would I need to do?

> SimpleUserFolder

I looked into this, but it wants to feedback into the user source.  It wants
to be able to create new users and edit the roles and password of an
existing user.  I'm not in a position to provide any of this.

> ExtensibleUserFolder

exUserFolder says that the one method that is mandatory is "listOneUser"
which has to return the username, password and a list of roles for the user.
In our system, I already know the identity of the person.  I don't need to
authenticate them.

> PluggableUserFolder

This folder is quite generic.  Based on my reading of the "INTERNALS.txt"
file, I would need to provide my own identification method (which would fit
pretty simply into this), the authentication would really do nothing and the
authorization should be based on local user data (information about roles)
that would be maintained over and above our intranet
indentification/authentication system.  So this one is a possibility but a
possibility with a perhaps steep learning curve and lots of coding.

> all provide some simplified API for arbitrary user sources, 
> authorization, and authentication.

The closest thing I have found is "RemoteUser" which identifies a user based
on the REMOTE_USER environment variable.  This would work great if I had
access to REMOTE_USER, but it isn't clear that I will.  In any case, it
seems to function the way I want (it doesn't care about passwords, it just
grabs the user's identity and adds them to the user folder if they don't
exist already).

This is along the lines of what I want, but it is going to require me to
hack it a little bit in order to support our specific system.  I was hoping
for something that I might be able to configure "through the web".

I'll also look into how authentication is done with SSL since that is very
similar to what we do.  Thanks.

>           --jcc

--
Mike



More information about the Zope mailing list