[Zope] Automatic authenticating users in Zope behind IIS

Carsten Gehling carsten@gehling.dk
Thu, 24 Jul 2003 10:58:19 +0200


I am going to use Zope to form an intranet for a TV station. The situation
is that all users (using Windows 2000 workstation and Internet Explorer
5.5) are logging on to an Active Directory Server.

The intranet is to be implemented with Zope running behind IIS 5.0 (or the
newer one if it can solve the problem).

IIS and IE have a special function: If the directory security is set to ONLY
"NT Challenge/response" AND the intranet URL is set in IE to the security
level "Local Intranet", the user need not make a separate authentication to
enter the intranet. Instead IE sends to IIS the user details previously
entered when logging on to the Active Directory Server. IIS then validates the
user against the same AD (and also checks with user permissions on the
directory/website).

If the user is authenticated and has permissions to execute scripts, the
script in question is called with an extra server variable called
"LOGON_USER". This works with both ASP and e.g. PHP.

I would like this to work with Zope as well, so that Zope does not display
an authentication dialog box. I see two ways to do this, however I do not
know if it would work, or even how:

1) Zope is run behind IIS with PCGI. All users with access to the intranet
must be added to the permissions for the intranet's root folder. Zope user
folders are made with the special LDAPUserFolder.
2) Zope is run as a standalone server. Zope must simulate IIS's
challenge/response system. Zope user folders are made with the special
LDAPUserFolder.

Has anyone tried this before? I'm still at the level of getting PCGI to
work properly. ;-)

Any help is much appreciated.

- Carsten
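
Added example, not part of the original post: a sketch of how a CGI-style Python script behind IIS could consume the LOGON_USER variable described above and fail closed when no integrated logon took place. The AUTH_TYPE values, the DOMAIN\user format, the name pattern and the TVSTATION domain are assumptions made for this illustration.

```python
import re

# Assumption: with "NT Challenge/response" enabled, IIS reports one of these in AUTH_TYPE.
INTEGRATED_AUTH_TYPES = {"ntlm", "negotiate"}
# Conservative account-name pattern; anything else is rejected rather than sanitised.
NAME = re.compile(r"[A-Za-z0-9._$-]{1,64}")


class NotAuthenticated(Exception):
    """The request carries no identity that can be trusted."""


def identity_from_environ(environ, allowed_domains):
    """Return (DOMAIN, user) from a CGI environment or raise NotAuthenticated."""
    auth_type = environ.get("AUTH_TYPE", "").strip().lower()
    if auth_type not in INTEGRATED_AUTH_TYPES:
        # Anonymous or Basic access: a supplied name proves nothing.
        raise NotAuthenticated("auth type %r is not integrated" % auth_type)

    raw = environ.get("LOGON_USER", "").strip()
    domain, sep, user = raw.rpartition("\\")
    if not sep:
        raise NotAuthenticated("LOGON_USER is empty or has no domain part")
    if not (NAME.fullmatch(domain) and NAME.fullmatch(user)):
        raise NotAuthenticated("malformed LOGON_USER")

    # Windows account names are case-insensitive, so normalise before comparing.
    domain, user = domain.upper(), user.lower()
    if domain not in {d.upper() for d in allowed_domains}:
        raise NotAuthenticated("domain %s is not allowed" % domain)
    return domain, user


if __name__ == "__main__":
    # Constructed sample environments, not captured from a real server.
    samples = [
        {"AUTH_TYPE": "NTLM", "LOGON_USER": "TVSTATION\\Carsten"},
        {"AUTH_TYPE": "", "LOGON_USER": ""},                      # anonymous access
        {"AUTH_TYPE": "NTLM", "LOGON_USER": "OTHER\\someone"},    # foreign domain
    ]
    for env in samples:
        try:
            print(identity_from_environ(env, ["TVSTATION"]))
        except NotAuthenticated as exc:
            print("rejected:", exc)
```

The variable is only as trustworthy as the path it arrives on: the check is meaningful when the script can be reached exclusively through IIS, not through a directly exposed backend port.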