[Zope3-Users] Re: NTLM credential plugin

Chris McDonough chrism at plope.com
Wed Sep 13 11:47:12 EDT 2006


The right thing to do here is probably to just use something like  
http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment  
variable passed by Apache... let somebody else worry about  
maintaining it. ;-)  One strategy for doing this is described at  
http://plone.org/documentation/how-to/singlesignonwindowsdomains/#step1 .

On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:

> Gary Poster wrote:
>> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>>> Simon Hang wrote:
>>>> Hi,
>>>>  I'm thinking of writing an NTLM credential plugin for zope3. But  
>>>> as I know, NTLM uses a 4-way handshake procedure, that means it  
>>>> needs two round-trips between server (zope3) and client (browser).
>>>>  When I look in the credential plugins, it has a challenge method.  
>>>> But it seems it is only designed for a 1 round-trip protocol. It can  
>>>> issue one challenge, and return to the parent script.
>>>
>>> I don't see how the PAU only allows one "round-trip".
>> AIUI (I just looked up NTLM last night out of curiosity: see  
>> http://www.innovation.ch/personal/ronald/ntlm.html), the problem  
>> is that the 4 way handshake has to happen *within a single  
>> connection*.
>
> Ack. Ok, I didn't know that. Frankly, I personally don't care much  
> about NTLM anyways...
>
>> Apparently MS abuses HTTP to perform this.  Implementing it in  
>> pluggable auth made me scratch my head a bit, so I didn't reply.   
>> You would need to slurp the request, then push back to the  
>> response, then slurp the same request again, then push back to the  
>> response, then slurp one more time, and finally reply with the  
>> real request.  Describing the problem to Benji, he mentioned WSGI-- 
>> that does seem like the only way I can imagine this working, and  
>> that would be tricky enough, especially if you needed to reach  
>> into Zope for the managed credentials.  Once the WSGI plugin did  
>> its magic, it would need to put something in the WSGI request that  
>> a pluggable auth plugin was willing to accept as authentication.
>> On the bright side, if you did this with WSGI you might be able to  
>> offer this as a generic Python WSGI NTLM tool that required only  
>> minimal integration with the back end app server.
>
> Yes, WSGI definitely sounds like a good place to put this then.  
> Perhaps the WSGI middleware could "fake" a client that uses a more  
> standard authentication system (e.g. Basic Auth) to the WSGI  
> application, that way it'd be transparent to the WSGI application.  
> Not sure if that's possible with NTLM, though.
>
> _______________________________________________
> Zope3-users mailing list
> Zope3-users at zope.org
> http://mail.zope.org/mailman/listinfo/zope3-users
>
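
The thread converges on two ideas: let the front-end server (Apache with an NTLM module) do the handshake and hand the application a REMOTE_USER, and bridge that identity to the application through WSGI middleware that presents it as something more standard such as Basic Auth. The code below is an added example written for this page, not code from the thread or from Zope; the middleware and application names are hypothetical, and the shared secret is a constructed placeholder. The security point it carries is that REMOTE_USER is a server-set CGI variable, whereas anything the browser sends arrives as an HTTP_* key, so the middleware must discard client-supplied Authorization and Remote-User headers before it vouches for anyone, and the application must accept the bridged credentials only when they carry the secret it shares with the middleware.

```python
import base64
import hmac

# Constructed placeholder. In a deployment this would come from configuration
# and be known only to the middleware and the wrapped application.
BRIDGE_SECRET = "example-shared-secret"


class RemoteUserToBasicAuth:
    """Hypothetical WSGI middleware: converts REMOTE_USER, as set by the
    front-end server after it completed the NTLM handshake, into a Basic
    Authorization header for an application that only understands Basic Auth."""

    def __init__(self, app, secret=BRIDGE_SECRET):
        self.app = app
        self.secret = secret

    def __call__(self, environ, start_response):
        # Browser-supplied data is untrusted. A client can send its own
        # Authorization header, and a header literally named Remote-User would
        # appear as HTTP_REMOTE_USER; neither must influence the decision.
        environ.pop("HTTP_AUTHORIZATION", None)
        environ.pop("HTTP_REMOTE_USER", None)
        # REMOTE_USER (no HTTP_ prefix) can only have been set by the server.
        user = environ.get("REMOTE_USER")
        if user:
            token = base64.b64encode(f"{user}:{self.secret}".encode()).decode()
            environ["HTTP_AUTHORIZATION"] = "Basic " + token
        return self.app(environ, start_response)


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def basic_auth_app(environ, start_response):
    """Stand-in for the application behind the middleware. It accepts the
    user only if the password is the bridge secret, i.e. the credentials were
    minted by the middleware and not typed or forged by a client."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds and hmac.compare_digest(creds[1].encode(), BRIDGE_SECRET.encode()):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"hello {creds[0]}".encode()]
    start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                        ("WWW-Authenticate", 'Basic realm="zope"')])
    return [b"unauthorized"]


def run(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def forged_basic_header(user, password):
    """Build the header a client would send if it tried to impersonate the bridge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    bridged = RemoteUserToBasicAuth(basic_auth_app)
    # Request as it would arrive after the front end authenticated the user.
    print(run(bridged, {"REMOTE_USER": "DOMAIN\\alice"}))
    # Client tries to smuggle its own credentials; the middleware strips them.
    print(run(bridged, {"HTTP_AUTHORIZATION": forged_basic_header("mallory", BRIDGE_SECRET)}))
    # Client sends a Remote-User header; it is HTTP_REMOTE_USER and is ignored.
    print(run(bridged, {"HTTP_REMOTE_USER": "mallory"}))
```

The last two calls in the usage section show why the wrapped application must only be reachable through the middleware: without it, a client that learned the secret could present the forged Basic header directly. Deploying the application so that the front end is the only route to it is what makes trusting REMOTE_USER sound.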