Hi!

On Mon, Dec 11, 2006 at 12:32:26AM -0800, Rachel Florentine wrote:

> Hi;
> What follows is kind of where the conversation dropped off last week. Could
> someone pick up the ball and give me a little direction?
> TIA,
> Rachel
Sorry for letting it drop after asking all those questions; I did not get near my lists mailbox in the meantime.

I will skip the LDAP vs. MySQL issue and concentrate on authentication. I understand that the user accounts will be used exclusively for the site, do not exist previously, and may reside wherever it is convenient. You reject passwords over encrypted connections. The involved components are

    User Agent ---- zope site ---- LDAP

the User Agent being a web browser. You do not want to restrict read access to the document as long as the accessor is authenticated. Correct so far?

If so, then there is a problem that I cannot solve: the challenge-response authentication mechanism between User Agent and LDAP must exchange messages, and the web site in the middle must forward them back and forth, including protocol conversion between whatever the User Agent implements (HTTP digest authentication?) and the SASL library in the LDAP. I would guess that there is no ready solution for this, but I admit that I know little of web site programming and the libraries that might be available there.

Most likely, what you can have is either:

    User Agent --- login,password --- zope site --- c/r --- LDAP

i.e. password authentication against the site, which in turn uses the password to initiate a SASL bind against the LDAP, or:

    User Agent --- c/r --- zope site --- secret lookup --- LDAP

i.e. c/r authentication against the site, which fetches the necessary secret information from the LDAP. In the latter case the site would use a single LDAP account to fetch each secret and access the documents. The first approach is very probably easier to implement.

Oh, and do you need to create the accounts through the site, or is an offline tool acceptable? One cannot, to my knowledge, create the secrets for file-based SASL c/r authentication through the LDAP.
Sincerely,
Ralph Rößner
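The second layout Ralph sketches (challenge/response between browser and site, with the site fetching only the per-user secret from the directory) can be illustrated with HTTP Digest (RFC 2617). The following is an added example, not code from the thread; the realm name, the sample account and the dict standing in for the LDAP lookup are constructed.

```python
"""HTTP Digest c/r between User Agent and site; the site fetches HA1 from a directory.

With Digest the site never sees the password, and the directory only has to hold
HA1 = MD5(user:realm:password), which is the "secret lookup" in the mail's diagram.
"""
import hashlib
import hmac
import secrets

REALM = "zope-site"  # assumed realm name (constructed)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is the only per-user secret the site needs to fetch or store."""
    return _md5(f"{user}:{realm}:{password}")


# Constructed stand-in for the LDAP directory: account -> HA1 (hypothetical data).
DIRECTORY = {"rachel": digest_ha1("rachel", REALM, "correct horse")}


def server_challenge() -> dict:
    """Site side: fresh nonce per challenge so a captured response cannot be replayed."""
    return {"realm": REALM, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_response(user, password, method, uri, chal, nc="00000001", cnonce="abc123"):
    """Browser side: derive HA1 locally and answer the challenge; the password stays put."""
    ha1 = digest_ha1(user, chal["realm"], password)
    ha2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:{chal['qop']}:{ha2}")
    return {"username": user, "uri": uri, "nonce": chal["nonce"], "nc": nc,
            "cnonce": cnonce, "qop": chal["qop"], "response": resp}


def site_verify(method: str, resp: dict, chal: dict) -> bool:
    """Site side: check the nonce we issued, fetch HA1 for the user, recompute, compare."""
    if resp.get("nonce") != chal["nonce"]:
        return False  # stale or foreign nonce
    ha1 = DIRECTORY.get(resp.get("username"))  # the LDAP "secret lookup"
    if ha1 is None:
        return False  # unknown account
    ha2 = _md5(f"{method}:{resp['uri']}")
    expected = _md5(f"{ha1}:{chal['nonce']}:{resp['nc']}:{resp['cnonce']}:{resp['qop']}:{ha2}")
    return hmac.compare_digest(expected, resp["response"])
```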
