[Zope] Re: problems with NTUserFolder.

"Jay, Dylan" wrote:
>
> I'm a little confused over this.
> From your previous mail I understood that jcNTUserFolder was to be used only
> behind IIS. It interpreted the REMOTE_USER var passed in after
> challenge/response authentication by IIS and made this into a Zope user.
> Now you're talking about jcForceAuth and saying that users log in using basic
> authentication with their NT username and password??
>
> Under what circumstances can you use challenge/response vs basic
> authentication?

My apologies for taking so long to respond. Our mail server had some problems...

Well, Zope can do both authentication methods (but not at the same time!): 'standard' basic authentication mode or 'remote user' authentication mode. It depends on the content of the access file. This is documented somewhere in the Zope documentation.

In basic authentication mode, the browser gives Zope the username and the password, and asks if it is correct. If Zope says 'no', the browser asks again until the user gives the right username/password pair. Zope can only do the BASIC authentication.

In remote user authentication mode, the web server on top of Zope (Apache or IIS, or whatever) *does* the authentication (it checks the username/password). Once the user is authenticated, the web server passes Zope the REMOTE_USER variable, which is the username of the authenticated user.

My product is compatible with the two schemes. However, Zope is unable to do challenge/response authentication, so you have to put it under a web server that is capable of doing such authentication (i.e., IIS). If you use my product with vanilla Zope, your users can still authenticate by using their NT username/password. The difference is:
- behind IIS, Zope *always* gets the user info, and they are not aware of it.
- vanilla Zope does not bring up the authentication dialog if content is anonymous, so your users can still browse the site while being anonymous.
This is where my jcForceAuth product comes in, because it asks the users to authenticate even if they view anonymous content.

Hope it's clear now.

jephte clain
[EMAIL PROTECTED]

ps: I don't speak/write English very well. So if the above is still unclear, perhaps someone on the list can better explain.

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
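
Added example, not part of the original messages and not code from Zope, jcNTUserFolder or jcForceAuth: a Python sketch of the two modes described in the message above, working on a CGI-style environ dictionary. The USERS table, the identify function and the force_auth flag are assumptions made for illustration; note that the Basic header is only base64-encoded, so the password is readable by anyone who sees the request.

```python
import base64
import hmac

# Constructed sample account store; a real deployment would ask the NT domain.
USERS = {"dylan": "s3cret"}

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Plain base64 decoding recovers the password: no key is involved.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def identify(environ, mode, force_auth=False):
    """Return (http_status, username) for one request.

    mode="remote_user": the front-end web server has already authenticated
    the user and set REMOTE_USER; the application never sees a password.
    mode="basic": the application checks the username/password itself.
    force_auth (hypothetical flag) challenges even for anonymous content,
    which is the behaviour the message attributes to jcForceAuth.
    """
    if mode == "remote_user":
        user = environ.get("REMOTE_USER")
        # No front-end authentication means no identity to map to a user.
        return (200, user) if user else (401, None)
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        # Basic mode lets anonymous visitors through unless forced.
        return (401, None) if force_auth else (200, "Anonymous")
    user, password = creds
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(
            password.encode(), expected.encode()):
        return (200, user)
    return (401, None)  # the browser re-prompts until the pair is right

if __name__ == "__main__":
    token = base64.b64encode(b"dylan:s3cret").decode()  # constructed header
    print(identify({"HTTP_AUTHORIZATION": "Basic " + token}, "basic"))
    print(identify({"REMOTE_USER": "DEPT\\dylan"}, "remote_user"))
```

In remote-user mode the application trusts whatever sets REMOTE_USER, so the application port must be reachable only through the authenticating front-end server.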
[Zope] RE: problems with NTUserFolder.

I'm a little confused over this.
From your previous mail I understood that jcNTUserFolder was to be used only behind IIS. It interpreted the REMOTE_USER var passed in after challenge/response authentication by IIS and made this into a Zope user. Now you're talking about jcForceAuth and saying that users log in using basic authentication with their NT username and password??

Under what circumstances can you use challenge/response vs basic authentication?

> -----Original Message-----
> From: CLAIN Jephte [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 27, 2000 12:19 AM
> To: Jay, Dylan
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: problems with NTUserFolder.
>
>
> "Jay, Dylan" wrote:
> > I see how it works now. I installed jcNTUserFolder but couldn't get it to
> > work. I thought it did the challenge response stuff for me. I didn't realize
> > it had to go behind IIS. I'll give it a try.
> The challenge/response protocol authentication, as far as I know, is
> specific to Microsoft. That's why you have to use IIS for example to do
> the authentication for you.
> I don't know of any other browsers / ftp clients / mail clients that can
> perform that kind of authentication, besides those from Microsoft (IE,
> Outlook, ...)
>
> You may also have a look at
> http://www.zope.org/Members/jephte/jcForceAuth for a way to force users
> to authenticate. They have to identify themselves to browse the site,
> but at least they can use their own NT account/password. Be warned
> though: passwords are sent unencrypted over the wire with basic
> authentication.
>
> regards,
> jephte clain
> [EMAIL PROTECTED]
Re: [Zope] Re: problems with NTUserFolder.

On Fri, May 26, 2000 at 06:19:22PM +0400, CLAIN Jephte wrote:
> I don't know of any other browsers / ftp clients / mail clients that can
> perform that kind of authentication, besides those from Microsoft (IE,
> Outlook, ...)

Fetchmail can do NTLM challenge/response, and is OSS. Someone may want to look into that to see if it can be ported to, for example, Zope. I imagine that NTLM over HTTP is pretty much the same as NTLM over IMAP. All you need is a protocol analyser to find out.

Fetchmail homepage: http://www.tuxedo.org/~esr/fetchmail/

--
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
| The Open Source Web Application Server
[Zope] Re: problems with NTUserFolder.

"Jay, Dylan" wrote:
> I see how it works now. I installed jcNTUserFolder but couldn't get it to
> work. I thought it did the challenge response stuff for me. I didn't realize
> it had to go behind IIS. I'll give it a try.

The challenge/response protocol authentication, as far as I know, is specific to Microsoft. That's why you have to use IIS for example to do the authentication for you.
I don't know of any other browsers / ftp clients / mail clients that can perform that kind of authentication, besides those from Microsoft (IE, Outlook, ...)

You may also have a look at http://www.zope.org/Members/jephte/jcForceAuth for a way to force users to authenticate. They have to identify themselves to browse the site, but at least they can use their own NT account/password. Be warned though: passwords are sent unencrypted over the wire with basic authentication.

regards,
jephte clain
[EMAIL PROTECTED]
[Zope] RE: problems with NTUserFolder.

I see how it works now. I installed jcNTUserFolder but couldn't get it to work. I thought it did the challenge response stuff for me. I didn't realize it had to go behind IIS. I'll give it a try.

> -----Original Message-----
> From: Jephte CLAIN [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 8:14 PM
> To: Jay, Dylan
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: problems with NTUserFolder.
>
>
> "Jay, Dylan" wrote:
> >
> > I can't seem to get your product to work the way I want. I'll tell you what
> > I'm after and perhaps you can tell me where I'm going wrong or if indeed
> > your product can do it at all.
> >
> > I have a group of users who are all part of the same domain as I am on. It's
> > the department domain. I want to have these people recognized by my website
> > seamlessly. I know this can be done with NT challenge response if you are
> > using IE as your client. I want to do this in Zope such that users who enter
> > the site are automatically authenticated and appropriate permissions for them
> > set. These would be Zope permissions set inside Zope, nothing to do with NT
> > permissions.
> >
> > How do I do this?
> Well, I wrote jcNTUserFolder to do exactly this :-)
>
> you may have a look at
> http://www.zope.org/Members/jephte/HOWTO/IIS_and_Zope_in_REMOTE_USER_mode
>
> a few comments:
> - you have to install the jcNTUserFolder *before* you put Zope in REMOTE
>   user mode.
> - Zope in its current form can't handle REMOTE user authentication mode
>   together with standard authentication mode. When you install Zope as a
>   pcgi process to get through IIS, it is the *only* way to be authenticated
>   and get, for example, to the management screens. When you install
>   jcNTUserFolder as the root user folder, you have to choose the NT user
>   that will be mapped to the super user. The first time, you have to log in
>   with that user. Note that this 'super user' needn't be a privileged one
>   under NT.
>
> regards,
> jephte clain
> [EMAIL PROTECTED]
[Zope] Re: problems with NTUserFolder.

"Jay, Dylan" wrote:
>
> I can't seem to get your product to work the way I want. I'll tell you what
> I'm after and perhaps you can tell me where I'm going wrong or if indeed
> your product can do it at all.
>
> I have a group of users who are all part of the same domain as I am on. It's
> the department domain. I want to have these people recognized by my website
> seamlessly. I know this can be done with NT challenge response if you are
> using IE as your client. I want to do this in Zope such that users who enter
> the site are automatically authenticated and appropriate permissions for them
> set. These would be Zope permissions set inside Zope, nothing to do with NT
> permissions.
>
> How do I do this?

Well, I wrote jcNTUserFolder to do exactly this :-)

you may have a look at
http://www.zope.org/Members/jephte/HOWTO/IIS_and_Zope_in_REMOTE_USER_mode

a few comments:
- you have to install the jcNTUserFolder *before* you put Zope in REMOTE user mode.
- Zope in its current form can't handle REMOTE user authentication mode together with standard authentication mode. When you install Zope as a pcgi process to get through IIS, it is the *only* way to be authenticated and get, for example, to the management screens. When you install jcNTUserFolder as the root user folder, you have to choose the NT user that will be mapped to the super user. The first time, you have to log in with that user. Note that this 'super user' needn't be a privileged one under NT.

regards,
jephte clain
[EMAIL PROTECTED]