Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-19 Thread Simon Hang
Good news. I believe I found a way to do the NTLM 4-way handshake with
zope3 and using PAU's plugin. But I need to modify zope3's http server
a little bit, to let zope3 support HTTP/1.1 persistent connections.

Currently I can
1. send NTLM challenge
2. receive NTLM type-1 message
3. send NTLM type-2 message
4. receive NTLM type-3 message.

The only thing left to do is decode the type-3 message.

My concern is I need to modify zope3's http server, although only to add
several lines. Is there anybody who can validate my modification and
implement the change in the proper zope3 way?

Currently I modified zope.server.http.httptask.HTTPTask, method
prepareResponseHeaders(), to let this function also check
accumulated_headers before deciding to close the connection. Sorry, I
left the modified code on my other PC, can't post the details.

Anybody can help?

Thanks,
Simon

On 9/15/06, Simon Hang [EMAIL PROTECTED] wrote:
Hi,

Why can zope3 not maintain active connections? Is this because
zope3 is using an asynchronous socket (asyncore.py) to serve the request?
Errr... why is zope3 doing this? Won't this method cause overhead?

Sorry for lots of questions, but I don't understand.

Thanks,
Simon
On 9/13/06, Gary Poster [EMAIL PROTECTED] wrote:
On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
Simon Hang wrote:
Hi,
I'm thinking to write an NTLM credential plugin for zope3. But as I know, NTLM uses a 4-way handshake procedure, which means it needs two round-trips between server (zope3) and client (browser).
When I look in the credential plugins, it has a challenge method. But it seems it is only designed for a 1 round-trip protocol. It can issue one challenge, and return to the parent script.

I don't see how the PAU only allows one round-trip.

AIUI (I just looked up NTLM last night out of curiosity: see http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that the 4 way handshake has to happen *within a single connection*. Apparently MS abuses HTTP to perform this. Implementing it in pluggable auth made me scratch my head a bit, so I didn't reply. You would need to slurp the request, then push back to the response, then slurp the same request again, then push back to the response, then slurp one more time, and finally reply with the real request. Describing the problem to Benji, he mentioned WSGI--that does seem like the only way I can imagine this working, and that would be tricky enough, especially if you needed to reach into Zope for the managed credentials. Once the WSGI plugin did its magic, it would need to put something in the WSGI request that a pluggable auth plugin was willing to accept as authentication.

On the bright side, if you did this with WSGI you might be able to offer this as a generic Python WSGI NTLM tool that required only minimal integration with the back end app server.

I'm glad I'm not tasked with this. :-D It sounds interesting, though. Also, maybe I misunderstand: read the link if you want to come up with your own interpretation.

Gary
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users



___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-14 Thread Chris Withers

Gary Poster wrote:
http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that 
the 4 way handshake has to happen *within a single connection*.  
Apparently MS abuses HTTP to perform this.


Hmmm, I'm not sure this is true. One project I work on has 10,000+ users 
a day authenticating via NTLM and I'm not convinced we maintain an http 
connection for the whole dance.


Where you will run into problems is if you have a high volume of users. 
The DCs can be slow to respond and so you end up with lots of app server 
threads tied up waiting for them. Since Zope has a limited number of 
threads, this is an issue. Someone on the project is currently building 
a mod_python thingy to do this auth and bounce back with a cookie that 
Zope then trusts since Apache can spawn off new threads at will...


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-14 Thread Chris Withers

Chris McDonough wrote:
The right thing to do here is probably to just use something like 
http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment 
variable passed by Apache... let somebody else worry about maintaining 
it. ;-)  


'cept it don't work ;-)

(well, not in the aforementioned 10,000+ user project I mentioned before)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Philipp von Weitershausen

Martijn Pieters wrote:
On 9/13/06, Simon Hang 
[EMAIL PROTECTED] wrote:

I'm thinking to write an NTLM credential plugin for zope3. But as I know,
NTLM uses a 4-way handshake procedure, which means it needs two round-trips
between server (zope3) and client (browser).


Have you looked at Zope Corp's zc.winauth package?

http://svn.zope.org/zc.winauth/trunk/src/zc/winauth/


That's an authenticator plug-in to talk to the Windows directory 
service, so that users can log into Zope using their Windows logins.




Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Martijn Pieters

On 9/13/06, Philipp von Weitershausen [EMAIL PROTECTED] wrote:

That's an authenticator plug-in to talk to the Windows directory
service, so that users can log into Zope using their Windows logins.


Which tells you how much *I* looked at it. ;) The original thread
announcing zc.winauth mentioned NTLM somewhere (as in 'Firefox does
NTLM too'), hence my misunderstanding. Mea Culpa!

--
Martijn Pieters


[Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Philipp von Weitershausen

Simon Hang wrote:

Hi,
 
I'm thinking to write an NTLM credential plugin for zope3. But as I know,
NTLM uses a 4-way handshake procedure, which means it needs two round-trips
between server (zope3) and client (browser).

When I look in the credential plugins, it has a challenge method. But it
seems it is only designed for a 1 round-trip protocol. It can issue one
challenge, and return to the parent script.


I don't see how the PAU only allows one round-trip. The PAU will use 
the credentials-plugin to challenge the user when an Unauthorized 
exception occurs.


1. The first time your challenge method is called, you set the 
WWW-Authenticate: NTLM header (like the HTTP Basic Auth plug-in sets the 
WWW-Authenticate: Basic header).


2. Then the client sends the type 1 message which you extract in 
extractCredentials and raise Unauthorized *again*.


3. That means your challenge method is called *again*. That time you'll
set the WWW-Authenticate header with the type 2 message.


4. Then the client sends the type 3 message back which you'll extract in 
extractCredentials.


Philipp

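As an added illustration of the four steps above, and of the type-3 decoding Simon's later message says is still to be done, here is example code that is not from the thread, from Zope or from any NTLM library: a minimal per-connection state machine over the message layout described in the innovation.ch write-up linked in this thread. It only decodes the identity fields (domain, user, workstation); verifying the LM/NT response against a domain controller is assumed to happen elsewhere, and the PAU plugin interface itself is not modelled.

```python
import base64, os, struct
NTLMSSP = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # string fields are UTF-16LE when set, OEM/ASCII otherwise

def _secbuf(msg, at):
    # "Security buffer": uint16 length, uint16 allocated, uint32 offset (little-endian).
    length, _alloc, start = struct.unpack_from("<HHI", msg, at)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def message_type(msg):
    if len(msg) < 12 or msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]

def auth_header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def build_type2(challenge, flags):
    # Minimal 32-byte type-2: signature, type, empty target name, flags, 8-byte server challenge.
    return NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 32) + struct.pack("<I", flags) + challenge

def parse_type3(msg, negotiated_flags=0):
    # Identity fields only; the LM/NT responses (offsets 12 and 20) are for the DC to verify.
    if message_type(msg) != 3:
        raise ValueError("expected a type-3 message")
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else negotiated_flags
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
    return {k: _secbuf(msg, at).decode(enc) for k, at in (("domain", 28), ("user", 36), ("workstation", 44))}

def handle_authorization(header, state):
    # One call per request. `state` is per-connection, which is why keep-alive matters.
    if not header or not header.startswith("NTLM "):
        return "challenge", "NTLM"                      # step 1: bare WWW-Authenticate: NTLM
    msg = base64.b64decode(header[5:])
    kind = message_type(msg)
    if kind == 1:                                       # steps 2-3: type-1 in, type-2 challenge out
        state["flags"], state["challenge"] = struct.unpack_from("<I", msg, 12)[0], os.urandom(8)
        return "challenge", auth_header(build_type2(state["challenge"], state["flags"] & FLAG_UNICODE))
    if kind == 3 and "challenge" in state:              # step 4: type-3 in, identity out
        return "credentials", dict(parse_type3(msg, state["flags"]), challenge=state.pop("challenge"))
    return "challenge", "NTLM"                          # out-of-order message: restart the dance

def sample_type3(domain, user, workstation):
    # Constructed test input: Unicode strings, empty LM/NT responses and session key.
    fields = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    offsets = [64 + sum(map(len, fields[:i])) for i in range(len(fields))]
    header = b"".join(struct.pack("<HHI", len(f), len(f), o) for f, o in zip(fields, offsets))
    return NTLMSSP + struct.pack("<I", 3) + header + struct.pack("<I", FLAG_UNICODE) + b"".join(fields)
```

A type-3 that arrives on a connection with no stored challenge is answered with a fresh `NTLM` challenge rather than accepted, which is the case a server that does not keep the connection open would hit on every request.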


Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Gary Poster


On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:


Simon Hang wrote:

Hi,
 I'm thinking to write an NTLM credential plugin for zope3. But as
I know, NTLM uses a 4-way handshake procedure, which means it needs
two round-trips between server (zope3) and client (browser).
 When I look in the credential plugins, it has a challenge method.
But it seems it is only designed for a 1 round-trip protocol. It can
issue one challenge, and return to the parent script.


I don't see how the PAU only allows one round-trip.


AIUI (I just looked up NTLM last night out of curiosity: see
http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that the
4 way handshake has to happen *within a single connection*.   
Apparently MS abuses HTTP to perform this.  Implementing it in  
pluggable auth made me scratch my head a bit, so I didn't reply.  You  
would need to slurp the request, then push back to the response, then  
slurp the same request again, then push back to the response, then  
slurp one more time, and finally reply with the real request.   
Describing the problem to Benji, he mentioned WSGI--that does seem  
like the only way I can imagine this working, and that would be  
tricky enough, especially if you needed to reach into Zope for the  
managed credentials.  Once the WSGI plugin did its magic, it would  
need to put something in the WSGI request that a pluggable auth  
plugin was willing to accept as authentication.


On the bright side, if you did this with WSGI you might be able to  
offer this as a generic Python WSGI NTLM tool that required only  
minimal integration with the back end app server.


I'm glad I'm not tasked with this. :-D  It sounds interesting,  
though.  Also, maybe I misunderstand: read the link if you want to  
come up with your own interpretation.


Gary


Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Philipp von Weitershausen

Gary Poster wrote:


On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:


Simon Hang wrote:

Hi,
 I'm thinking to write an NTLM credential plugin for zope3. But as I
know, NTLM uses a 4-way handshake procedure, which means it needs two
round-trips between server (zope3) and client (browser).
 When I look in the credential plugins, it has a challenge method. But
it seems it is only designed for a 1 round-trip protocol. It can issue one
challenge, and return to the parent script.


I don't see how the PAU only allows one round-trip.


AIUI (I just looked up NTLM last night out of curiosity: see 
http://www.innovation.ch/personal/ronald/ntlm.html), the problem is that 
the 4 way handshake has to happen *within a single connection*.


Ack. Ok, I didn't know that. Frankly, I personally don't care much about 
NTLM anyways...


Apparently MS abuses HTTP to perform this.  Implementing it in pluggable 
auth made me scratch my head a bit, so I didn't reply.  You would need 
to slurp the request, then push back to the response, then slurp the 
same request again, then push back to the response, then slurp one more 
time, and finally reply with the real request.  Describing the problem 
to Benji, he mentioned WSGI--that does seem like the only way I can 
imagine this working, and that would be tricky enough, especially if you 
needed to reach into Zope for the managed credentials.  Once the WSGI 
plugin did its magic, it would need to put something in the WSGI request 
that a pluggable auth plugin was willing to accept as authentication.


On the bright side, if you did this with WSGI you might be able to offer 
this as a generic Python WSGI NTLM tool that required only minimal 
integration with the back end app server.


Yes, WSGI definitely sounds like a good place to put this then. Perhaps 
the WSGI middleware could fake a client that uses a more standard 
authentication system (e.g. Basic Auth) to the WSGI application, that 
way it'd be transparent to the WSGI application. Not sure if that's 
possible with NTLM, though.




Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Chris McDonough
The right thing to do here is probably to just use something like  
http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment  
variable passed by Apache... let somebody else worry about  
maintaining it. ;-)  One strategy for doing this is described at  
http://plone.org/documentation/how-to/singlesignonwindowsdomains/#step1 .


On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:


Gary Poster wrote:

On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:

Simon Hang wrote:

Hi,
 I'm thinking to write an NTLM credential plugin for zope3. But
as I know, NTLM uses a 4-way handshake procedure, which means it
needs two round-trips between server (zope3) and client (browser).
 When I look in the credential plugins, it has a challenge method.
But it seems it is only designed for a 1 round-trip protocol. It can
issue one challenge, and return to the parent script.


I don't see how the PAU only allows one round-trip.
AIUI (I just looked up NTLM last night out of curiosity: see  
http://www.innovation.ch/personal/ronald/ntlm.html), the problem  
is that the 4 way handshake has to happen *within a single  
connection*.


Ack. Ok, I didn't know that. Frankly, I personally don't care much  
about NTLM anyways...


Apparently MS abuses HTTP to perform this.  Implementing it in  
pluggable auth made me scratch my head a bit, so I didn't reply.   
You would need to slurp the request, then push back to the  
response, then slurp the same request again, then push back to the  
response, then slurp one more time, and finally reply with the  
real request.  Describing the problem to Benji, he mentioned WSGI-- 
that does seem like the only way I can imagine this working, and  
that would be tricky enough, especially if you needed to reach  
into Zope for the managed credentials.  Once the WSGI plugin did  
its magic, it would need to put something in the WSGI request that  
a pluggable auth plugin was willing to accept as authentication.
On the bright side, if you did this with WSGI you might be able to  
offer this as a generic Python WSGI NTLM tool that required only  
minimal integration with the back end app server.


Yes, WSGI definitely sounds like a good place to put this then.  
Perhaps the WSGI middleware could fake a client that uses a more  
standard authentication system (e.g. Basic Auth) to the WSGI  
application, that way it'd be transparent to the WSGI application.  
Not sure if that's possible with NTLM, though.







Re: [Zope3-Users] Re: NTLM credential plugin

2006-09-13 Thread Gary Poster


On Sep 13, 2006, at 11:47 AM, Chris McDonough wrote:

The right thing to do here is probably to just use something like  
http://modntlm.sourceforge.net/ and trust the REMOTE_USER  
environment variable passed by Apache... let somebody else worry  
about maintaining it. ;-)  One strategy for doing this is described  
at http://plone.org/documentation/how-to/singlesignonwindowsdomains/#step1 .


+1!  Good to file away.