Re: [Zope] LoginManager and SSL client authentication
On Fri, 15 Dec 2000, Mayers, Philip J wrote:

> We've got a bespoke application for storing our (very large) user account
> database here. One field a user can have is a crypted unix password (which
> I'm currently using to authenticate users). The other thing that can exist
> is the Subject or SubjectAltName of an SSL certificate suitable for client
> web authentication.
>
> Apache will validate the certificate for me (by passing a valid CA cert to
> its configuration) and I'm running over PCGI, so by the time we get into
> Zope, we can "TRUST" the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN values passed
> in. What's the next step?

What might possibly help you:

* Look into mod_ssl's FakeBasicAuth feature
* Look at those How-Tos:
  http://www.zope.org/Members/unfo/apache_zserver_ssl
  http://www.zope.org/Members/Roug/certificate_mapping

Regards,
Stefan

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] LoginManager and SSL client authentication
On Fri, Dec 15, 2000 at 11:42:23AM -, Mayers, Philip J wrote:

> How would I go about making LoginManager authenticate them on the basis of
> the certificate subject?
>
> Apache will validate the certificate for me (by passing a valid CA cert to
> its configuration) and I'm running over PCGI, so by the time we get into
> Zope, we can "TRUST" the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN values passed
> in. What's the next step?

ZServerSSL did this with Zope in "remote user" mode. Upon successful client
cert verification, ZServerSSL maps the subject DN to a Zope username and sets
REMOTE_USER accordingly. Zope's REMOTE_USER machinery took care of the rest.

This was on 2.1.x. I've not had time to test ZServerSSL with 2.2.x.

ZServerSSL is here: http://www.post1.com/home/ngps/zope/zssl

Cheers.

--
Ng Pheng Siong [EMAIL PROTECTED] * http://www.post1.com/home/ngps
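
An added sketch of the subject-DN-to-REMOTE_USER mapping described in the reply above; it is not ZServerSSL's or LoginManager's code. It assumes mod_ssl's slash-separated DN strings and its SSL_CLIENT_VERIFY variable; the function names, the account table, the issuer and every DN are constructed for illustration.

```python
# Added example: map mod_ssl's client-certificate variables to a username.
# TRUSTED_ISSUER, ACCOUNTS and all DNs below are constructed sample data.

TRUSTED_ISSUER = "/C=GB/O=Example Org/CN=Example Client CA"
ACCOUNTS = {  # subject DN stored on the account record -> username
    "/C=GB/O=Example Org/CN=Alice Example/emailAddress=alice@example.org": "alice",
}

def parse_dn(dn):
    """Split a slash-separated DN into ordered (type, value) pairs.
    Returns None for anything that does not parse cleanly."""
    if not dn or not dn.startswith("/"):
        return None
    pairs = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            return None  # e.g. a '/' inside a value: refuse rather than guess
        pairs.append((attr.upper(), value.strip()))
    return tuple(pairs)

def remote_user(environ):
    """Return the username to use as REMOTE_USER, or None to deny."""
    # Trust the DN variables only when the front end reports full verification.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = parse_dn(environ.get("SSL_CLIENT_I_DN"))
    subject = parse_dn(environ.get("SSL_CLIENT_S_DN"))
    if issuer is None or subject is None:
        return None
    # Pin the issuer: the same subject from another CA is a different identity.
    if issuer != parse_dn(TRUSTED_ISSUER):
        return None
    # Match the whole subject DN, not just the CN, against the stored value.
    for stored, username in ACCOUNTS.items():
        if parse_dn(stored) == subject:
            return username
    return None
```

The variables are only as trustworthy as the hop that sets them, so the Zope side should accept them solely from the Apache front end and not from any listener clients can reach directly.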