I've been playing around with trying to enable SSL client certificate authentication for Zenoss. The trivial case is to front-end Zope/Zenoss with Apache + mod_ssl and require valid client certificates for access to the Zenoss site. However, I want fine-grained controls over what privileges users have, and handling user access in Apache does not expose roles, etc. from Zenoss.
The other option that I have been playing with is using Zope + M2Crypto with ZServerSSL for secure Zope and using the RemoteUserFolder for handling SSL client certificate authentication. This has the benefit of bringing the access controls closer to the Zenoss application. However, this seems to require quite a bit of mucking with the code of ZenModel/UserSettings.py to get things to function correctly. Unfortunately I haven't figured out a way to have PAS and RemoteUserFolder coexist, and the current Zenoss code makes assumptions that you are using PAS + PAS plugins for authentication.
I WAS successful in getting SSL client certificates + Apache + mod_ssl + mod_proxy + mod_rewrite + ZServerSSL + Zenoss + RemoteUserFolder to work correctly. I'm just worried about having to maintain the modifications to the Zenoss code on every new Zenoss release.
Should it be easy/possible to write a custom PAS plugin that handles SSL client certificate authentication and automatic creation of user accounts? Has anyone else tried SSL client certificate authentication to the degree I have? Am I crazy?!
Read this topic online here: http://community.zenoss.com/forums/viewtopic.php?p=12319#12319
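The post above asks about a plugin that authenticates from the client certificate and creates accounts automatically. The following is an added plain-Python sketch of that logic, not part of the original post and not Zenoss or PAS code; it keeps credential extraction separate from authentication, as PAS does. The header names, `TRUSTED_PROXIES`, `DEFAULT_ROLES` and both function names are assumptions, and the front-end proxy is assumed to copy mod_ssl's `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` into those headers after stripping any client-supplied copies.

```python
# Added sketch: plain Python, not the Zope/PAS API and not Zenoss code.
# Header names, TRUSTED_PROXIES, DEFAULT_ROLES and function names are assumptions.
import re

TRUSTED_PROXIES = {"127.0.0.1"}   # address of the Apache front end (constructed)
DEFAULT_ROLES = ("ZenUser",)      # assumed least-privilege role for new accounts
VALID_LOGIN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def extract_credentials(remote_addr, headers):
    """Return {'login': ...} for a proxy-verified client certificate, else None."""
    # The headers are only trustworthy when the request came from the proxy,
    # which must itself strip client-supplied copies of these headers.
    if remote_addr not in TRUSTED_PROXIES:
        return None
    # mod_ssl reports SSL_CLIENT_VERIFY as NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only SUCCESS means the chain validated against the configured CA.
    if headers.get("X-SSL-Client-Verify") != "SUCCESS":
        return None
    login = headers.get("X-SSL-Client-CN", "").strip()
    # Reject empty or odd subject names before they become account ids.
    if not VALID_LOGIN.fullmatch(login):
        return None
    return {"login": login}


def authenticate(credentials, user_db):
    """Map credentials to (user_id, roles), creating the account on first sight."""
    if not credentials:
        return None
    login = credentials["login"]
    # Automatic account creation: a new user gets only DEFAULT_ROLES, while an
    # existing user keeps the roles already assigned inside the application.
    roles = user_db.setdefault(login, DEFAULT_ROLES)
    return login, tuple(roles)


if __name__ == "__main__":
    users = {"admin": ("Manager",)}  # constructed user store
    request = {"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-CN": "alice"}
    print(authenticate(extract_credentials("127.0.0.1", request), users))
```

Because roles are looked up in the application's own user store, certificate validation stays in Apache while privilege decisions stay inside the application.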
