Thanks Chris,
 
But REMOTE_USER environment variable is only available in CGI mode. It's okay for zope3, but no working for zope3.
 
I know there is a way to do similar things: use apache 2.0.x and mod_auth_sspi and pass the information either use http head or part of URL. But it's a not very nice solution. That's why I started to look an alternative solution. But it seems impossible to implement in zope3 use auth-plugin.
 
Maybe it's time to stop thinging about this. :(
 
Simon
 
On 9/14/06, Chris McDonough <[EMAIL PROTECTED]> wrote:
The right thing to do here is probably to just use something like
http://modntlm.sourceforge.net/ and trust the REMOTE_USER environment
variable passed by Apache... let somebody else worry about
maintaining it. ;-)  One strategy for doing this is described at
http://plone.org/documentation/how-to/singlesignonwindowsdomains/
#step1 .

On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:

> Gary Poster wrote:
>> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>>> Simon Hang wrote:
>>>> Hi,
>>>>  I'm thinging to write a NTLM credential plugin for zope3. But
>>>> as I know, ntlm use 4-way handshake procedure, that means it
>>>> needs two round-trips between server(zope3) and client(browser).
>>>>  When I look in the credential plugins, it has challenge mothed.
>>>> But seems it is only design for 1 round-trip protocol. It can
>>>> issue one challenge, and return to parent script.
>>>
>>> I don't see how the PAU only allows one "round-trip".
>> AIUI (I just looked up NTLM last night out of curiosity: see
>> http://www.innovation.ch/personal/ronald/ntlm.html), the problem
>> is that the 4 way handshake has to happen *within a single
>> connection*.
>
> Ack. Ok, I didn't know that. Frankly, I personally don't care much
> about NTLM anyways...
>
>> Apparently MS abuses HTTP to perform this.  Implementing it in
>> pluggable auth made me scratch my head a bit, so I didn't reply.
>> You would need to slurp the request, then push back to the
>> response, then slurp the same request again, then push back to the
>> response, then slurp one more time, and finally reply with the
>> real request.  Describing the problem to Benji, he mentioned WSGI--
>> that does seem like the only way I can imagine this working, and
>> that would be tricky enough, especially if you needed to reach
>> into Zope for the managed credentials.  Once the WSGI plugin did
>> its magic, it would need to put something in the WSGI request that
>> a pluggable auth plugin was willing to accept as authentication.
>> On the bright side, if you did this with WSGI you might be able to
>> offer this as a generic Python WSGI NTLM tool that required only
>> minimal integration with the back end app server.
>
> Yes, WSGI definitely sounds like a good place to put this then.
> Perhaps the WSGI middleware could "fake" a client that uses a more
> standard authentication system (e.g. Basic Auth) to the WSGI
> application, that way it'd be transparent to the WSGI application.
> Not sure if that's possible with NTLM, though.
>
> _______________________________________________
> Zope3-users mailing list
> Zope3-users@zope.org
> http://mail.zope.org/mailman/listinfo/zope3-users
>

_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Reply via email to