ZServerSSL X509_REMOTE_USER
Zope is commonly run behind another HTTP server, e.g., Apache or IIS.
Zope's standard authentication mechanism is HTTP Basic Authentication.
Quoting Zope 2's doc/WEBSERVER.txt, "Sometimes you may prefer to handle
authentication outside Zope, for example if your web server already does
complex authorization [...]" This is done via CGI's REMOTE_USER request
meta-variable: the web server authenticates the client, sets REMOTE_USER
appropriately, and Zope uses that value to handle permissions for those
authenticated users.
Dylan Jay extracted Zope's REMOTE_USER code to create
RemoteUserFolder.
As Dylan describes, "An example of how this might be useful is the use of IIS
internal windows authentication. IIS can be set to handle authentication of
users against their current windows domain login, thus not requiring any
further login to the website. With RemoteUserFolder installed, any user
with a domain login will automatically be a Zope authenticated user. In
addition, with RemoteUserFolder it is possible to set a default set of roles
for any user of a particular NT domain."
ZServerSSL's X509_REMOTE_USER mode integrates X.509 client
certificates and RemoteUserFolder: run Zope in REMOTE_USER mode and
configure ZServerSSL's HTTPS server to require client X.509
certificates. When a user connects, ZServerSSL handles certificate
verification and, if the client certificate is accepted, sets REMOTE_USER
to the client certificate's subject distinguished name. In this case,
the user names in the RemoteUserFolder are structured strings such as
/C=SG/O=M2Crypto/CN=M2Crypto Client. (But still strings: RemoteUserFolder
matches the whole DN string, it does not interpret its components.)
Just in case I'm being unclear: In X509_REMOTE_USER mode
ZServerSSL is handling the authentication; there is no external web server.
(A bit of history: Back in 2000 when X509_REMOTE_USER mode was first released
(scroll to the end of the linked page), RemoteUserFolder didn't exist. At
that time I wrote a simple workalike tool that mapped the subject
distinguished name to a Zope username; this program is
<m2crypto>/demo/Zope/utilities/x509_user.py.)
Hi Pheng Siong,
It was probably me who posted the question to you on Client certs. :) Thanks for the quick response!
I am still confused as to how this is supposed to work. Perhaps I should describe what I am trying to do: I would like to have Plone running to require Client Certificates as users are logging in, i.e. users will require uid/password + client certificate to use Plone resources.
I am beginning to suspect that it is either one or the other. i.e. either certificate identification, or uid/password. Would that be correct?
~Daniel
Daniel,
When you put down a requirement like that, you don't get told, "This is how..." You are first asked, "Why? What's your threat model?" ;-)
Wrt ZServerSSL specifically, if you enable X509_REMOTE_USER mode, REMOTE_USER is set to the client cert subject DN automatically; if you don't, client certs aren't required and REMOTE_USER is always unset.
If you want to require client certs but not set REMOTE_USER you'll need to modify the source.
You do realise this means that the client cert info is thrown away after a successful verification. Which implies you don't want to trust the identity that is certified by said client cert, which begs the question: Why do the extra work of client cert verification if you don't trust what the cert supposedly certifies?
Another way of looking at this: If the client certs says the other end is user A, but the username/password says it is user B, your proposed setup will see user B and doesn't know/care that the cert said user A.
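As an added illustration of the two points made on this page, the X509_REMOTE_USER flow described in the post (verified client cert, subject DN copied into REMOTE_USER, RemoteUserFolder treating that DN as an opaque user name) and the reply above about what Zope sees when the cert identity and the Basic Auth identity disagree, here is a small Python simulation. It is not ZServerSSL, M2Crypto or RemoteUserFolder code; the function and class names are invented for the example, the user table is constructed sample data, and certificate chain verification is assumed to have already been done by the TLS layer, so a cert is represented as just a subject DN plus a verified flag.

```python
# Added illustration of the X509_REMOTE_USER flow; not ZServerSSL/M2Crypto/
# RemoteUserFolder code.  All names below are invented for the example, and
# chain verification is assumed to have happened in the TLS layer already.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientCert:
    subject_dn: str   # OpenSSL one-line form, e.g. "/C=SG/O=M2Crypto/CN=M2Crypto Client"
    verified: bool    # outcome of chain verification against the configured CA(s)


def set_remote_user(environ: dict, cert: Optional[ClientCert], x509_remote_user: bool) -> dict:
    """Mirror what the post says ZServerSSL does with REMOTE_USER.

    X509_REMOTE_USER on : a client cert is required; if it verifies, REMOTE_USER
                          becomes its subject DN, otherwise the request is refused.
    X509_REMOTE_USER off: client certs are not requested and REMOTE_USER stays unset.
    """
    environ.pop("REMOTE_USER", None)          # never keep a value the client could have sent
    if not x509_remote_user:
        return environ
    if cert is None or not cert.verified:
        raise PermissionError("client certificate required and must verify")
    environ["REMOTE_USER"] = cert.subject_dn
    return environ


# RemoteUserFolder-style table: the "user names" are whole subject-DN strings.
# Constructed sample data.
USERS: Dict[str, List[str]] = {
    "/C=SG/O=M2Crypto/CN=M2Crypto Client": ["Member"],
    "/C=SG/O=M2Crypto/CN=Admin": ["Manager"],
}


def roles_for(environ: dict) -> Optional[List[str]]:
    """Look REMOTE_USER up as an opaque string.  None means anonymous (no
    REMOTE_USER at all); [] means a verified cert whose DN nobody granted roles to."""
    name = environ.get("REMOTE_USER")
    if name is None:
        return None
    return USERS.get(name, [])


def parse_dn(dn: str) -> Dict[str, str]:
    """Split the one-line DN into attributes, for display or policy checks.
    Assumes no attribute value contains "/" (the one-line format does not
    escape it), which is one reason the lookup above compares whole strings."""
    parts = [p for p in dn.split("/") if p]
    return dict(p.split("=", 1) for p in parts)


def effective_identity(environ: dict, basic_auth_user: Optional[str]) -> Optional[str]:
    """Which identity Zope acts on: in REMOTE_USER mode it is the DN that
    ZServerSSL set; without it only the Basic Auth user is visible, and any
    client cert presented during the handshake has no influence on the result."""
    if "REMOTE_USER" in environ:
        return environ["REMOTE_USER"]
    return basic_auth_user


if __name__ == "__main__":
    good = ClientCert("/C=SG/O=M2Crypto/CN=M2Crypto Client", verified=True)
    env = set_remote_user({}, good, x509_remote_user=True)
    print(env["REMOTE_USER"], roles_for(env))        # the DN, ['Member']
    print(parse_dn(env["REMOTE_USER"])["CN"])         # M2Crypto Client
    # Same attributes in another order is a different string, hence no roles.
    reordered = ClientCert("/CN=M2Crypto Client/O=M2Crypto/C=SG", verified=True)
    print(roles_for(set_remote_user({}, reordered, True)))   # []
    # Mode off: the cert is not consulted; Basic Auth's user is what Zope sees.
    print(effective_identity(set_remote_user({}, good, False), "userB"))   # userB
```

The last two calls are the caveat from the reply above in code form: with X509_REMOTE_USER off, a cert for user A changes nothing and Zope acts as user B from the password; with it on, the DN is the identity and a DN that is not byte-for-byte in the folder gets no roles even though it verified.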
Ok, I think I get a better picture now. So Zope's REMOTE_USER mode uses the Windows Domain login credentials as the first factor of authentication, followed by the client certificate (requested by ZServerSSL) as the second factor.
My aim is to establish a two factor authentication login to Plone. The threat model is that I was originally thinking that it had to be implemented entirely in Zope for both factors. Looks like I will have to depend on the windows domain login for the first factor. Thanks for that clarification.
Wrt turning on ZServerSSL's X509_REMOTE_USER:
1. For Zope's REMOTE_USER mode: I presume it would be simply a matter of making sure that the 'inituser' file is altered to reflect "WindowsDomain\UserID:"? I read in jephte's HOWTO for jcNTUserFolder that that is the way it is done to turn on REMOTE_USER mode for Zope.
2. To configure ZServerSSL to require client certs: I am currently using Zope 2.7.2, and the latest M2Crypto. That means z2s.py does not exist. However, I found similar syntax for ssl_ctx.set_verify() in datatypes.py (in install_home/python/lib/ZServer). Would this be where the said editing should be done for Zope 2.7.x?
One last thing: Does x509_user.py still work? It seems like if it works, then there is no need to use RemoteUserFolder. I will test it out in a few days.
Will currently work on grabbing the Windows Domain Login credentials to use in the REMOTE_USER mode (if I'm right about what's happening as described above in 1 and 2). Will report if I have any significant findings.
> So Zope's REMOTE_USER mode uses the Windows
> Domain login credentials as the first factor of
> authentication, followed by the client
> certificate(requested by ZServerSSL) as the second
> factor.
No and no.
Zope's REMOTE_USER mode depends on the web server to set that CGI variable. It is entirely up to the web server how that is done. _For_example_, IIS can set that to Windows domain login credentials. _For_example_, ZServerSSL can set it to the client cert subject DN.
ZServerSSL does _not_ require IIS to front it. It runs as-is.
> [ inituser, jcNTUserFolder, REMOTE_USER mode ]
That may be the way for jcNTUserFolder. For ZServerSSL it is "-x" for Zope 2.6, and the appropriate config in zope.conf for Zope 2.7.
I wrote earlier that it is common to front Zope with another web server, e.g., IIS or Apache. Zope itself has a web server called ZServer. In some situations it is good enough to use Zope directly via ZServer, i.e., no IIS nor Apache. ZServerSSL extends ZServer to do SSL, so one may access Zope over HTTPS directly via ZServerSSL, i.e., no IIS nor Apache needed for the SSL functionality.
> [ Using x509_user.py ]
Don't. Use RemoteUserFolder instead.
HTC.
I guess the only thing I need to do then is to make sure that zope.conf has the following for 2.7:
x509-remote-user on
Well, it doesn't work with just that setting. Only the server cert is pushed to the client browser to establish SSL. But no request for client cert from ZServer. Perhaps I am missing another setting in ZServer, but I have no idea what.