[Grok-dev] grok and ldap auth
kevin at bud.ca
Wed Sep 17 00:50:55 EDT 2008
On Sep 16, 2008, at 7:41 PM, Reed O'Brien wrote:
> On Sep 16, 2008, at 4:39 AM, Jens Adner wrote:
>> I'm new here. I have some experience with zope2 and plone and ldap
>> auth. I'm looking for a framework to create a small webapp for
>> authenticating our students against the global ldap database.
>> We changed from perl and php to python in our system programming and
>> I'm happy with python, so grok seems to be a good choice for this
>> Maybe anyone can help me in programming an ldap interface for grok
>> auth. I tried some of the example codes for grok, but now I need some
>> help for the first steps.
>> I read about ldappas and ldapadapter, but I don't know how to use
>> in zope3 (grok) to make a view restricted for ldap users.
>> In the near future, i18n and mysql data models are in the point of
>> Sorry for my English
> Sorry for my only English :(
> You might look at GUM
> It uses ldappas and ldapadapter. I have not used it but maybe you can
> get some ideas there.
Some of the interesting knowledge I learned while making GUM you might
- Usage of z3c.recipe.ldap to configure an ldap instance to use for
testing and development.
I use Mac OS X for dev; it has OpenLDAP already on the system, so
z3c.recipe.ldap just needs to
configure an instance of it. However, my buildout.cfg is a bit Mac-
I spent a fair bit of time with the rootpw setting, since it
seemed to ignore this attribute unless it
was encrypted (although the OpenLDAP docs I read seemed to
- Getting python-ldap to install as part of the buildout process was
finicky. I ended up making binary eggs,
tossing them into an Apache index directory and informing buildout
about this location using the find-links option.
You'll need to adjust the bcgsc.ca URL to prefix it with www.
because it seems our DNS config is broken ATM for the non-www domain :(
Or make your own python-ldap eggs.
- Determining if a user is allowed to access a view is done with an
event subscriber, the code is in src/gum/ldapapp.py.
My subscriber is fairly specific to the needs of GUM (and it could
use a little more clean-up), but it serves as an OK example.
Note that IPrincipalCreated is fired every time a user logs in,
and Principal == User terminology-wise. The zope.securitypolicy
package has documentation for the role and permission APIs.
# Imports and the subscriber signature were not in the excerpt as posted;
# the module paths below are the ones in use at the time of writing.
import grok
from zope.app.authentication.interfaces import IPrincipalCreated
from zope.securitypolicy.interfaces import (IPrincipalRoleManager,
                                            IRolePermissionManager)

@grok.subscribe(IPrincipalCreated)
def update_principal(event):  # function name chosen here, not from the post
    "Update the principal with information from LDAP"
    principal = event.principal
    app = grok.getSite()
    # principal ids look like 'gum.ldap.<uid>'; keep only the uid part
    uid = principal.id.split('.')[-1]
    user = app['users'][uid]
    principal.title = user.cn
    principal.uid = uid
    # grant roles to permissions
    # (the grantPermissionToRole calls that use rpm are not in this excerpt)
    rpm = IRolePermissionManager(app)
    # grant the Admin role to members of the ldap_admin_group
    admin_group = app['groups'][app.ldap_admin_group]
    if uid in admin_group.uids:
        prm = IPrincipalRoleManager(app)
        prm.assignRoleToPrincipal(u'gum.Admin', u'gum.ldap.%s' % uid)
You'll also need to make Permissions to grant Roles to:
And then a View can be protected with the require directive:
Maybe there are better ways to do this, but hopefully it'll get you
started; if you get stuck somewhere specific, feel free to ask more
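The pattern above, as an added stand-alone example that is not GUM's code and uses no Grok or zope.securitypolicy API: a principal is built at login from a constructed in-memory stand-in for the LDAP directory, roles are derived from group membership in a subscriber-style hook, roles map to permissions, and a view check reduces to one permission lookup. Group, role and permission names other than gum.Admin are made up for the example. Because assignments made through IPrincipalRoleManager persist between logins, this example also unsets a role when the group check fails on a later login, which the snippet as posted does not do.

```python
"""Model of the GUM pattern in plain Python (no Grok or zope.securitypolicy):
an LDAP principal is built at login, roles are derived from LDAP group
membership, roles map to permissions, and a view checks one permission."""
from dataclasses import dataclass

# Constructed stand-in for the LDAP directory: uid -> cn, and group -> uids.
SAMPLE_USERS = {"alice": "Alice Example", "bob": "Bob Example"}
SAMPLE_GROUPS = {"gum_admins": {"alice"}, "students": {"alice", "bob"}}

# Hypothetical role and permission names in the style of the post's gum.Admin.
GROUP_TO_ROLE = {"gum_admins": "gum.Admin", "students": "gum.Member"}
ROLE_TO_PERMISSIONS = {
    "gum.Admin": {"gum.View", "gum.Edit"},
    "gum.Member": {"gum.View"},
}


@dataclass
class Principal:
    """Minimal counterpart of the zope principal: id like 'gum.ldap.<uid>'."""
    id: str
    title: str = ""
    uid: str = ""


class RoleStore:
    """Persistent principal -> roles map, like IPrincipalRoleManager on the
    site. Assignments survive across logins, which is why revocation matters."""

    def __init__(self):
        self._roles = {}

    def assign(self, role, principal_id):
        self._roles.setdefault(principal_id, set()).add(role)

    def unset(self, role, principal_id):
        self._roles.get(principal_id, set()).discard(role)

    def roles_for(self, principal_id):
        return frozenset(self._roles.get(principal_id, ()))


def on_principal_created(principal, store, users, groups):
    """Subscriber body run on every login (IPrincipalCreated fires each time).
    Fills in title/uid from the directory and re-derives roles from groups."""
    uid = principal.id.split(".")[-1]
    if uid not in users:
        raise LookupError("principal %r has no LDAP entry" % principal.id)
    principal.title = users[uid]
    principal.uid = uid
    for group, role in GROUP_TO_ROLE.items():
        if uid in groups.get(group, set()):
            store.assign(role, principal.id)
        else:
            # Membership is re-checked on each login, so a role granted
            # earlier is dropped once the user leaves the LDAP group.
            store.unset(role, principal.id)
    return store.roles_for(principal.id)


def permissions_for(store, principal_id):
    """Union of the permissions granted to the principal's roles."""
    perms = set()
    for role in store.roles_for(principal_id):
        perms |= ROLE_TO_PERMISSIONS.get(role, set())
    return frozenset(perms)


def can_access(store, principal_id, required):
    """What a view's require directive boils down to: one permission check."""
    return required in permissions_for(store, principal_id)


def login(uid, store, users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """Build the principal the way the LDAP plugin would, then run the hook."""
    principal = Principal(id="gum.ldap.%s" % uid)
    on_principal_created(principal, store, users, groups)
    return principal


if __name__ == "__main__":
    store = RoleStore()
    alice = login("alice", store)
    bob = login("bob", store)
    print(alice.title, can_access(store, alice.id, "gum.Edit"))  # Alice Example True
    print(bob.title, can_access(store, bob.id, "gum.Edit"))      # Bob Example False
    # Alice leaves the admin group; her next login revokes gum.Admin.
    later = {"gum_admins": set(), "students": {"alice", "bob"}}
    login("alice", store, groups=later)
    print(can_access(store, alice.id, "gum.Edit"))               # False
```

The directory is passed in as plain dicts so the membership change can be simulated; in a real deployment the lookups in `on_principal_created` are the LDAP queries, and the hook's return value is only there to make the derived role set easy to inspect.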