[Grok-dev] grok and ldap auth

Kevin Teague kevin at bud.ca
Wed Sep 17 00:50:55 EDT 2008


On Sep 16, 2008, at 7:41 PM, Reed O'Brien wrote:

> On Sep 16, 2008, at 4:39 AM, Jens Adner wrote:
>
>> Hello,
>>
>> I'm new here. I have some experience with zope2 and plone and ldap
>> auth. I'm looking for a framework to create a small webapp for
>> authenticating our students against the global ldap database.
>>
>> We changed from perl and php to python in our system programming and
>> I'm happy  with python, so grok seems to be a good choice for this
>> task.
>>
>> Maybe anyone  can help me in programming a ldap interface for grok
>> auth. I tried some of the example codes for grok, but now I need some
>> help for the first steps.
>>
>> I read about ldappas and ldapadapter, but I don't know how to use
>> them in zope3 (grok) to make a view restricted for ldap users.
>>
>> In the near future, i18n and mysql data models are in the point of
>> interest.
>>
>> Sorry for my English
>
> Sorry for my only English :(
>
> You might look at GUM
>
> http://www.bcgsc.ca/scm/hg.repo/gum/
>
> It uses ldappas and ldapadapter. I have not used it but maybe you can
> get some ideas there.
>

Some of the interesting knowledge I learned while making GUM you might
find relevant:

  - Usage of z3c.recipe.ldap to configure an ldap instance to use for
    testing and development.

    I use Mac OS X for dev, it has OpenLDAP already on the system, so
    z3c.recipe.ldap just needs to configure an instance of it. However,
    my buildout.cfg is a bit Mac-specific.

    I spent a fair bit of time with the rootpw setting, since it seemed
    to ignore this attribute unless it was encrypted (although the
    OpenLDAP docs I read seemed to indicate otherwise).

  - Getting python-ldap to install as part of the buildout process was
    finicky. I ended up making binary eggs, tossing them into an Apache
    index directory and informing buildout about this location using
    the find-links option. You'll need to adjust the bcgsc.ca URL to
    prefix it with www. because it seems our DNS config is broken ATM
    for the non-www domain :( Or make your own python-ldap eggs.

  - Determining if a user is allowed to access a view is done with an
    event subscriber, the code is in src/gum/ldapapp.py. My subscriber
    is fairly specific to the needs of GUM (and it could use a little
    more clean-up), but it serves as an OK example. Note that
    IPrincipalCreated is fired every time a user logs in, and
    Principal == User terminology-wise. The zope.securitypolicy package
    has documentation for the role and permission APIs.

import grok
# In the Grok / Zope 3 releases of this era IPrincipalCreated comes from
# zope.app.security.interfaces; newer Zope Toolkit releases provide it
# from zope.authentication.interfaces.
from zope.app.security.interfaces import IPrincipalCreated
from zope.securitypolicy.interfaces import (IPrincipalRoleManager,
                                            IRolePermissionManager)


@grok.subscribe(IPrincipalCreated)
def update_principal_info_from_ldap(event):
    "Update the principal with information from LDAP"
    principal = event.principal
    app = grok.getSite()
    # principal ids have the form 'gum.ldap.<uid>'; the last component
    # is the LDAP uid used to look the user up in the site's container
    uid = principal.id.split('.')[-1]
    user = app['users'][uid]
    principal.title = user.cn
    principal.uid = uid
    # every authenticated principal joins the gum.Admin group; the
    # gum.Admin *role* (which carries the permissions) is only assigned
    # further down, to members of the LDAP admin group
    principal.groups.extend([u'gum.Admin'])

    # grant permissions to the Admin role
    rpm = IRolePermissionManager(app)
    rpm.grantPermissionToRole(u'gum.Add', u'gum.Admin')
    rpm.grantPermissionToRole(u'gum.Edit', u'gum.Admin')

    # grant the Admin role to members of the ldap_admin_group
    admin_group = app['groups'][app.ldap_admin_group]
    if uid in admin_group.uids:
        prm = IPrincipalRoleManager(app)
        prm.assignRoleToPrincipal(u'gum.Admin', u'gum.ldap.%s' % uid)

  You'll also need to make Permissions to grant Roles to:

class Add(grok.Permission):
    grok.name(u'gum.Add')

  And then a View can be protected with the require directive:

class AddUser(grok.AddForm):
    grok.require(u'gum.Add')


Maybe there are better ways to do this? But hopefully it'll get you  
started, if you get stuck somewhere specific, feel free to ask more  
questions.
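As an added illustration (not GUM's code and not part of the message above), the login-time flow just described can be modelled in plain Python so it runs without Zope, Grok or an LDAP server: the LDAP admin group decides whether the principal gets the gum.Admin role, the role carries the gum.Add and gum.Edit permissions, and a view protected like AddUser only renders for a principal holding gum.Add. The user and group data, the names DIRECTORY_USERS, DIRECTORY_GROUPS, on_principal_created, has_permission, require, add_user_view and view_allowed, and the use of PermissionError are all constructed stand-ins for app['users'], app['groups'], the IPrincipalCreated subscriber and grok.require.

```python
# Added illustration: the principal -> role -> permission flow from the
# subscriber above, modelled in plain Python (no Zope, Grok or LDAP).
# Directory contents, names and the PermissionError are constructed.

# Constructed stand-in for app['users']: uid -> LDAP attributes.
DIRECTORY_USERS = {
    "jadner": {"cn": "Jens Adner"},
    "kteague": {"cn": "Kevin Teague"},
}
# Constructed stand-in for app['groups']: group name -> member uids.
DIRECTORY_GROUPS = {
    "ldap_admins": {"kteague"},
}
LDAP_ADMIN_GROUP = "ldap_admins"   # plays the role of app.ldap_admin_group

# What the grantPermissionToRole calls build up: role -> its permissions.
ROLE_PERMISSIONS = {
    "gum.Admin": {"gum.Add", "gum.Edit"},
}


class Principal:
    """Request-scoped principal, as handed to the IPrincipalCreated subscriber."""

    def __init__(self, principal_id):
        self.id = principal_id
        self.title = None
        self.uid = None
        self.roles = set()


def uid_from_principal_id(principal_id):
    """'gum.ldap.<uid>' -> '<uid>', the same split the subscriber uses."""
    return principal_id.split(".")[-1]


def on_principal_created(principal):
    """Stand-in for the subscriber: runs on every login.

    Roles are recomputed from the directory each time, so a change of
    LDAP group membership is visible at the user's next login.
    """
    uid = uid_from_principal_id(principal.id)
    user = DIRECTORY_USERS[uid]          # KeyError: unknown uid, no principal
    principal.title = user["cn"]
    principal.uid = uid
    principal.roles = set()
    if uid in DIRECTORY_GROUPS[LDAP_ADMIN_GROUP]:
        principal.roles.add("gum.Admin")
    return principal


def login(principal_id):
    """Authentication succeeded for principal_id; fire the created hook."""
    return on_principal_created(Principal(principal_id))


def has_permission(principal, permission):
    """True if any role held by the principal carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in principal.roles)


def require(permission):
    """Stand-in for grok.require: the view body runs only with the permission."""
    def decorator(view):
        def guarded(principal, *args, **kwargs):
            if not has_permission(principal, permission):
                raise PermissionError("%s lacks %s" % (principal.id, permission))
            return view(principal, *args, **kwargs)
        return guarded
    return decorator


@require("gum.Add")
def add_user_view(principal):
    """Stand-in for the AddUser form protected by grok.require(u'gum.Add')."""
    return "AddUser form rendered for %s" % principal.title


def view_allowed(principal_id, view):
    """Log in and try the view; True if it rendered, False if it was refused."""
    try:
        view(login(principal_id))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(view_allowed("gum.ldap.kteague", add_user_view))   # True
    print(view_allowed("gum.ldap.jadner", add_user_view))    # False
```

One difference from the subscriber above is worth keeping in mind: this model keeps the role on the request-scoped principal and recomputes it from the directory at each login, whereas assignRoleToPrincipal on the site records the grant in the site's annotations, where it stays until something removes it.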
