[Zope-PAS] First cut at PAS for Zope 3

Mark Hammond mhammond at skippinet.com.au
Tue Oct 5 20:40:36 EDT 2004

> > Consider a plugin which uses an external user store - e.g., LDAP, and a
> > site with multiple PAS folders where each folder contains a mythical LDAP
> > plugin.
> > Each of these PAS plugins is configured to use the same
> > underlying LDAP store.
> Why would you use multiple PAS instances in this case?

I'm still very much a Zope newbie, so this may not make sense.  I'm also
entering the Zope world by way of Plone, so it may simply be exposing my CMF
view of the world.

Consider a single Zope site with 2 discrete areas - "sales" and "marketing".
Both want to use the same LDAP user store (ie, their org's store), but want
to be able to assign different "role mappings" to these sites.

I assumed that site would set up 2 PAS folders - one in each of the areas.
Both sites would have similarly configured LDAP stores, but would have the
mapping of LDAP groups into roles configured differently.

Maybe the correct configuration in that case would be *three* PAS folders -
one in the root with the LDAP store, and one in each of the areas with only
group mappings configured?  The magic of acquisition is new to me too, so
this may even work now :)

> > If the LDAP plugin knew a globally unique ID for the user (as provided by
> > the external LDAP store), would it be able to use that ID as a principal ID?
> Yes, but you would have to use empty prefixes for each of the
> PAS instances.

Which would also mean every other PAS plugin in both those instances would
be forced to use empty prefixes?  Or is there a way for a single plugin to
say that only it does (or doesn't) want a prefix?  That way you could have a
"global" LDAP plugin interact correctly with 2 different, local
ZODBUserManager stores.

> > Can we re-use this ID for better integration with the
> > underlying store?

> Not sure what that means. IDs are required to be unicode strings.  Beyond
> that, it's up to the plugin to decide what the ids are.

I was just restating my other question - "can I re-use that ID across
different PAS/plugin instances?".  I believe the answer is above: "yes, so
long as you have an empty prefix".

> > * The login_name - the name they type into a login box
> >   along with their password.
> Yup. Of course, that's up to the plugin.  There might be
> systems that don't use login names, or that use more than one.
> (I use a system that uses two login names, one a company name, and
> the other a company-specific user name.)

That makes sense, but doesn't quite fit the Zope2 PAS implementation.
PropertiedUser defines an optional "login" param to the constructor and
supplies a few methods implementing "BasicUser's public interface" -
including getUserName().

The rest of your message makes sense.

I'll try and draft a proposal for tightening up PAS for Zope2 in this
regard - I believe that simply means making "login" non-optional in the user
constructor and insisting the plugins provide the value.  The plugin itself
can make the decision that id==login, but no one else can.  Without
clarifying the status of getUserName() in PAS for Zope2, it is hard to argue
the current implementation needs tweaking in that regard.
