[Zope-PAS] First cut at PAS for Zope 3

Jim Fulton jim at zope.com
Wed Oct 6 07:03:02 EDT 2004

Mark Hammond wrote:
>>>Consider a plugin which uses an external user store - eg,
>>>LDAP, and a site with multiple PAS folders where each folder
>>>contains a
>>>mythical LDAP plugin.
>>>Each of these PAS plugins is configured to use the same
>>>underlying LDAP store.
>>Why would you use multiple PAS instances in this case?
> I'm still very much a Zope newbie, so this may not make sense.  I'm also
> entering the Zope world by way of Plone, so it may simply be exposing my CMF
> view of the world.
> Consider a single Zope site with 2 discrete areas - "sales" and "marketing".
> Both want to use the same LDAP user store (ie, their org's store), but want
> to be able to assign different "role mappings" to these sites.
> I assumed that site would setup 2 PAS folders - one in each of the areas.
> Both sites would have similarly configured LDAP stores, but would have the
> mapping of LDAP groups into roles configured differently.


> Maybe the correct configuration in that case would be *three* PAS folders -
> one in the root with the LDAP store, and one in each of the areas with only
> group mappings configured?  The magic of acquisition is new to me too, so
> this may even work now :)

That might be an option.

>>>If the LDAP plugin knew a globally unique ID for the user
>>>(as provided by
>>>the external LDAP store), would it be able to use that ID
>>>as a principal ID?
>>Yes, but you would have to use empty prefixes for each of the
>>PAS instances.
> Which would also mean every other PAS plugin in both those instances would
> be forced to use empty prefixes? 

The Zope 3 PAS prefixes have nothing to do with any prefixes used by the plugins
themselves.  The PAS prefix is to provide uniqueness across PASs so the plugins
are only required to support unique principal ids within a PAS.  For a site like you
describe, you might decide to require plugins to be configured to assure unique ids
across the whole site.

> Or is there a way for a single plugin to
> say that only it does (or doesn't) want a prefix?

The plugin prefixes are independent of the PAS prefixes.  The purpose
of the PAS prefixes is to allow you to avoid having to coordinate plugin
prefixes across PASs (sites), but, in this case you want to coordinate plugin
prefixes across sites, so you will just not set the PAS prefixes.

> That way you could have a
> "global" LDAP plugin interact correctly with 2 different, local
> ZODBUserManager stores.


>>>Can we re-use this ID for better integration with the
>>>underlying store?
>>Not sure what that means. IDs are required to be unicode
>>strings.  Beyond
>>that, it's up to the plugin to decide what the ids are.
> I was just restating my other question - "can I re-use that ID across
> different PAS/plugin instances?".  I believe the answer is above "yes, so
> long as you have an empty prefix"


>>>* The login_name - the name they type into a login box
>>>  along with their password.
>>Yup. Of course, that's up to the plugin.  There might be
>>systems that don't use login names, or that use more than one.
>>(I use a system that uses two login names, one a company name, and
>>the other a company-specific user name.)
> That makes sense, but doesn't quite fit the Zope2 PAS implementation.
> PropertiedUser defines an optional "login" param to the constructor and
> supplies a few methods implementing "BasicUser's public interface" -
> including getUserName()

Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
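An added example, not code from this thread or from Zope's PAS itself: a small Python model of principal-id composition (PAS prefix + plugin prefix + plugin-local id, as Jim describes above) that checks the "sales"/"marketing" layouts discussed in the thread for ambiguous ids. The site layout, prefixes and user entries are constructed for illustration.

```python
# Constructed model of Zope 3 PAS-style principal ids (not Zope's own code).
# A full id is built by concatenation; uniqueness is therefore only as good
# as the prefixes that each layer contributes.


def principal_id(pas_prefix, plugin_prefix, local_id):
    """Full principal id = PAS prefix + plugin prefix + plugin-local id."""
    return pas_prefix + plugin_prefix + local_id


def resolve_site(site):
    """Map every principal id a site can produce to the set of underlying
    identities it stands for.  site: list of (pas_prefix, plugins);
    plugins: list of (plugin_prefix, users); users: {local_id: identity}."""
    table = {}
    for pas_prefix, plugins in site:
        for plugin_prefix, users in plugins:
            for local_id, identity in users.items():
                pid = principal_id(pas_prefix, plugin_prefix, local_id)
                table.setdefault(pid, set()).add(identity)
    return table


def collisions(table):
    """Principal ids that stand for more than one underlying identity,
    i.e. ids on which role grants would be ambiguous."""
    return {pid for pid, identities in table.items() if len(identities) > 1}


# Constructed data: one org-wide LDAP store shared by both areas, plus a
# local ZODB user manager per area that happens to reuse the name "bob".
LDAP = {"jdoe": "ldap:uid=jdoe,ou=people,dc=example",
        "bob": "ldap:uid=bob,ou=people,dc=example"}
SALES_LOCAL = {"bob": "zodb:/sales/users/bob"}
MKT_LOCAL = {"bob": "zodb:/marketing/users/bob"}


def site_with_pas_prefixes():
    """One PAS per area, each with its own PAS prefix (the default setup)."""
    return [("sales.", [("ldap.", LDAP), ("local.", SALES_LOCAL)]),
            ("marketing.", [("ldap.", LDAP), ("local.", MKT_LOCAL)])]


def site_without_pas_prefixes(local_prefixes=("local.", "local.")):
    """Empty PAS prefixes: the LDAP user gets one site-wide id, but now the
    plugin prefixes themselves must be coordinated across the areas."""
    return [("", [("ldap.", LDAP), (local_prefixes[0], SALES_LOCAL)]),
            ("", [("ldap.", LDAP), (local_prefixes[1], MKT_LOCAL)])]
```

With PAS prefixes set, jdoe appears as two different principals (`sales.ldap.jdoe` and `marketing.ldap.jdoe`); with empty PAS prefixes and uncoordinated `local.` plugin prefixes, `local.bob` becomes ambiguous, which is the coordination problem Jim points out.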
