[Zope-PAS] User ID mangling question
regebro at nuxeo.com
Tue Sep 14 09:18:15 EDT 2004
Jens Vagelpohl wrote:
> So I'm going through the LDAPMultiPlugin right now trying to make it
> work with the latest PAS and I'm noticing that some mangling behaviors
> have changed.
> Specifically, the ID of the PropertiedUser is the mangled ID and not the
> ID the plugin itself has returned. When "validate" is called the first
> step after extraction (which returns the unmangled user IDs as seen by
> my plugin) is a call to _findUser. In _findUser the users are built with
> a call to _createUser, and that user object now carries a mangled ID. So
> in the next step, looking up user properties, my plugin gets a user with
> an ID that is not the one it knows about and returns garbage.
> I might have missed some discussion here, it's possible that my plugin
> does something wrong. Is a plugin supposed to know how to deal with a
> mangled ID or did something else go wrong?
Well, there has been some discussion on how it *should* work. But I
don't think it has been decided yet. Your input is welcome.
Another issue that has been decided is exactly what the prefix should
be. It is currently the id of authenticator plugin, but that means the
authenticator plugin and the enumeration plugin must be the same. And in
the case where you are not using username and password as credentials,
that also means that the extraction plugin must be the same. Which means
that if you want to use a single-signon solution with for example, your
LDAP directory, things suddenly get very complicated, and you need to
write an SSO-LDAP plugin that does everything. Which of course defeats
the whole idea of plugins.
For me, the only prefix that makes sense is the enumerator plugin. It
has been pointed out that some solutions use no enumerator but simply
accept the username from the authenticator, but that is clearly a
special case of having a sort of "dummy enumerator" that accepts that
all users imaginable exists. ;)
I think we need more brains on this. So how do you think it should work?
A small comment:
> "validate" is called the first step after extraction (which returns
> the unmangled user IDs as seen by my plugin)
No... I'm pretty sure _extractUserIds() mangles the ids. Maybe it
shouldn't, but it does.
More information about the Zope-PAS