[Zope-PAS] User ID mangling question

Jens Vagelpohl jens at dataflake.org
Tue Sep 14 09:43:36 EDT 2004

>> I might have missed some discussion here, it's possible that my 
>> plugin does something wrong. Is a plugin supposed to know how to deal 
>> with a mangled ID or did something else go wrong?
> Well, there has been some discussion on how it *should* work. But I 
> don't think it has been decided yet. Your input is welcome.

It's too bad I don't remember much about the discussions that took 
place in December 2003 when I sat in the same room at ZC with Tres, Zac 
and Andrew and we gave birth to this baby ;)

To boil the problem down, it is problematic to churn out users with IDs 
that are unlike the IDs plugins themselves know about, at least in a 
case like mine where one plugin fulfills all kinds of roles at the same 
If there was a way to "squirrel away" some information on the user 
about the "original" ID as returned by the authentication plugin 
"authenticateCredentials" so that you can get back to it if you're 
handed a user that would help with this immediate problem. Or the 
plugin needs to know about mangling (eww...) and unmangle the ID before 
further use. Not nice.

> Another issue that has been decided is exactly what the prefix should 
> be. It is currently the id of authenticator plugin, but that means the 
> authenticator plugin and the enumeration plugin must be the same. And 
> in the case where you are not using username and password as 
> credentials, that also means that the extraction plugin must be the 
> same. Which means that if you want to use a single-signon solution 
> with for example, your LDAP directory, things suddenly get very 
> complicated, and you need to write an SSO-LDAP plugin that does 
> everything. Which of course defeats the whole idea of plugins.

Well, right now the LDAPMultiPlugin really does almost everything ;)  
But you're right, it kind of defeats the whole purpose.
The prefix naming is a really hard problem if you want the plugins to 
not care about mangling themselves. One "face saving" workaround could 
be that <hand waving> the plugin gets information from the PAS about 
what ID PAS is using for a given user and keeps an internal "cache" to 
map mangled to unmangled ID.

> For me, the only prefix that makes sense is the enumerator plugin. It 
> has been pointed out that some solutions use no enumerator but simply 
> accept the username from the authenticator, but that is clearly a 
> special case of having a sort of "dummy enumerator" that accepts that 
> all users imaginable exists. ;)
> I think we need more brains on this. So how do you think it should 
> work?

Off the top of my head I can't offer a good solution, I just know the 
current one has problems. That's not all that helpful :/
It is crystal clear that some mangling or some assigning of unique IDs 
has to happen because "jens from the LDAP plugin" isn't "jens from the 
ZODB plugin".

> A small comment:
> > "validate" is called the first step after extraction (which returns
> > the unmangled user IDs as seen by  my plugin)
> No... I'm pretty sure _extractUserIds() mangles the ids. Maybe it 
> shouldn't, but it does.

My bad, you're right :)


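The mangling scheme discussed above, worked through as an added example (it is not code from PluggableAuthService or from this thread): a prefix derived from the plugin ID keeps "jens from the LDAP plugin" distinct from "jens from the ZODB plugin", and a per-plugin cache records the mapping from the mangled ID back to the ID the plugin actually authenticated, so the plugin can recover it when handed a user. The `__` delimiter and the function and class names are assumptions. The check in `mangle` shows why the delimiter has to be excluded from both halves: without it, two different (plugin, user) pairs can mangle to the same string, and unmangling can return another plugin's user.

```python
"""Illustrative PAS-style user ID mangling (constructed example, not PAS's own API).

Assumptions: a fixed "__" delimiter between plugin ID and user ID, and a
per-plugin cache that remembers which original ID produced which mangled ID.
"""
from typing import Dict, Optional, Tuple

DELIMITER = "__"  # assumed separator; any fixed separator has the same ambiguity issue


def mangle(plugin_id: str, user_id: str) -> str:
    """Return the ID the user object carries: the plugin ID prefixed to the user ID.

    Both halves must be non-empty and must not contain the delimiter.  Otherwise
    plugin "a" with user "ldap__x" and plugin "a__ldap" with user "x" would both
    mangle to "a__ldap__x", and unmangling could hand one plugin the other's user.
    """
    for part in (plugin_id, user_id):
        if not part or DELIMITER in part:
            raise ValueError("ID %r must be non-empty and must not contain %r" % (part, DELIMITER))
    return plugin_id + DELIMITER + user_id


def unmangle(mangled: str) -> Tuple[str, str]:
    """Split a mangled ID back into (plugin_id, user_id); reject malformed input."""
    plugin_id, sep, user_id = mangled.partition(DELIMITER)
    if not sep or not plugin_id or not user_id:
        raise ValueError("not a mangled ID: %r" % mangled)
    return plugin_id, user_id


class IdCache:
    """The 'squirrel away' approach from the thread: a plugin records the
    mangled -> original mapping when it authenticates and consults it later."""

    def __init__(self, plugin_id: str) -> None:
        self.plugin_id = plugin_id
        self._by_mangled: Dict[str, str] = {}

    def authenticate(self, user_id: str) -> str:
        """Stand-in for authenticateCredentials: record and return the mangled ID."""
        mangled = mangle(self.plugin_id, user_id)
        self._by_mangled[mangled] = user_id
        return mangled

    def original_id(self, mangled: str) -> Optional[str]:
        """Recover the ID this plugin knows, or None if the user is not ours."""
        return self._by_mangled.get(mangled)


def demo() -> Tuple[str, str, Optional[str], Optional[str]]:
    """Two plugins each authenticate 'jens'; the IDs stay distinct and each
    plugin only recognises its own user."""
    ldap = IdCache("ldap")
    zodb = IdCache("zodb")
    ldap_jens = ldap.authenticate("jens")
    zodb_jens = zodb.authenticate("jens")
    return ldap_jens, zodb_jens, ldap.original_id(ldap_jens), ldap.original_id(zodb_jens)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `('ldap__jens', 'zodb__jens', 'jens', None)`: the LDAP plugin recovers its own "jens" and does not claim the ZODB one. Whether the prefix should name the authenticator or the enumerator, as debated in the thread, does not change the mechanics; it only changes which plugin ID goes into `mangle`.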