[Zope3-Users] Re: Applying permissions to users from LDAP

David Johnson djohnson at jsatech.com
Tue Feb 13 04:51:24 EST 2007


I'm trying to understand this situation also since we face it  
frequently.  The PAU has a Group Folder which works well in this  
regard.  Would the idea of extending Groups in the PAU to include any  
person in the ldap directory be useful?  It seems this would be  
easier and more flexible.



On Feb 12, 2007, at 3:05 PM, Alec Munro wrote:

> Thanks Philipp! I suspect your first suggested solution will probably
> be the one that makes sense for us, but I will have to do a little
> experimentation to be sure. It's very useful that you are able to
> actually pick out the interfaces and interface methods that are of
> concern to me.
>
> This reminds me that I have to pick up the new version of your book.
>
> Alec
>
> On 2/9/07, Philipp von Weitershausen <philipp at weitershausen.de> wrote:
>> Alec Munro wrote:
>> > I've just succeeded in getting Zope authenticating against my LDAP
>> > directory, using ldapadapter and ldappas. The directory itself is
>> > brand new, and is currently only being used for Zope.
>> > I am able to manually grant permissions to LDAP users, but I'm
>> > wondering if there's a way to automatically grant an LDAP user certain
>> > roles, depending on what groups he or she is in?
>> >
>> > I imagine this could probably be done by extending ldappas, but it
>> > seems like a common problem, so I thought it would be worth asking
>> > here to see if anyone has any other ideas (or has already extended
>> > ldappas themselves).
>>
>> Alec,
>>
>> roles are a concept only known to Zope 3's default security policy, they
>> aren't really a part of the authentication system.
>>
>> While the authentication only identifies principals by matching login
>> credentials to a user database, the security policy actually decides
>> whether a principal has a certain permission or not
>> (IInteraction.checkPermission). Zope's default security policy happens
>> to use an intermediary concept between principals and permissions called
>> "role".
>>
>> The default policy retrieves the roles and permissions of a principal by
>> adapting the current context object to IPrincipalRoleMap or
>> IPrincipalPermissionMap, respectively (from
>> zope.app.securitypolicy.interfaces). The default adapters for these
>> store the maps persistently in annotations. The Grant view uses the same
>> adapters to persistently modify this information. So, if you want your
>> LDAP users to automatically have certain roles or permissions, one way
>> to go would be to implement custom IPrincipalRoleMap or
>> IPrincipalPermissionMap adapters. This would be a way to adjust the
>> behaviour of the existing default security policy.
>>
>> Another solution for your problem might be a custom security policy
>> (perhaps based on Zope's default one) that inherently knows about which
>> principals get which permissions / roles automatically. This could also
>> be made pluggable so that you wouldn't have to write a new security
>> policy every time those sets of permissions and roles change. From a
>> brief look, it seems that this is what the "crowd" concept of
>> schooltool.securitypolicy
>> (http://source.schooltool.org/svn/trunk/schooltool/src/schooltool/securitypolicy/README.txt)
>> seems to solve. It should be quite trivial to write an "LDAP" crowd
>> (representing all principals from the LDAP database) and then grant that
>> crowd the specified permissions.
>>
>> HTH
>>
>>
>> --
>> http://worldcookery.com -- Professional Zope documentation and training
>> Next Zope 3 training at Camp5: http://trizpug.org/boot-camp/camp5
>>
>> _______________________________________________
>> Zope3-users mailing list
>> Zope3-users at zope.org
>> http://mail.zope.org/mailman/listinfo/zope3-users
>>
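A sketch of Philipp's first suggestion (a custom IPrincipalRoleMap-style adapter that confers roles on LDAP principals from their LDAP group membership, layered over the persistent grants the default annotation adapter stores), added here as an illustration and not code from the thread, ldappas or Zope. It is pure Python so it runs stand-alone; the group-to-role table, the principal ids and the `group_lookup` callable standing in for the LDAP directory are constructed assumptions, and in a real Zope 3 adapter the class would declare `implements(IPrincipalRoleMap)`, take the Allow/Deny/Unset markers from the security policy's settings module and be registered as an adapter for the context object.

```python
# Added example, not from the thread. Pure-Python sketch of an
# IPrincipalRoleMap-like adapter: roles derived from LDAP groups plus the
# persistent per-context grants the default adapter would store.
Allow, Deny, Unset = "Allow", "Deny", "Unset"  # stand-ins for the policy's settings

# Hypothetical mapping from LDAP group DN to Zope role ids (assumption).
GROUP_ROLES = {
    "cn=editors,ou=groups,dc=example,dc=com": ("zope.Editor",),
    "cn=admins,ou=groups,dc=example,dc=com": ("zope.Manager", "zope.Editor"),
}


class LDAPGroupRoleMap:
    """persistent: {(role_id, principal_id): setting}, as the annotation
    adapter would hold it; group_lookup(principal_id) returns the LDAP group
    DNs the principal belongs to (a stub here, see sample_map below)."""

    def __init__(self, persistent, group_lookup):
        self._persistent = persistent
        self._groups = group_lookup

    def getSetting(self, role_id, principal_id, default=Unset):
        # An explicit persistent grant (Allow or Deny) always wins, so an
        # administrator can still revoke a role the directory would confer.
        setting = self._persistent.get((role_id, principal_id), Unset)
        if setting != Unset:
            return setting
        for dn in self._groups(principal_id):
            if role_id in GROUP_ROLES.get(dn, ()):
                return Allow
        return default

    def getRolesForPrincipal(self, principal_id):
        roles = {}
        for dn in self._groups(principal_id):
            for role_id in GROUP_ROLES.get(dn, ()):
                roles[role_id] = Allow
        for (role_id, pid), setting in self._persistent.items():
            if pid == principal_id:
                roles[role_id] = setting  # persistent grants override
        return sorted(roles.items())


# Constructed sample data standing in for the directory and the annotations.
SAMPLE_GROUPS = {
    "ldap.alice": ["cn=admins,ou=groups,dc=example,dc=com"],
    "ldap.bob": ["cn=editors,ou=groups,dc=example,dc=com"],
}
SAMPLE_PERSISTENT = {("zope.Editor", "ldap.bob"): Deny}  # bob explicitly denied


def sample_map():
    return LDAPGroupRoleMap(SAMPLE_PERSISTENT, lambda pid: SAMPLE_GROUPS.get(pid, []))
```

With this layering a Deny recorded through the Grant view still beats a group-derived Allow, which is the property to check first when the directory, not the Zope admin, drives role assignment.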


