Authentication questions
Hi listers,

I'm currently discussing requirements for yet another Zope/Plone portal for the company that I'm working for; and the issues with this particular site include mixing accounts from both internal employees and external consultants. Not all employees will have access to this site.

The internal staff are currently authenticated via Windows (and Active Directory accounts) which is a critical requirement. The external folks will only be accessing this one site, so their accounts are very site-specific.

What is the most logical way to have both specific AD accounts (not the whole directory) and Zope user accounts authenticate for one site?

-- Mitch

> The internal staff are currently authenticated via Windows (and Active Directory accounts) which is a critical requirement. The external folks will only be accessing this one site, so their accounts are very site-specific.
>
> What is the most logical way to have both specific AD accounts (not the whole directory) and Zope user accounts authenticate for one site?

Use the LDAPUserFolder** and either create group-type records in AD that hold the AD people allowed to log in and map it to a role in Zope, or store role information for the AD users on the user folder itself (-> see configuration help) and manually assign the right roles to these privileged directory users.

Make sure you read README.ActiveDirectory.txt for all the pitfalls associated with their poor LDAP implementation.

jens

** http://www.dataflake.org/software/ldapuserfolder/

> I'm currently discussing requirements for yet another Zope/Plone portal for the company that I'm working for; and the issues with this particular site include mixing accounts from both internal employees and external consultants. Not all employees will have access to this site.
>
> The internal staff are currently authenticated via Windows (and Active Directory accounts) which is a critical requirement. The external folks will only be accessing this one site, so their accounts are very site-specific.
>
> What is the most logical way to have both specific AD accounts (not the whole directory) and Zope user accounts authenticate for one site?

http://www.zope.org/Members/tsarna/LoginManager

should allow you to nicely create a compound user source. There may be other similar products, and certainly you can "roll your own" with exUserFolder or SimpleUserFolder, though probably not as flexibly.

If other posts are correct, you can compound the regular user folder with an LDAP user folder.

There also used to be (or still are)

http://zope.org/Members/jephte/jcNTUserFolder
http://zope.org/Members/htrd/NTUserFolder
http://zope.org/Members/mcdonc/smbUserFolder
http://zope.org/Members/djay/RemoteUserFolder

which promise some sort of NT login integration, but I ceased paying attention to things Microsofty too long ago to really know.

--jcc

--
"Code generators follow the 80/20 rule. They solve most of the problems, but not all of the problems. There are always features and edge cases that will need hand-coding. Even if code generation could build 100 percent of the application, there will still be an endless supply of boring meetings about feature design."
(http://www.devx.com/java/editorial/15511)

J Cameron Cooper wrote:
I was under the impression that needed ZPatterns and was now totally unmaintained?
> should allow you to nicely create a compound user source. There may be other similar products, and certainly you can "roll your own" with exUserFolder or SimpleUserFolder, though probably not as flexibly.
SUF is what I'd recommend, but then I would ;-)

That said, it was specifically designed for this kinda thing...

cheers,

Chris

J Cameron Cooper wrote:
I was under the impression that needed ZPatterns and was now totally unmaintained?
Could be. I just dredged up the link. It does seem a bit old, but then, some things have a finish.

--jcc

--
"My point and period will be throughly wrought,
Or well or ill, as this day's battle's fought."

participants (4)
- Chris Withers
- J Cameron Cooper
- Jens Vagelpohl
- Mitch Pirtle