RE: FW: [Zope-dev] pam authentication support with PyPam
From: Michel Pelletier [mailto:michel@digicool.com] Sent: 2. november 1999 17:13 To: Alexander Staubo; zope-dev@zope.org Subject: Re: FW: [Zope-dev] pam authentication support with PyPam
The first is the fact that only user folders are accumulative only at folder boundaries. You cannot create one UserFolder and one NTUserFolder at the same level and have them co-opt the user authentication responsibility.
I think this is a good idea, I wonder if the Generic User Folder recently prototyped (hey, who did that? I can't find any artifacts to it anywhere) does this.
Stuart Bishop (zen@cs.rmit.edu.au).
The second, more serious gripe is with the security permission model. Look at NT 4.0 and the security UI that comes with SP4/SP5's Security Configuration Manager for a good example (installing it will upgrade NT's security dialogs with a new UI).
<snip good stuff>
There are really deep and fundamental issues, I can see exactly what you're talking about, but implementation could take a while, last time I looked at the security system I shuddered.
Have you looked into implementation? This is sort of a separate issue from the user folder abstraction thing.
I have not, and I'm not sure I want to touch that part of Zope. :-) While what I'm proposing is pretty radical, I believe it is necessary. Instead of a plug-in folder architecture, why not simply permit multiple user folders sharing the same folder? The only issue with this is, I suspect, that it would be difficult to arrange any sort of prioritization -- you could not specify that one user folder should take priority over another, unless perhaps each folder had a priority attribute assigned to it. Another angle could be a user database object. Each user database would essentially be a folder containing one or more user folders, and would simply iterate through its children to authenticate a user. It seems a healthy, detailed discussion is in order.
-Michel
-- Alexander Staubo http://www.mop.no/~alex/ "Reality is that which, when you stop believing in it, doesn't go away." --Philip K. Dick
From what I've seen in the source, this:
Alexander Staubo <alex@mop.no> wrote:
Another angle could be a user database object. Each user database would essentially be a folder containing one or more user folders, and would simply iterate through its children to authenticate a user.
is probably the least painful way to accomplish this goal. Right now, for example, you could create a folder 'userdbs' containing each user folder in a sub-folder. There would be user folders at 'userdbs/udb1/acl_users', 'userdbs/udb2/acl_users', etc. Then you can force each request to pass through 'userdbs/udb1/udb2/...' when it passes through the folder containing 'userdbs', and the user folders will be checked for authentication (in reverse order). Evan @ 4-am
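Alexander's user-database idea as Evan reads it above, written out as an added Python example (not code from the thread or from Zope itself): a composite object that iterates over child user folders in order of a priority attribute, plus a check for usernames that a lower-priority folder defines but can never authenticate. The folder names, the priority attribute and the user tables are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class UserFolder:
    """One acl_users-style child folder with its own user table."""
    name: str
    priority: int
    users: dict  # username -> hex SHA-256 of the password (constructed sample data)

    def knows(self, username):
        return username in self.users

    def check(self, username, password):
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        # constant-time compare: a wrong password is not distinguishable by timing
        return hmac.compare_digest(self.users[username], digest)


class UserDatabase:
    """The 'userdbs' object: consults its children highest priority first."""

    def __init__(self, folders):
        self.folders = sorted(folders, key=lambda f: f.priority, reverse=True)

    def authenticate(self, username, password):
        for folder in self.folders:
            if folder.knows(username):
                # The highest-priority folder that knows the name decides; lower
                # folders are never consulted, so a stale copy there cannot grant access.
                return folder.name if folder.check(username, password) else None
        return None  # no child folder knows this user

    def shadowed_users(self):
        """Usernames defined in more than one child, with owning folders in
        priority order; only the first definition is ever used."""
        owners = {}
        for folder in self.folders:
            for user in folder.users:
                owners.setdefault(user, []).append(folder.name)
        return {u: names for u, names in owners.items() if len(names) > 1}


def _h(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data, mirroring 'userdbs/udb1/acl_users' and 'userdbs/udb2/acl_users'.
UDB1 = UserFolder("udb1", priority=10, users={"alice": _h("alice-pw"), "bob": _h("bob-pw1")})
UDB2 = UserFolder("udb2", priority=5, users={"bob": _h("bob-pw2"), "carol": _h("carol-pw")})
USERDBS = UserDatabase([UDB2, UDB1])
```

Running `USERDBS.shadowed_users()` on the sample data reports that 'bob' exists in both children, which is exactly the prioritization question Alexander raises: without the priority attribute the outcome for such a user is undefined.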
participants (2)
- Alexander Staubo
- Evan Simpson