[Grok-dev] LDAP authentication and groups

Jeroen Michiel jmichiel at yahoo.com
Mon Aug 10 08:07:28 EDT 2009


OK, no problem to extend the existing doc.

I'll need some help on first getting it to actually work, and then making
sure it complies with the 'best practices'. I want to gradually build up to
where I want to get to:
a) First explain how to simply link permissions to principals. 
b) Introduce Groups. Keep it simple and manage the groups in the ZODB.
Assign the permissions to the groups so that all members get them.
c) Reflect the groups defined in LDAP and assign permissions based on those.

For a)
This should be done with the IPrincipalCreated event, right? Check if the
principalIdPrefix matches, and then call
IPrincipalPermissionManager.grantPermissionToPrincipal for the needed
permissions (or roles).

For b)
I don't get this to work, but I don't really know what I'm supposed to do to
make it work. What I tried is to add a GroupFolder to the PAU in the ZMI
(BTW: is the ZMI still to be used with grok, in fact??? Because you have to
know how to get to it, there's no link to it on the main grok admin view). I
then added a group to it. In the ZMI view of the group you apparently can
search for principals. I see an LDAP-aware form to enter data about the
user, that is apparently described by a schema you can set in the schema
attribute of the authenticator plugin. However, if I try to search for LDAP
users, it doesn't find any, it shows an empty selection list...

For c)
I don't have a clue yet how to do this... Most likely implement my own
groupfolder, but I'll have to periodically synchronize with LDAP to reflect
changes made there.


Sebastian Ware wrote:
> 
> Great feedback! Please consider updating the main document, I think it  
> would be useful to have it all in the same place. Note, I don't have an  
> answer to your question :) I just want to encourage you to go all the  
> way on this one.
> 
>   
> https://blueprints.launchpad.net/grok/+spec/doc-authentication-with-grok
> 
> If you give me a Launchpad ID I can assign you to the document on  
> Launchpad (so you can update the whiteboard when you have done your  
> edits). If you don't have edit privileges on grok.zope.org, drop a mail  
> with your grok.zope.org id to Kevin Teague and he can fix this for you.
> 
> Mvh Sebastian
> 
> 

-- 
View this message in context: http://www.nabble.com/LDAP-authentication-and-groups-tp24848493p24898566.html
Sent from the Grok mailing list archive at Nabble.com.
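
The following is an added example, not code from this post or from Grok. It sketches steps a) and c) together: grant permissions when a prefixed principal is created, and on each later sync remove grants whose LDAP group membership has gone away. `LDAP_PREFIX`, `GROUP_PERMISSIONS`, `reconcile`, `lookup_groups` and the permission ids are hypothetical; `manager` is assumed to be any object offering the `IPrincipalPermissionManager` methods `grantPermissionToPrincipal` and `unsetPermissionForPrincipal`, and `event` anything with the `principal` attribute of `IPrincipalCreated`.

```python
# Added example: duck-typed so it runs without Zope installed.
# In a Grok app the handler body would sit in an IPrincipalCreated
# subscriber; that wiring is assumed and not shown here.

LDAP_PREFIX = "ldap."              # hypothetical principalIdPrefix
GROUP_PERMISSIONS = {              # hypothetical LDAP group -> permission ids
    "staff": {"app.View"},
    "admins": {"app.View", "app.Manage"},
}

def permissions_for(groups):
    """Union of permissions for the groups; unknown groups grant nothing."""
    wanted = set()
    for group in groups:
        wanted |= GROUP_PERMISSIONS.get(group, set())
    return wanted

def reconcile(manager, principal_id, ldap_groups, current):
    """Make grants match the directory: add missing ones, remove stale ones.

    `current` is the set of permissions this code granted earlier to the
    principal. Returns the new set, which the caller must persist.
    """
    if not principal_id.startswith(LDAP_PREFIX):
        return set(current)        # not an LDAP principal: leave untouched
    wanted = permissions_for(ldap_groups)
    for perm in sorted(wanted - current):
        manager.grantPermissionToPrincipal(perm, principal_id)
    for perm in sorted(current - wanted):   # membership removed in LDAP
        manager.unsetPermissionForPrincipal(perm, principal_id)
    return wanted

def on_principal_created(event, manager, lookup_groups, granted):
    """Handler body for step a); `lookup_groups(pid)` queries the directory."""
    pid = event.principal.id
    granted[pid] = reconcile(manager, pid, lookup_groups(pid),
                             granted.get(pid, set()))

class RecordingManager:            # constructed stand-in, records calls only
    def __init__(self):
        self.calls = []
    def grantPermissionToPrincipal(self, perm, pid):
        self.calls.append(("grant", perm, pid))
    def unsetPermissionForPrincipal(self, perm, pid):
        self.calls.append(("unset", perm, pid))
```

Running `reconcile` from the periodic LDAP sync as well as from the event handler keeps a user who was removed from a group from retaining its permissions until their next login.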