[Zope-dev] [Long] Advice solicited on Security, exUserFolder, and Components in Zope 2.4.x and forward?

Dario Lopez-Kästen dario@ita.chalmers.se
Mon, 6 Aug 2001 15:08:15 +0200


Hello!

A couple of questions for ye Zope Deities,

I am starting out in Python programming and Zope by adapting the
exUserFolder product for usage with Zope 2.4.x and to our own security
stuff. So far I have had limited luck, but I am slowly understanding how
Zope UserFolders work and how exUserFolder works. If anyone has had any
success in adapting exUserFolder for Zope 2.4.x please let me know, as you
are probably better doing it than I am  :-).

I am adapting the exUserFolder for various reasons, the most important being
that I need to manage amounts of 10k+ users with several different types of
roles, that have to be calculated in some instances. The setting here is a
university building an Educational Portal for its students and staff.

I would gladly accept any input of whether this is doable by adapting the
exUserFolder or if there are any other means of doing it. I do not want to
list 10k+ users in the management interface, nor do I want to have to list
all possible, and current, roles each and every user might have. Explanation
of my rationale follows below.

During this investigation I've looked at the ZopeDevGuide, and I am
wondering if I can start using the new component interfaces with the current
release of Zope. It is not clear that I cannot, but it also is not clear if I
can.

Anyway, any help or comments are appreciated.

--<begin longish problem explanation>--

Due to the nature of our infrastructure, I need to have a very clean
separation of authentication, authorisation, user-mapping and
user-information. In essence our needs mandate that we keep a map-database
between various keys identifying users in various systems, where Zope works
as the middleware. Our "authentication service" is actually three
different auth services (try one, if fail try next, etc) that we need to
employ during a transition phase (we'll end up using DCE in the end for all
centralised authentication services).

The mapping service helps us map the username to various other keys needed
to interact with some of our legacy systems. We maintain a database mapping
username with, for example, social security number. This way, when you log
in, you only use your username and passwd and then the system automagically
knows your social sec nr and a) gives you personalised info from the
university and b) prevents you from accessing other users' personal info.

The auth service will be used to allow or restrict access to various parts
of the system. For instance, it is desirable to restrict certain features in
a course homepage system to people that are actually registered as
participants in the course. For this we want to use a system of "calculated
roles" in combination with what I, for lack of a better name, would call
"adapted queries" (as in "return only stuff for user x"). So I am thinking
of finding a way of providing Zope with a list of acceptable roles, say, as
the result of a ZSQLMethod.

The user-info service would provide us with other user-properties such as
Full Name, Home Address, etc.

The problem I am having so far is that I cannot even get etcAuthSource
working. I am now trying with usAuthSource and have had some luck with it,
but nothing that works quite right just yet.

--<end longish problem explanation>--

Any help is, as always, appreciated.

Sincerely,

/dario
cc-ing zope-edu-user, eurozope


- --------------------------------------------------------------------
Dario Lopez-Kästen     Systems Developer  Chalmers Univ. of Technology
dario@ita.chalmers.se  ICQ will yield no hits    IT Systems & Services
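The design sketched in the message above (a chain of auth sources tried in turn, a username-to-key mapping that stays server-side, roles calculated per user and course from a query instead of stored in the user folder, and "adapted queries" that only return the caller's own records), as an added illustration that is not Dario's code nor exUserFolder's. It assumes an in-memory sqlite table standing in for the ZSQLMethod and a constructed sha256 credential store; all names and data are made up.

```python
import hashlib
import hmac
import sqlite3

def _h(pw):
    # Constructed sample credential store: sha256 hex per user (illustration only).
    return hashlib.sha256(pw.encode()).hexdigest()

class AuthSource:
    """One authentication backend; answers True only on a positive match."""
    def __init__(self, name, pw_hashes):
        self.name, self._pw = name, pw_hashes
    def authenticate(self, username, password):
        stored = self._pw.get(username)
        return stored is not None and hmac.compare_digest(stored, _h(password))

class ChainedAuth:
    """'Try one, if fail try next': the first source that accepts wins, otherwise deny."""
    def __init__(self, sources):
        self.sources = sources
    def authenticate(self, username, password):
        for src in self.sources:
            if src.authenticate(username, password):
                return src.name        # which backend vouched for the user
        return None                    # no source accepted: fail closed

class UserServices:
    """Mapping service, calculated roles and adapted queries over one DB (stand-in for ZSQLMethods)."""
    def __init__(self, conn):
        self.conn = conn
    def roles_for(self, username, course):
        # Roles are computed from course registrations at request time, never listed per user.
        rows = self.conn.execute("SELECT role FROM registrations WHERE username=? AND course=?",
                                 (username, course)).fetchall()
        return {"Authenticated"} | {r[0] for r in rows}
    def personal_info(self, username):
        # The mapped key (a fake "ssn") comes only from the map table, never from the request.
        return self.conn.execute("SELECT i.record FROM usermap m JOIN personal i ON i.ssn=m.ssn "
                                 "WHERE m.username=?", (username,)).fetchall()

def build_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE registrations(username TEXT, course TEXT, role TEXT);
      CREATE TABLE usermap(username TEXT, ssn TEXT);
      CREATE TABLE personal(ssn TEXT, record TEXT);
      INSERT INTO registrations VALUES ('alice','TDA123','Participant'),('bob','TDA123','Teacher');
      INSERT INTO usermap VALUES ('alice','SSN-A'),('bob','SSN-B');
      INSERT INTO personal VALUES ('SSN-A','alice grades'),('SSN-B','bob salary');""")
    chain = ChainedAuth([AuthSource("legacy", {"alice": _h("pw-a")}),
                         AuthSource("dce", {"bob": _h("pw-b")})])
    return chain, UserServices(conn)
```

A user known to no source, or a wrong password against every source, yields None from the chain, and a user with no registration in a course gets only the Authenticated role.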