[Zope-PAS] ZODBRoleManager: assigned roles not found
Willi Langenberger
wlang at wu-wien.ac.at
Fri Aug 27 10:00:32 EDT 2004
Hi!
It seems impossible to assign roles to users (at least with the
ZODBRoleManager plugin), if there are different plugins implementing
IAuthenticationPlugin and IUserEnumerationPlugin.
Example: at our university we have AFS installed. Our authentication
should be done with AFS/Kerberos. However, AFS/Kerberos has no
user-enumeration interface. So we feed our users into an ldap server.
I've written two plugins:
- krb KrbAuthHelper (method authenticateCredentials)
- ldap LDAPSearchPlugin (method enumerateUsers)
Now, if I assign the user 'wlang' to the role 'Manager' with
ZODBRoleManager (with acl_users/zodb_roles/manage_roles), this has no
effect.
Reason: internally, ZODBRoleManager stores the user's
'user_id' (in my case 'ldap__wlang' instead of 'wlang', as it comes
from the ldap plugin). During authentication of a request, the
ZODBRoleManager.getRolesForPrincipal method takes the user_id of the
authenticated user (which is 'krb__wlang' in my case). As ldap__wlang
is not equal to krb__wlang, the assigned roles are not found.
So what is the right fix for this? Require that user-enumeration
and user-authentication come always from the same plugin (for the same
user)? Or, assigning the user's "login" name (instead of the user_id)
in the role manager?
I know, it is not difficult to put the enumerateUsers and
authenticateCredentials in one plugin (KrbAuthLdapSearch ;-), but I also
want to know what others think about this...
\wlang{}
--
Willi.Langenberger at wu-wien.ac.at Fax: +43/1/31336/9207
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
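
Added example, not part of the original post and not PAS code: a simplified Python model of the lookup the post describes, showing the role stored under 'ldap__wlang' being missed for 'krb__wlang', and what changes when the role is keyed by login name instead. The class and function names and the third source 'other__' are assumptions made for illustration; in this model a login-keyed role is found for any source that authenticates the same login name.

```python
# Simplified model of the lookup described in the post; not PAS source code.
# Class and function names are hypothetical; ids and prefixes come from the post.

class Plugin:
    """A user source that namespaces the ids it hands out with its prefix."""
    def __init__(self, prefix, logins):
        self.prefix, self.logins = prefix, set(logins)

    def user_id(self, login):
        return self.prefix + login if login in self.logins else None


class RoleStore:
    """Role assignments, stored under whatever key the caller supplies."""
    def __init__(self):
        self._roles = {}

    def assign(self, key, role):
        self._roles.setdefault(key, set()).add(role)

    def roles_for(self, key):
        return sorted(self._roles.get(key, ()))


def roles_at_request(store, auth_plugin, login, key_by_login=False):
    """Roles found for a principal authenticated by auth_plugin."""
    user_id = auth_plugin.user_id(login)
    if user_id is None:          # this plugin does not know the login
        return []
    return store.roles_for(login if key_by_login else user_id)


def demo():
    krb = Plugin("krb__", ["wlang"])      # authenticates (from the post)
    ldap = Plugin("ldap__", ["wlang"])    # enumerates (from the post)
    other = Plugin("other__", ["wlang"])  # constructed: unrelated third source

    by_id = RoleStore()                   # role keyed by the enumerated user_id
    by_id.assign(ldap.user_id("wlang"), "Manager")
    by_login = RoleStore()                # role keyed by the bare login name
    by_login.assign("wlang", "Manager")

    return {
        "id_keyed_via_krb": roles_at_request(by_id, krb, "wlang"),
        "login_keyed_via_krb": roles_at_request(by_login, krb, "wlang", True),
        "login_keyed_via_other": roles_at_request(by_login, other, "wlang", True),
    }
```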