[Zope-PAS] Lack of user enumeration a problem
Wichert Akkerman
wichert at wiggy.net
Tue Aug 12 10:00:41 EDT 2008
Previously Behrens, Matt wrote:
> Tres Seaver wrote:
>
> > You need to have plugins registered which implement
> > IUserEnumeration and IGroupEnumeration for your site.
> > Probably you are going to need to share the set of valid
> > users with that external program, though.
>
> Right, but what if I can't enumerate the users? In this scenario, I
> actually cannot get a list of valid users. Inside Zope, my sole
> assurance that I have a valid user is that the hash matches up.
>
> It's a similar situation to exUserFolder's smbAuthSource; in that case,
> a username and password is provided and passed on for authentication,
> and if it works, a user object is created on the fly. Or REMOTE_USER,
> if you don't have access to the list of valid users; you simply trust
> the username you're given, creating that user object again.
Many user sources suffer from this. I had the same problem when
implementing OpenID. Basically the problem is that PAS tries to verify
if a userid is linked to a valid user by doing a search for it. For
OpenID I added some workaround code that checks if you are doing an
exact user search for a userid that looks like a URL and, if so, always
returns a dummy user. That made PAS happy.
Wichert.
--
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
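The workaround Wichert describes, written out as an added illustration (this is not his plugin's code and not part of the original post). It assumes the shape of the PAS `IUserEnumeration.enumerateUsers` contract (keyword arguments `id`, `login`, `exact_match`, `sort_by`, `max_results`, returning mappings with `id`, `login` and `pluginid`); the class name, the plugin id and the URL pattern are constructed for the example. A real plugin would subclass `BasePlugin` from `Products.PluggableAuthService` and be activated for the enumeration interface; here the class stands alone so it runs without Zope. The point to watch is that such a plugin makes PAS's "is this userid real?" check succeed by fiat, so it answers only exact-match lookups for ids that look like URLs and stays silent for wildcard or substring searches, which would otherwise turn every URL into a listed user.

```python
import re
from typing import Any, Dict, List, Optional, Sequence, Union

# Rough OpenID identifier shape (constructed for this example): an http(s)
# URL with a host part, optionally followed by a path.
_URL_RE = re.compile(r"^https?://[^\s/]+(/.*)?$")

IdArg = Optional[Union[str, Sequence[str]]]


class OpenIdEnumerationPlugin:
    """Stand-in for a PAS IUserEnumeration plugin (hypothetical, not Zope's code).

    PAS verifies a userid it already holds by calling
    enumerateUsers(id=<userid>, exact_match=True). When the real user store
    cannot be enumerated (OpenID, REMOTE_USER, pass-through auth sources)
    this plugin answers that one narrow question with a dummy record.
    """

    def __init__(self, plugin_id: str = "openid_enumeration") -> None:
        self.id = plugin_id

    def getId(self) -> str:
        return self.id

    def enumerateUsers(
        self,
        id: IdArg = None,
        login: IdArg = None,
        exact_match: bool = False,
        sort_by: Optional[str] = None,
        max_results: Optional[int] = None,
        **kw: Any,
    ) -> List[Dict[str, Any]]:
        # Refuse substring / wildcard searches: we have no user list to search,
        # and answering them would make arbitrary URLs appear as users.
        if not exact_match:
            return []

        wanted = id if id is not None else login
        if wanted is None:
            return []

        # PAS may pass a single string or a sequence of ids; only a single
        # exact id can be answered meaningfully here.
        if isinstance(wanted, (list, tuple)):
            if len(wanted) != 1:
                return []
            wanted = wanted[0]

        if not isinstance(wanted, str) or not _URL_RE.match(wanted):
            return []

        # The dummy record PAS needs to accept the userid as valid.
        return [{"id": wanted, "login": wanted, "pluginid": self.id}]


if __name__ == "__main__":
    plugin = OpenIdEnumerationPlugin()
    # Constructed sample lookups, mirroring what PAS issues during validation.
    print(plugin.enumerateUsers(id="https://example.org/alice", exact_match=True))
    print(plugin.enumerateUsers(id="https://example.org/alice"))   # not exact: []
    print(plugin.enumerateUsers(id="alice", exact_match=True))     # not a URL: []
```

Because the record is fabricated on demand, the plugin should be paired with an authentication plugin that only ever issues URL-shaped userids it has actually verified; the enumeration plugin itself proves nothing about the user.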