[Zope-PAS] Lack of user enumeration a problem

Wichert Akkerman wichert at wiggy.net
Tue Aug 12 10:00:41 EDT 2008


Previously Behrens, Matt wrote:
> Tres Seaver wrote: 
> 
> > You need to have plugins registered which implement 
> > IUserEnumeration and IGroupEnumeration for your site.  
> > Probably you are going to need to share the set of valid 
> > users with that external program, though.
> 
> Right, but what if I can't enumerate the users?  In this scenario, I
> actually cannot get a list of valid users.  Inside Zope, my sole
> assurance that I have a valid user is that the hash matches up.
> 
> It's a similar situation to exUserFolder's smbAuthSource; in that case,
> a username and password is provided and passed on for authentication,
> and if it works, a user object is created on the fly.  Or REMOTE_USER,
> if you don't have access to the list of valid users; you simply trust
> the username you're given, creating that user object again.

Many user sources suffer from this. I had the same problem when
implementing OpenID. Basically the problem is that PAS tries to verify
if a userid is linked to a valid user by doing a search for it. For
OpenID I added some workaround code that checks if you are doing an
exact user search for a userid that looks like a URL and if so always
returns a dummy user. That made PAS happy.

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
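The exact-match workaround Wichert describes, as an added example that is not his OpenID plugin's code: a stand-in class that mirrors the PAS `enumerateUsers` signature without depending on the PAS base classes. The plugin id, the URL test and the shape of the result mapping (`id`, `login`, `pluginid`) are assumptions for illustration.

```python
# Added example (not the actual OpenID plugin): a stand-in PAS user-enumeration
# plugin. It mirrors the IUserEnumerationPlugin.enumerateUsers signature and
# assumes the PAS convention that each result is a mapping with 'id', 'login'
# and 'pluginid' keys. The plugin id below is a constructed value.
from urllib.parse import urlsplit

PLUGIN_ID = "openid_enumerator"  # assumed plugin id, for illustration


def looks_like_openid_url(userid):
    """True if the userid parses as an absolute http(s) URL with a host."""
    if not isinstance(userid, str):
        return False
    parts = urlsplit(userid)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class OpenIdEnumerationPlugin:
    """Satisfies PAS's "is this userid a real user?" lookup for OpenID ids.

    PAS verifies a userid by asking enumeration plugins for an exact match.
    An OpenID identity cannot be listed ahead of time, so for an exact
    search on a URL-shaped id we answer with a dummy record. Wildcard or
    listing queries get nothing, so this plugin does not expose a user list.
    """

    def __init__(self, plugin_id=PLUGIN_ID):
        self.id = plugin_id

    def enumerateUsers(self, id=None, login=None, exact_match=False,
                       sort_by=None, max_results=None, **kw):
        # Only answer exact-match lookups for a single id (or login).
        if not exact_match:
            return ()
        key = id if id is not None else login
        if isinstance(key, (list, tuple)):
            if len(key) != 1:
                return ()
            key = key[0]
        if not looks_like_openid_url(key):
            return ()
        # Dummy record: it asserts existence only. Authentication is still
        # done by the authentication plugin; this record grants nothing.
        return ({"id": key, "login": key, "pluginid": self.id},)
```

Because the record is returned for any URL-shaped id, the authentication plugin remains the only place that actually verifies the OpenID assertion.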