[Zope] Security glitch on user-editing form

Rob Page rob.page@digicool.com
Tue, 11 May 1999 16:43:07 -0400


>  Any one-way encryption method will work, but why not modularized
>  authentication support? Something that would permit you to use anything

Already there in user folders! :^) We happen to have implemented an
internal Zope authentication/authorization database.  Additionally, at:

http://www.zope.org/Download/Unsupported

there's an etcUserFolder (auth against /etc/passwd type files) and a
UserDB (auth against an RDBMS) and sometime soon there might be an
LDAPUserFolder based on something that smells a lot like an LDAP
Database Adapter.

>  from one-way-encryption to Kerberos to LDAP, but not necessarily just a
>  fixed algorithm. LDAP is an interesting possibility, but I don't like
>  the idea of being stapled to LDAP -- it's overkill for most
>  installations.

I agree totally!  My _real_ question was, in the internal User Folder
component, whether to store passwords a) in their original form or b)
as a hash or c) as a selectable option ...  Of course, c) is
probably the best answer!

--Rob
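As an added illustration of option c) from the message above (example code written for this archive page, not Zope's user folder implementation): a minimal user store whose password storage scheme is picked when the folder is created. The `plain` scheme keeps the original form (option a) and the `pbkdf2` scheme keeps a salted one-way hash (option b); both records are serialized in a `$`-separated crypt-style line of the kind an /etc/passwd-style folder would hold. `UserFolder`, `add_user`, `verify`, `stored_record` and the choice of PBKDF2-HMAC-SHA256 are all assumptions of this example; the thread names no particular one-way function.

```python
import hashlib
import hmac
import os

# Hypothetical user store (not Zope's own code). The storage scheme is chosen
# once per folder: "plain" keeps the original password, "pbkdf2" keeps a salted
# PBKDF2-HMAC-SHA256 digest (the one-way function is an assumption here).
class UserFolder:
    SCHEMES = ("plain", "pbkdf2")

    def __init__(self, scheme="pbkdf2", iterations=100_000):
        if scheme not in self.SCHEMES:
            raise ValueError("unknown password scheme: %s" % scheme)
        self.scheme = scheme
        self.iterations = iterations
        self._records = {}  # username -> stored record line

    def _encode(self, password):
        """Serialize a password under the folder's scheme."""
        if self.scheme == "plain":
            return "plain$" + password
        salt = os.urandom(16)  # fresh salt per user so equal passwords differ
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations)
        return "pbkdf2$sha256$%d$%s$%s" % (
            self.iterations, salt.hex(), digest.hex())

    def add_user(self, name, password):
        self._records[name] = self._encode(password)

    def stored_record(self, name):
        """The line that would land on disk; what a leaked database exposes."""
        return self._records.get(name)

    def verify(self, name, password):
        """Check a login attempt against the stored record; the record itself
        says which scheme produced it, so a folder can be migrated later."""
        record = self._records.get(name)
        if record is None:
            return False
        scheme, rest = record.split("$", 1)
        if scheme == "plain":
            return hmac.compare_digest(
                rest.encode("utf-8"), password.encode("utf-8"))
        algo, iters, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac(
            algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        # constant-time comparison of the hex digests
        return hmac.compare_digest(candidate.hex(), digest_hex)


def leaks_password(folder, name, password):
    """True if the stored record reveals the password verbatim."""
    return password in (folder.stored_record(name) or "")


if __name__ == "__main__":
    for scheme in UserFolder.SCHEMES:
        f = UserFolder(scheme)
        f.add_user("alice", "s3cret")
        print(scheme, f.stored_record("alice"), f.verify("alice", "s3cret"))
```

Running the script shows the two records side by side: the `plain` line carries the password verbatim, while the `pbkdf2` line carries only salt and digest, yet `verify` behaves identically for both, which is what makes the scheme selectable without touching the login code.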