[Zope] RE: FW: [Zope-dev] pam authentication support with PyPam
Alexander Staubo
alex@mop.no
Tue, 2 Nov 1999 19:50:43 +0100
> From: Michel Pelletier [mailto:michel@digicool.com]
> Sent: 2. november 1999 17:13
> To: Alexander Staubo; zope-dev@zope.org
> Subject: Re: FW: [Zope-dev] pam authentication support with PyPam
>
> > > The first is the fact that user folders are accumulative
> > > only at folder boundaries. You cannot create one UserFolder
> > > and one NTUserFolder at the same level and have them co-opt
> > > the user authentication responsibility.
>
> I think this is a good idea, I wonder if the Generic User Folder
> recently prototyped (hey, who did that? I can't find any
> artifacts to it anywhere) does this.
Stuart Bishop (zen@cs.rmit.edu.au).
> > > The second, more serious gripe is with the security
> > > permission model. Look at NT 4.0 and the security UI that
> > > comes with SP4/SP5's Security Configuration Manager for a
> > > good example (installing it will upgrade NT's security
> > > dialogs with a new UI).
>
> <snip good stuff>
>
> There are really deep and fundamental issues, I can see exactly what
> you're talking about, but implementation could take a while, last
> time I looked at the security system I shuddered.
>
> Have you looked into implementation? This is sort of a separate issue
> from the user folder abstraction thing.
I have not, and I'm not sure I want to touch that part of Zope. :-)
While what I'm proposing is pretty radical, I believe it is necessary.

Instead of a plug-in folder architecture, why not simply permit multiple
user folders sharing the same folder? The only issue with this is, I
suspect, that it would be difficult to arrange any sort of
prioritization -- you could not specify that one user folder should take
priority over another, unless perhaps each folder had a priority
attribute assigned to it.

Another angle could be a user database object. Each user database would
essentially be a folder containing one or more user folders,
and would simply iterate through its children to authenticate a user.

It seems a healthy, detailed discussion is in order.
>
> -Michel
>
--
Alexander Staubo http://www.mop.no/~alex/
"Reality is that which, when you stop believing in it, doesn't go
away." --Philip K. Dick
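
As an added illustration, not part of the original message and not Zope code, the sketch below models the "user database" idea from the reply above: a container that iterates its child user sources in order of a priority attribute. The class names, the priority convention (lower number is consulted first) and the policy of stopping when a source knows the user but rejects the password are all assumptions made for the example; the message does not specify them.

```python
import hashlib
import hmac
import os
from enum import Enum

class Result(Enum):
    UNKNOWN_USER = 0   # this source has no such user: try the next one
    REJECTED = 1       # user exists here but the password is wrong
    ACCEPTED = 2

class UserSource:
    """Hypothetical stand-in for one user folder (not a Zope class)."""
    def __init__(self, name, priority, users):
        self.name = name
        self.priority = priority              # assumed: lower number first
        self._users = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def check(self, user, password):
        record = self._users.get(user)
        if record is None:
            return Result.UNKNOWN_USER
        salt, stored = record
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        return Result.ACCEPTED if ok else Result.REJECTED

class UserDatabase:
    """Container that iterates its child sources in priority order."""
    def __init__(self, sources):
        self.sources = sorted(sources, key=lambda s: s.priority)

    def authenticate(self, user, password):
        for source in self.sources:
            result = source.check(user, password)
            if result is Result.ACCEPTED:
                return source.name
            if result is Result.REJECTED:
                # Assumed policy: the highest-priority source that knows the
                # name decides, so a same-named account further down the
                # list cannot be used to get in.
                return None
        return None

# Constructed sample data: "alex" exists in both sources, different passwords.
nt = UserSource("nt", 1, {"alex": "nt-secret"})
local = UserSource("local", 2, {"alex": "local-secret", "michel": "zope"})
db = UserDatabase([local, nt])
```

Without an explicit ordering such as the priority attribute, which of the two "alex" accounts is authoritative would depend on the order in which the children happen to be iterated.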