[Zope] LoginManager UserSources

Wilkinson Charlie E Charlie.E.Wilkinson@irs.gov
Wed, 2 Aug 2000 19:11:55 -0400


> -----Original Message-----
> From: Kyler B. Laird [laird@ecn.purdue.edu]
> 
> On Wed, 2 Aug 2000 15:13:45 -0400  you wrote:
> 
> >I've gotten it working with Postgres (with crypted passwords no less!)
> >It took me a couple of weeks on and off to finally get that going.  Yes,
> >it was painful, especially having no prior experience with GUF (or much
> >experience with Zope, for that matter...)  I've not made it a very high
> >priority, but I'm working on a LoginManager/PostgreSQL walkthrough hoping
> >that I might save someone else some grief.  That info should be easy to
> >translate for any other datasource full of users you might have in mind.
> >Interested?
> 
> What I read:
> "I see you're starving.  Are you interested in some food?"

Well, probably more like, "Are you interested in Spam and CheezWiz
on saltines?"  ;-)

> Yes!  I'm desperate for a way to use Oracle and/or X.500
> databases for authentication (and authorization and ...).
> I would be happy to pay someone to hold my hand through
> creating such a product.  (This is one of the first things
> I built into Apache so many years ago.)

LM is a fantastically versatile product, which also makes it a potentially
major PITA.  Not having sufficient documentation makes it a recipe for
insanity.  (Save yourself, it's too late for me!)

> I'm a bit fuzzy on this, though.  Shouldn't there be an
> easy way to generalize databases for this purpose?  Why do
> we need PostgreSQL, Oracle, Gadfly, ... versions?  I'd
> like to be able to just choose a connection ID and go.

The gist of it is this:

First you create (or use the default) UserSource.  It's basically an empty
box that is used to contain the various methods used to authenticate a user.
You can have more than one UserSource, meaning you could have US's
validating against SMB, LDAP, UNIX passwd, NIS, etc. (i.e., pretty much
anything that Python will talk to) all running in conjunction.  If
validation fails against the first US, LM will simply drop through to the
next and so on, until it either validates the user successfully, or drops
out the bottom and denies access.

You will first need to create a method for determining if a user exists.  If
the user exists, return 1, otherwise 0.

A second method is required to take the entered username and actually look
up a password, validate it against the password entered by the user and
return success (1) or failure (0).

A third method is used to look up the user's roles and return them as a
list.  These roles should match up against either default Zope roles, or
preferably roles you've created for the purpose.  You then lock down
permissions on the desired folders/objects so that only users with the
correct roles can access those objects.

And lastly, a fourth method is needed to return a list of valid net domains
from which the user is allowed to log in.  If you don't want to restrict
logins by domain, then simply return an empty list.

So, regarding your question about why should it matter which database, it
doesn't.  Not much anyways.  US covers a much broader spectrum than just
databases.  As I indicated above, pretty much anything you could conceive of
to store user data in, LM can interface to it.  For some US's you may need
to craft one or more external methods in Python.  If it's a DBMS like
Postgres, Oracle, MySQL, MSSQL, you will need a database connection method,
and you will need SQL methods to fulfill the above four validation steps.
Which brand of database you connect to is likely only going to affect minor
issues of SQL syntax within your methods, if that.  The way your user data
is *structured* will have more impact than which database you use.

That leaves out a ton of detail, but should hopefully answer your immediate
questions and then some.  Feel free to drop me a note at
cwilkins@boinklabs.com and we can further discuss getting your LM up and
running.

-cw-
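The four UserSource methods the message lists (user exists, password check, roles, allowed net domains), together with the drop-through across several sources, as an added example. This is not code from the original post, nor from LoginManager itself. It uses sqlite3 in place of PostgreSQL, a salted PBKDF2-SHA256 hash in place of crypt(), and represents "valid net domains" as CIDR strings matched against the client address; the table names, columns, sample users, and the decision to treat a domain mismatch as a failure for that source (so the next one is tried) are all assumptions made for the example.

```python
# Added example, not LoginManager's own code.  Stand-ins: sqlite3 for
# PostgreSQL, PBKDF2-SHA256 for crypt(), CIDR strings for "net domains".
import hashlib
import hmac
import ipaddress
import os
import sqlite3

PBKDF2_ROUNDS = 50_000  # assumption: work factor for the stored password hash


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' for storage in the users table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class SQLUserSource:
    """One UserSource: the four lookups the post lists, as parameterised SQL.
    The username comes straight from the login form, so it is always bound
    with '?' rather than pasted into the query text."""

    def __init__(self, conn):
        self.conn = conn

    def user_exists(self, username):
        row = self.conn.execute(
            "SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
        return 1 if row else 0

    def validate_password(self, username, password):
        row = self.conn.execute(
            "SELECT password FROM users WHERE username = ?", (username,)).fetchone()
        return 1 if row is not None and check_password(row[0], password) else 0

    def user_roles(self, username):
        rows = self.conn.execute(
            "SELECT role FROM user_roles WHERE username = ? ORDER BY role",
            (username,)).fetchall()
        return [r[0] for r in rows]

    def user_domains(self, username):
        # An empty list means "no restriction", as the post describes.
        rows = self.conn.execute(
            "SELECT cidr FROM user_domains WHERE username = ?", (username,)).fetchall()
        return [r[0] for r in rows]


def authenticate(sources, username, password, client_ip):
    """Drop through the sources in order; return the role list on success,
    None once every source has been tried.  A source that knows the user but
    rejects the password or the client network is treated as a failure for
    that source and the next one is tried (an assumption about LM)."""
    addr = ipaddress.ip_address(client_ip)
    for src in sources:
        if not src.user_exists(username):
            continue
        if not src.validate_password(username, password):
            continue
        domains = src.user_domains(username)
        if domains and not any(addr in ipaddress.ip_network(d) for d in domains):
            continue
        return src.user_roles(username)
    return None


def build_demo_sources():
    """Two constructed sources: alice lives in the first, bob in the second."""
    def make(users, roles, domains):
        conn = sqlite3.connect(":memory:")
        conn.executescript("""
            CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
            CREATE TABLE user_roles (username TEXT, role TEXT);
            CREATE TABLE user_domains (username TEXT, cidr TEXT);
        """)
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [(u, hash_password(p)) for u, p in users])
        conn.executemany("INSERT INTO user_roles VALUES (?, ?)", roles)
        conn.executemany("INSERT INTO user_domains VALUES (?, ?)", domains)
        return SQLUserSource(conn)

    staff = make([("alice", "alice-pw")], [("alice", "Manager")],
                 [("alice", "10.0.0.0/8")])
    members = make([("bob", "bob-pw")], [("bob", "Member")], [])
    return [staff, members]
```

With `srcs = build_demo_sources()`, `authenticate(srcs, "alice", "alice-pw", "10.1.2.3")` returns `['Manager']`, the same login from `192.0.2.9` returns `None` because alice's only allowed network is 10.0.0.0/8, and `authenticate(srcs, "bob", "bob-pw", "192.0.2.9")` returns `['Member']` after the first source reports that bob does not exist. Two points carry over to whatever database you actually use: the username from the login form is bound as a query parameter, never concatenated into the SQL, and the password comparison is a constant-time check of a salted hash rather than a plain string equality.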

