Fw: [Zope] From database to acl_users - read this!

wazum-mail (wolfgang) <wolfgang@wazum.com>
Fri, 22 Jun 2001 20:14:09 +0200


I found this, don't know where I got it, but it's a
nice introduction to the first basic steps using LoginManager ...

---------------------
* Jason C. Leach <jleach@m...> [001126 20:46]:
> hi,
>
> So I have LoginManager installed. The easy part.  Now I'd like to know how
> to use it.  To start with, I'd like to authenticate against a standard
> acl_users folder or a plain text file w/ username/passwords in it.

OK, I've just struggled with this and won.  I wanted to write a How-To
but it's too late in the evening to consider right now.  So, here's
some notes that might become a HowTo:

1) Why LoginManager
"LoginManager is a User Folder workalike and replacement which solves
the "N * M" problem seen with previous User Folders."
(http://www.zope.org/Members/tsarna/LoginManager)

Hmm, OK.  What I *think* this means is that you can use LoginManager
to do all the security heavy lifting for you.  All you have to do
is tell it how to decide if someone's authenticated or not.  A bit
like PAM in Linux, if you know about that.  With other types of
UserFolder, you're stuck with SQL or LDAP or some other flavour of user
storage you decided on a couple of months ago.  If you want to change
the type of user store, you have to tinker with the business logic
too.

With LoginManager, it's more or less just a case of plugging in a new
data source.  You can have more than one data source and have
LoginManager authenticate against each of them in order.  You can do
even cleverer things but I'm not sure about that yet.

2) How
This is the only way I've worked out how to use it.  I know there's
better ways of doing it because I've seen mails to that effect from
Ty.  My way is the GUF-compatibility way.

- Add a LoginManager to your test folder that you created so you didn't
mess any other folders up in your Zope by accident.  Have it generate
a GenericUserSource for you.
- Click on its UserSources tab.  This is where you can add
UserSources, like your LDAP User Source and your Plain Text File User
Source.
- There's a UserSource in there already for you (a GenericUserSource,
indeed)
- Add 4 methods to it: userAuthenticate, userDomains, userExists, and
userRoles.  (see example below)
- That's it!  Watch your folder become inaccessible because you made a
mistake in your authentication methods!
- The methods tab of the LoginManager has some default forms.
- If you want to log in a user from another page, create a form which
posts fields called __ac_name and __ac_password to a method which
doesn't have anonymous user access.  (see the example loginForm for an
example)

Here's an external method which authenticates against a SQL database
with a ZSQL method that's in the UserSource.  Commented out is a
cheesy hardcoded username and password example:


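def userAuthenticate(self,REQUEST,username,password):
    # SQL_authenticate_user is the ZSQL method in the UserSource; a true
    # result is treated as a successful login.
    # Hardcoded alternative:
    #if username=='seb' and password=='boogaloo':
    if self.SQL_authenticate_user(username=username,password=password):
        return 1
    else:
        return 0

def userExists(self,REQUEST,username):
    # Reports every username as existing.
    return 1

def userDomains(self,REQUEST,username):
    # No domain restrictions.
    return []

def userRoles(self,REQUEST,username):
    # Every user gets the same hardcoded roles.
    return ['Editor','Manager']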

If you want to authenticate against a plain text file, it should be
fairly easy to work it out from this example.

OK I've got to go to bed.  If anyone who knows more wants to let me
know, I'll try and compile it into a better guide.  I'm sure I've got
most of this wrong - but it seems to work for me, so maybe not...

There's already a SQL-LoginManager Howto which I don't want to repeat,
but I already have.  It's at
http://www.zope.org/Members/jok/SQL_based_LoginManager.

seb.

-----------------

Wolfgang

original message follows

>Hi,
>
>I know how to get users/passwords/roles in straight Python/mxOdbc from a
>corporate database.
>
>I want to give Zope permissions to those users in addition to those from the
>"acl_users" folder.
>
>Means that when a user logs in for basic authentication, its credentials must
>be compared with "natural" acl_user folder then with this database.
>
>Any idea or related product ?
>
>TIA.
>
>--Gilles
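
Added example (not part of the original messages, and not LoginManager's or the posters' code): the forwarded note says a plain-text-file source is easy to derive from the SQL one, so here are the same four methods reading a text file, storing salted PBKDF2 hashes rather than passwords and taking roles per user from the file instead of one hardcoded list. The record format, USER_FILE, hash_pw, make_line, lookup and the sample users are assumptions made for this example, and it is written for current Python 3 so it runs on its own.

```python
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def make_line(username, password, roles):
    # Assumed record format: username:salt_hex:hash_hex:role1,role2
    salt = os.urandom(16)
    return ":".join([username, salt.hex(), hash_pw(password, salt), ",".join(roles)])

# Constructed sample file; USER_FILE is a hypothetical path chosen for the demo.
USER_FILE = os.path.join(tempfile.mkdtemp(), "users.txt")
with open(USER_FILE, "w") as f:
    f.write(make_line("seb", "boogaloo", ["Editor"]) + "\n")
    f.write(make_line("alice", "s3cret", ["Editor", "Manager"]) + "\n")

def lookup(username):
    # Return (salt, hash_hex, roles) for username, or None if it is not listed.
    with open(USER_FILE) as f:
        for line in f:
            parts = line.strip().split(":")
            if len(parts) == 4 and parts[0] == username:
                roles = [r for r in parts[3].split(",") if r]
                return bytes.fromhex(parts[1]), parts[2], roles
    return None

def userAuthenticate(self, REQUEST, username, password):
    rec = lookup(username)
    if rec is None:
        return 0  # unknown user: fail closed
    salt, stored, _roles = rec
    # Constant-time comparison of the recomputed hash with the stored one.
    return int(hmac.compare_digest(hash_pw(password, salt), stored))

def userExists(self, REQUEST, username):
    return int(lookup(username) is not None)

def userDomains(self, REQUEST, username):
    return []  # no domain restriction, as in the forwarded example

def userRoles(self, REQUEST, username):
    rec = lookup(username)
    return rec[2] if rec else []  # roles come from the file; none for unknown users
```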