[Zope] Acquisition, UserFolder and security

Julien Anguenot ja at nuxeo.com
Tue Sep 27 09:20:48 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bruno modulix wrote:
> Julien Anguenot wrote:
> 
>>Hi Bruno,
> 
> 
> Hi Julien,
> 
> 
>>If you're using a central LDAP for all the instances you can restrict
>>the access from the different instances using either
>>LDAPUserGroupsFolder or CPSUserFolder.
>>
>>Discrimination is done by LDAP branches (users or groups). If you can't
>>control the LDAP and thus the way the branches are designed, for
>>whatever reasons, then you can use CPSUserFolder and set the
>>discrimination on the UF within each instance by setting custom CPS
>>directories (which is what CPSUserFolder uses as proxy for
>>authentication sources).
>>
>>To sum up it's a matter of configuration.
> 
> 
> I'm afraid there's more to it than just a matter of configuration, cf
> below...
> 

I confirm. Having done the intranet of the Senegal government
(almost 35 CPS instances (one instance for each ministry) on the same Zope within
a ZEO env linked to a central LDAP with different branches for users
and groups per ministry) using CPS, I have sort of an idea what you're
trying to do here.

> 
>>We'll be glad to discuss your use case on cps-users list.
> 
> 
> I've spent quite some time investigating the
> CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories...
> solution, and the final word (from Olivier Grisel, cf the cps-users ml)
> was that some code concerning roles and groups management was not yet
> fully implemented, so the whole thing couldn't work without patching and
> merging parts of CPSDirectories - which was a definitive no-no for us.

I assume you're talking about roles and groups computed schema fields
here on directories. These are TALES expressions linking the directories.
The code can be wherever you want, even within the TALES expression if
you feel like it...

That's probably what Olivier tried to say. Still, I didn't follow the
discussion at the time.

Let me add that CPSUserFolder works and has been in production for a while now
in several projects. So be sure it's stable.

> 
> I don't know if this has been fixed in 3.3.6, but anyway, this part of
> our project is supposed to be already working (and mostly does, except
> for this security problem), and we can't afford to come back on it, as
> it would delay delivery by at least one week - which is also not an
> option. But thanks anyway...
> 

Then, you might have a design flaw...

You didn't reply to my question in the first place: are you controlling
the LDAP (rw)?

Are the schemas describing your users different between the CPS
instances? etc.

CPSUserFolder has been designed to tackle such a use case. (Not only
this use case, but this one has been a reason for the existence of this
product.)

Of course, looking for a hack to deliver your project can always be a
solution ;)

Cheers,

	J.

- --
Julien Anguenot | Nuxeo R&D (Paris, France)
CPS Platform : http://www.cps-project.org
Zope3 / ECM   : http://www.z3lab.org
mail: anguenot at nuxeo.com; tel: +33 (0) 6 72 57 57 66
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDOUcwGhoG8MxZ/pIRAomtAJ4lEnUDUZpLIkcjwgSTdShb/TTcXwCggTsy
EcWsb2Z2oSOgHxsdhgnwNjc=
=9Hzy
-----END PGP SIGNATURE-----