[Zope3-Users] Re: Applying permissions to users from LDAP

Philipp von Weitershausen philipp at weitershausen.de
Fri Feb 9 15:21:18 EST 2007


Alec Munro wrote:
> I've just succeeded in getting Zope authenticating against my LDAP
> directory, using ldapadapter and ldappas. The directory itself is
> brand new, and is currently only being used for Zope.
> I am able to manually grant permissions to LDAP users, but I'm
> wondering if there's a way to automatically grant an LDAP user certain
> roles, depending on what groups he or she is in?
> 
> I imagine this could probably be done by extending ldappas, but it
> seems like a common problem, so I thought it would be worth asking
> here to see if anyone has any other ideas (or has already extended
> ldappas themselves).

Alec,

roles are a concept only known to Zope 3's default security policy; they 
aren't really a part of the authentication system.

While the authentication only identifies principals by 
matching login credentials to a user database, the security policy 
actually decides whether a principal has a certain permission or not 
(IInteraction.checkPermission). Zope's default security policy happens 
to use an intermediary concept between principals and permissions called 
"role".

The default policy retrieves the roles and permissions of a principal by 
adapting the current context object to IPrincipalRoleMap or 
IPrincipalPermissionMap, respectively (from 
zope.app.securitypolicy.interfaces). The default adapters for these 
store the maps persistently in annotations. The Grant view uses the same 
adapters to persistently modify this information. So, if you want your 
LDAP users to automatically have certain roles or permissions, one way 
to go would be to implement custom IPrincipalRoleMap or 
IPrincipalPermissionMap adapters. This would be a way to adjust the 
behaviour of the existing default security policy.

Another solution for your problem might be a custom security policy 
(perhaps based on Zope's default one) that inherently knows about which 
principals get which permissions / roles automatically. This could also 
be made pluggable so that you wouldn't have to write a new security 
policy every time those sets of permissions and roles change. From a 
brief look, it seems that this is what the "crowd" concept of 
schooltool.securitypolicy 
(http://source.schooltool.org/svn/trunk/schooltool/src/schooltool/securitypolicy/README.txt) 
solves. It should be quite trivial to write an "LDAP" crowd 
(representing all principals from the LDAP database) and then grant that 
crowd the specified permissions.

HTH


-- 
http://worldcookery.com -- Professional Zope documentation and training
Next Zope 3 training at Camp5: http://trizpug.org/boot-camp/camp5
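The first approach Philipp describes (a custom IPrincipalRoleMap adapter that derives roles from directory group membership instead of reading them from annotations) is sketched below as an added, stand-alone example; it is not code from the thread, from ldappas, or from Zope 3. The method names follow IPrincipalRoleMap (getRolesForPrincipal, getPrincipalsForRole, getSetting, getPrincipalsAndRoles), but the Allow/Deny/Unset settings are modelled as plain strings, the LDAP directory is a constructed in-memory dict standing in for the ldapadapter lookup, the group-to-role policy and the role-to-permission table are assumed site configuration, and check_permission is a simplified stand-in for what the default policy does, not its real implementation. The same group membership could equally back an "LDAP" crowd in the schooltool-style approach; the lookup logic does not change.

```python
"""Roles derived from LDAP group membership (added example, not Zope's code)."""

# Stand-ins for the zope security settings (the real ones are objects, not strings).
Allow, Deny, Unset = "Allow", "Deny", "Unset"

# Constructed sample directory: group DN -> member principal ids, as ldappas
# would expose them after authentication. No real directory is contacted.
LDAP_GROUPS = {
    "cn=editors,ou=groups,dc=example,dc=org": {"ldap.alice", "ldap.bob"},
    "cn=admins,ou=groups,dc=example,dc=org": {"ldap.alice"},
    "cn=suspended,ou=groups,dc=example,dc=org": {"ldap.bob"},
}

# Assumed site policy: group DN -> (role, setting) pairs its members receive.
# A Deny entry lets an administrator switch a user off by adding one group
# membership, without having to remember every group that grants something.
GROUP_ROLE_SETTINGS = {
    "cn=editors,ou=groups,dc=example,dc=org": (("zope.Editor", Allow),),
    "cn=admins,ou=groups,dc=example,dc=org": (("zope.Manager", Allow),),
    "cn=suspended,ou=groups,dc=example,dc=org": (
        ("zope.Editor", Deny), ("zope.Manager", Deny)),
}

# Assumed role -> permission table (what IRolePermissionMap would supply).
ROLE_PERMISSIONS = {
    "zope.Editor": {"zope.View", "app.Edit"},
    "zope.Manager": {"zope.View", "app.Edit", "app.Delete"},
}


class LDAPGroupRoleMap:
    """Read-only IPrincipalRoleMap-style adapter computed from LDAP groups."""

    def __init__(self, groups, group_role_settings):
        self._groups = groups
        self._policy = group_role_settings

    def _groups_of(self, principal_id):
        return [dn for dn, members in self._groups.items()
                if principal_id in members]

    def getRolesForPrincipal(self, principal_id):
        """Return sorted (role, setting) pairs; Deny wins when groups disagree."""
        settings = {}
        for dn in self._groups_of(principal_id):
            for role, setting in self._policy.get(dn, ()):
                if setting == Deny or settings.get(role) != Deny:
                    settings[role] = setting
        return sorted(settings.items())

    def getPrincipalsForRole(self, role_id):
        """Return sorted (principal, setting) pairs for one role."""
        principals = set().union(*self._groups.values())
        result = []
        for pid in sorted(principals):
            setting = self.getSetting(role_id, pid)
            if setting != Unset:
                result.append((pid, setting))
        return result

    def getSetting(self, role_id, principal_id, default=Unset):
        """Unset for principals the directory knows nothing about."""
        return dict(self.getRolesForPrincipal(principal_id)).get(role_id, default)

    def getPrincipalsAndRoles(self):
        """All (role, principal, setting) triples the map would report."""
        principals = set().union(*self._groups.values())
        return sorted((role, pid, setting)
                      for pid in principals
                      for role, setting in self.getRolesForPrincipal(pid))


def check_permission(role_map, permission, principal_id):
    """Simplified stand-in for the policy's checkPermission: deny by default,
    grant only through a role that is Allowed and carries the permission."""
    for role, setting in role_map.getRolesForPrincipal(principal_id):
        if setting == Allow and permission in ROLE_PERMISSIONS.get(role, ()):
            return True
    return False


if __name__ == "__main__":
    rm = LDAPGroupRoleMap(LDAP_GROUPS, GROUP_ROLE_SETTINGS)
    for pid in ("ldap.alice", "ldap.bob", "local.carol"):
        print(pid, rm.getRolesForPrincipal(pid),
              "app.Delete:", check_permission(rm, "app.Delete", pid))
```

Because the map is computed on every call, a group change in the directory takes effect on the next request without touching the ZODB; the Grant view would not be able to edit it, which is the intended trade-off when the directory is the source of truth. A principal that is not in the directory at all gets Unset everywhere, so local principals keep whatever the persistent annotation adapter grants them.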


