[Zope3-Users] Re: Applying permissions to users from LDAP

Philipp von Weitershausen philipp at weitershausen.de
Tue Feb 13 04:57:50 EST 2007

On 13 Feb 2007, at 10:51 , David Johnson wrote:
> I'm trying to understand this situation also since we face it  
> frequently.  The PAU has a Group Folder which works well in this  
> regard.  Would the idea of extending Groups in the PAU to include  
> any person in the ldap directory be useful?  It seems this would be  
> easier and more flexible.

Yes, I suppose working with groups works as well. I know little about  
ldappas's group support, but it should be possible to extend/ 
configure ldappas to put all of its principals into a certain group.  
You can then give grants to the group.

> On Feb 12, 2007, at 3:05 PM, Alec Munro wrote:
>> Thanks Philipp! I suspect your first suggested solution will probably
>> be the one that makes sense for us, but I will have to do a little
>> experimentation to be sure. It's very useful that you are able to
>> actually pick out the interfaces and interface methods that are of
>> concern to me.
>> This reminds me that I have to pick up the new version of your book.
>> Alec
>> On 2/9/07, Philipp von Weitershausen <philipp at weitershausen.de>  
>> wrote:
>>> Alec Munro wrote:
>>> > I've just succeeded in getting Zope authenticating against my LDAP
>>> > directory, using ldapadapter and ldappas. The directory itself is
>>> > brand new, and is currently only being used for Zope.
>>> > I am able to manually grant permissions to LDAP users, but I'm
>>> > wondering if there's a way to automatically grant an LDAP user  
>>> certain
>>> > roles, depending on what groups he or she is in?
>>> >
>>> > I imagine this could probably be done by extending ldappas, but it
>>> > seems like a common problem, so I thought it would be worth asking
>>> > here to see if anyone has any other ideas (or has already extended
>>> > ldappas themselves).
>>> Alec,
>>> roles are a concept only known to Zope 3's default security  
>>> policy; they
>>> aren't really a part of the authentication system.
>>> While the authentication only identifies principals by
>>> matching login credentials to a user database, the security policy
>>> actually decides whether a principal has a certain permission or not
>>> (IInteraction.checkPermission). Zope's default security policy  
>>> happens
>>> to use an intermediary concept between principals and permissions  
>>> called
>>> "role".
>>> The default policy retrieves the roles and permissions of a  
>>> principal by
>>> adapting the current context object to IPrincipalRoleMap or
>>> IPrincipalPermissionMap, respectively (from
>>> zope.app.securitypolicy.interfaces). The default adapters for these
>>> store the maps persistently in annotations. The Grant view uses  
>>> the same
>>> adapters to persistently modify this information. So, if you want  
>>> your
>>> LDAP users to automatically have certain roles or permissions,  
>>> one way
>>> to go would be to implement custom IPrincipalRoleMap or
>>> IPrincipalPermissionMap adapters. This would be a way to adjust the
>>> behaviour of the existing default security policy.
>>> Another solution for your problem might be a custom security policy
>>> (perhaps based on Zope's default one) that inherently knows about  
>>> which
>>> principals get which permissions / roles automatically. This  
>>> could also
>>> be made pluggable so that you wouldn't have to write a new security
>>> policy every time those sets of permissions and roles change. From a
>>> brief look, it seems that this is what the "crowd" concept of
>>> schooltool.securitypolicy
>>> (http://source.schooltool.org/svn/trunk/schooltool/src/schooltool/ 
>>> securitypolicy/README.txt)
>>> seems to solve. It should be quite trivial to write an "LDAP" crowd
>>> (representing all principals from the LDAP database) and then  
>>> grant that
>>> crowd the specified permissions.
>>> HTH
>>> --
>>> http://worldcookery.com -- Professional Zope documentation and  
>>> training
>>> Next Zope 3 training at Camp5: http://trizpug.org/boot-camp/camp5
>>> _______________________________________________
>>> Zope3-users mailing list
>>> Zope3-users at zope.org
>>> http://mail.zope.org/mailman/listinfo/zope3-users
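A sketch of the custom IPrincipalRoleMap adapter described in the quoted reply, added here as an illustration and not code from the thread, from ldappas or from Zope. It assumes ldappas principal ids carry a fixed prefix and that a callable can return a principal's LDAP groups; the Allow/Deny/Unset settings from zope.app.securitypolicy and the adapter registration are replaced by plain constants so the sketch runs without Zope installed. The point it makes is the least-privilege caveat: an explicit Deny stored by the Grant view must still win over roles granted automatically from LDAP group membership.

```python
Allow, Deny, Unset = "Allow", "Deny", "Unset"  # stand-ins for the Zope settings

LDAP_PREFIX = "ldap."   # assumed ldappas principal-id prefix
GROUP_ROLES = {         # assumed LDAP group -> Zope roles mapping
    "cn=editors": ["zope.Editor"],
    "cn=admins": ["zope.Manager", "zope.Editor"],
}

class PersistentRoleMap:
    """Stand-in for the annotation-backed default IPrincipalRoleMap adapter."""
    def __init__(self):
        self._settings = {}  # (role_id, principal_id) -> Allow / Deny
    def grant(self, role_id, principal_id, setting=Allow):
        self._settings[(role_id, principal_id)] = setting  # what the Grant view stores
    def getSetting(self, role_id, principal_id, default=Unset):
        return self._settings.get((role_id, principal_id), default)
    def getRolesForPrincipal(self, principal_id):
        return [(r, s) for (r, p), s in self._settings.items() if p == principal_id]

class LDAPAwareRoleMap:
    """Custom IPrincipalRoleMap: explicit grants win, LDAP group roles fill the gaps."""
    def __init__(self, persistent, ldap_groups_of):
        self._persistent = persistent
        self._ldap_groups_of = ldap_groups_of  # callable: principal_id -> group names
    def _automatic_roles(self, principal_id):
        if not principal_id.startswith(LDAP_PREFIX):
            return set()  # local principals get nothing automatically
        roles = set()
        for group in self._ldap_groups_of(principal_id):
            roles.update(GROUP_ROLES.get(group, ()))
        return roles
    def getSetting(self, role_id, principal_id, default=Unset):
        explicit = self._persistent.getSetting(role_id, principal_id, Unset)
        if explicit != Unset:
            return explicit  # a Deny set through the Grant view must not be undone
        if role_id in self._automatic_roles(principal_id):
            return Allow
        return default
    def getRolesForPrincipal(self, principal_id):
        merged = {r: Allow for r in self._automatic_roles(principal_id)}
        merged.update(self._persistent.getRolesForPrincipal(principal_id))
        return sorted(merged.items())

def demo_map():
    """Constructed sample: alice is in cn=admins but was explicitly denied Manager."""
    groups = {"ldap.alice": ["cn=admins"], "ldap.bob": ["cn=editors"]}
    persistent = PersistentRoleMap()
    persistent.grant("zope.Manager", "ldap.alice", Deny)
    return LDAPAwareRoleMap(persistent, lambda pid: groups.get(pid, []))
```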
