[Zope-dev] pam authentication support with PyPam

Ian Blenke icblenke@2c2.com
Mon, 18 Oct 1999 12:06:15 -0400


On Mon Oct 18, 1999, Michel Pelletier wrote:

> Regardless of whether or not Zope has a PAM folder (which I think is a
> good idea) we need to discuss an upcoming problem with Zope user
> authentication: the proliferation of user folders.

Agreed! This is something I've been waiting for.

> The problem is there are now quite a few user folders that all kinda
> look the same, smell the same, and share a good bit of code.  This is
> very brittle.  The 'backends' should be abstracted away from the
> 'frontend' and we should return to the original state of grace, one type
> of user folder.

Something akin to a SPI (Service Provider Interface) User Folder class that
implements a standard set of interfaces for all User Folder classes to
subclass. A standard SPI User Folder could be wedged into the current kludge
of implementing the currently required methods needed for User Folder
functionality.

> At the moment if we were to change an aspect of Zope authentication that
> would break existing user folders, we would have to go and fix every
> single one, the orphaned ones without maintainers (like etcUserFolder, my
> personal orphan) would simply remain broken until someone got frustrated
> enough to fix them.  This is a pretty bad state of affairs.

Leaving compatibility with the previous User Folder method isn't a bad
thing. Make a "generic User Folder Provider" class that can be subclassed
for future User Folder implementations, while implementing the legacy
backend that existing User Folder implementations require.

> So let's fire up a discussion on what kind of model we could implement to
> have a generic user folder with pluggable backends (one of which could
> be PAM).  It might even be a good idea to look *at* PAM for some ideas,
> anyone here a PAM expert?

PAM is wonderful. I'm no PAM expert, but I'm willing to help. If we use the
PyPam wrappers, we won't need to worry about the system implementation. 

There is at least one port of PAM to NT available on the 'net - although
it is more useful as a MS GINA replacement for Kerberos support :)

We use pamsmbd here. Anyone can log in to their Unix account (Linux or
Solaris) with their NT domain password. If I could enable a PAM module,
I could effectively do the same thing as "NT User Folder" with my
existing configuration. I've seen the "smb user folder" Product out
there, but haven't had time to fight with it yet.

> Hmm.. it might also be nice to take Membership and the ZPT into
> consideration here, like support for extensible user objects (if the
> 'backend' supports it) etc.

PAM for authentication - cross-platform implementations exist.
NSS for user information - Unix implementations only.

How do you look up user information generically across all known
platforms? You need a "single signon" repository.

Eventually, the best user database is an LDAP directory tree. It
would be great to work User Folder authentication out of the new
Zope LDAP objects under construction (I can't wait! :)

- Ian C. Blenke <ian@blenke.com> <icblenke@2c2.com>
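The "one frontend, pluggable backends" model discussed in this thread, sketched as an added Python example (this is not Zope code and not the PyPam wrapper). The frontend handles lookup and the result; each backend implements only `authenticate` and `get_user`, so a change to the frontend cannot break a backend. `LocalBackend`, `PamBackend`, `GenericUserFolder` and the `pam_check` callable are hypothetical names; the PAM backend delegates to a caller-supplied callable instead of importing PyPam so the file runs offline, and the user records are constructed test data.

```python
"""Generic user folder with pluggable authentication backends.

Added example, not Zope's or PyPam's code.  Names are hypothetical.
"""
import hashlib
import hmac
import os
from abc import ABC, abstractmethod
from typing import Callable, Optional


class User:
    """Minimal user object; `extra` holds backend-specific extensible attributes."""

    def __init__(self, name, roles=(), extra=None):
        self.name = name
        self.roles = tuple(roles)
        self.extra = dict(extra or {})


class AuthBackend(ABC):
    """Service-provider interface: the only contract a backend must honour."""

    @abstractmethod
    def authenticate(self, name: str, password: str) -> bool: ...

    @abstractmethod
    def get_user(self, name: str) -> Optional[User]: ...


class LocalBackend(AuthBackend):
    """In-memory backend storing salted PBKDF2 hashes, never plaintext."""

    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, roles=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[name] = (salt, digest, tuple(roles))

    def authenticate(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            # Do the same work for an unknown name so timing does not reveal
            # whether the account exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, self.ITERATIONS)
            return False
        salt, digest, _roles = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def get_user(self, name):
        rec = self._users.get(name)
        return None if rec is None else User(name, rec[2])


class PamBackend(AuthBackend):
    """Stand-in for a PAM backend: `pam_check` would wrap PyPam in real use."""

    def __init__(self, pam_check: Callable[[str, str], bool], default_roles=("Member",)):
        self._pam_check = pam_check
        self._default_roles = tuple(default_roles)

    def authenticate(self, name, password):
        return bool(self._pam_check(name, password))

    def get_user(self, name):
        # PAM only authenticates; user attributes would come from NSS or LDAP.
        return User(name, self._default_roles)


class GenericUserFolder:
    """The single frontend; it never touches credentials itself."""

    def __init__(self, backend: AuthBackend):
        self.backend = backend

    def validate(self, name, password):
        """Return the User on success, None on any failure."""
        if not name or not self.backend.authenticate(name, password):
            return None
        return self.backend.get_user(name)


def demo():
    # Constructed accounts for the demonstration only.
    local = LocalBackend()
    local.add_user("alice", "correct horse", roles=("Manager",))
    folder = GenericUserFolder(local)
    # The same frontend, unchanged, over a (stubbed) PAM backend.
    pam_folder = GenericUserFolder(PamBackend(lambda n, p: (n, p) == ("bob", "pw")))
    ok = folder.validate("alice", "correct horse")
    return {
        "ok_roles": ok.roles if ok else None,
        "bad": folder.validate("alice", "wrong"),
        "unknown": folder.validate("nobody", "x"),
        "pam_roles": pam_folder.validate("bob", "pw").roles,
        "pam_bad": pam_folder.validate("bob", "no"),
    }


if __name__ == "__main__":
    print(demo())
```

Swapping `LocalBackend` for `PamBackend` changes nothing in `GenericUserFolder`, which is the point of the SPI split: a future change to how the folder resolves roles or parses requests lands in one place, and an unmaintained backend keeps working as long as it still implements the two interface methods.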