[Zope-PAS] ZODBRoleManager: assigned roles not found

Willi Langenberger wlang at wu-wien.ac.at
Fri Aug 27 10:00:32 EDT 2004


It seems impossible to assign roles to users (at least with the
ZODBRoleManager plugin) if there are different plugins implementing
IAuthenticationPlugin and IUserEnumerationPlugin.

Example: at our university we have AFS installed. Our authentication
should be done with AFS/Kerberos. However, AFS/Kerberos has no
user-enumeration interface. So we feed our users into an LDAP server.

I've written two plugins:

 - krb   KrbAuthHelper     (method authenticateCredentials)
 - ldap  LDAPSearchPlugin  (method enumerateUsers)

Now, if I assign the user 'wlang' to the role 'Manager' with
ZODBRoleManager (with acl_users/zodb_roles/manage_roles), this has no

Reason: internally, ZODBRoleManager stores the user's
'user_id' (in my case 'ldap__wlang' instead of 'wlang', as it comes
from the ldap plugin). During authentication of a request, the
ZODBRoleManager.getRolesForPrincipal method takes the user_id of the
authenticated user (which is 'krb__wlang' in my case). As ldap__wlang
is not equal to krb__wlang, the assigned roles are not found.

So what is the right fix for this? Require that user-enumeration
and user-authentication always come from the same plugin (for the same
user)? Or assigning the user's "login" name (instead of the user_id)
in the role manager?

I know it is not difficult to put the enumerateUsers and
authenticateCredentials in one plugin (KrbAuthLdapSearch ;-), but I also
want to know what others think about this...


Willi.Langenberger at wu-wien.ac.at                Fax: +43/1/31336/9207
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
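
The mismatch described in the message above, as an added example that is not part of the original post and is not PAS source code. It is a simplified model: the plugin ids `krb`/`ldap` and the `<plugin>__<name>` id form come from the post, while the `RoleManager` class, the helper functions and the `krb_ldap` combined-plugin id are constructed for illustration. It also includes a small audit that flags role assignments no authentication plugin can ever match.

```python
# Simplified model of the behaviour described in the post; not PAS source code.
# Class and helper names below are assumptions made for this illustration.

class RoleManager:
    """Stores roles keyed by whatever string it was handed at assignment time."""
    def __init__(self):
        self._roles = {}

    def assign(self, principal_key, role):
        self._roles.setdefault(principal_key, set()).add(role)

    def getRolesForPrincipal(self, principal_key):
        return sorted(self._roles.get(principal_key, ()))


def prefixed_id(plugin_id, name):
    return f"{plugin_id}__{name}"


def enumerate_users(plugin_id, names):
    """What the role-management form lists: ids carry the enumerating plugin's prefix."""
    return [{"id": prefixed_id(plugin_id, n), "login": n} for n in names]


def authenticate(plugin_id, login):
    """What a request yields: the id carries the authenticating plugin's prefix."""
    return {"id": prefixed_id(plugin_id, login), "login": login}


def roles_at_request(enum_plugin, auth_plugin, key="id"):
    """Assign Manager via enumeration, then look it up for an authenticated request."""
    rm = RoleManager()
    listed = enumerate_users(enum_plugin, ["wlang"])[0]
    rm.assign(listed[key], "Manager")
    principal = authenticate(auth_plugin, "wlang")
    return rm.getRolesForPrincipal(principal[key])


def audit_orphaned_assignments(assigned_keys, auth_plugin_ids):
    """Flag assignments whose prefix no authentication plugin can ever produce."""
    return [k for k in assigned_keys if k.split("__", 1)[0] not in auth_plugin_ids]


if __name__ == "__main__":
    print(roles_at_request("ldap", "krb"))               # split plugins, keyed by id
    print(roles_at_request("krb_ldap", "krb_ldap"))      # one combined plugin
    print(roles_at_request("ldap", "krb", key="login"))  # keyed by login name
    print(audit_orphaned_assignments(["ldap__wlang"], {"krb"}))
```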
