[Zope] RE: FW: [Zope-dev] pam authentication support with PyPam

Alexander Staubo alex@mop.no
Tue, 2 Nov 1999 19:50:43 +0100


> From: Michel Pelletier [mailto:michel@digicool.com]
> Sent: 2. november 1999 17:13
> To: Alexander Staubo; zope-dev@zope.org
> Subject: Re: FW: [Zope-dev] pam authentication support with PyPam
> 
> > > The first is the fact that only user folders are accumulative
> > > only at folder boundaries. You cannot create one UserFolder
> > > and one NTUserFolder at the same level and have them co-opt
> > > the user authentication responsibility.
> 
> I think this is a good idea, I wonder if the Generic User Folder
> recently prototyped (hey, who did that? I can't find any artifacts
> of it anywhere) does this.

Stuart Bishop (zen@cs.rmit.edu.au).

> > > The second, more serious gripe is with the security
> > > permission model. Look at NT 4.0 and the security UI that
> > > comes with SP4/SP5's Security Configuration Manager for a
> > > good example (installing it will upgrade NT's security
> > > dialogs with a new UI).
> 
> <snip good stuff>
> 
> There are really deep and fundamental issues, I can see exactly what
> you're talking about, but implementation could take a while; last
> time I looked at the security system I shuddered.
> 
> Have you looked into implementation?  This is sort of a separate issue
> from the user folder abstraction thing.

I have not, and I'm not sure I want to touch that part of Zope. :-)

While what I'm proposing is pretty radical, I believe it is necessary.

Instead of a plug-in folder architecture, why not simply permit multiple
user folders sharing the same folder? The only issue with this is, I
suspect, that it would be difficult to arrange any sort of
prioritization -- you could not specify that one user folder should take
priority over another, unless perhaps each folder had a priority
attribute assigned to it.

Another angle could be a user database object. Each user database would
essentially be a folder containing one or more user folders, and would
simply iterate through its children to authenticate a user.

It seems a healthy, detailed discussion is in order.

> 
> -Michel
> 

-- 
Alexander Staubo             http://www.mop.no/~alex/
"Reality is that which, when you stop believing in it, doesn't go
away." --Philip K. Dick
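
A sketch of the "user database" proposal above (a container that iterates over its child user folders, with the priority attribute from the first proposal deciding the order), as an added example that is not part of this thread and not Zope's own code. The class names, the three-way outcome per folder, and the rule that a folder which knows the user but rejects the password stops the search are my own assumptions; the sample accounts are constructed for the example.

```python
# Added example, not Zope code: a hypothetical "user database" holding several
# user folders and consulting them in priority order, as sketched in the mail.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthenticatedUser:
    name: str
    roles: tuple
    source: str  # name of the user folder that authenticated the user


class UserFolder:
    """One user store.  Lower `priority` values are consulted first."""

    UNKNOWN = "unknown"  # this folder has no such user; try the next folder
    DENIED = "denied"    # this folder has the user but the password is wrong

    def __init__(self, name, priority):
        self.name = name
        self.priority = priority
        self._accounts = {}  # username -> (salt, digest, roles)

    @staticmethod
    def _digest(salt, password):
        # Demo hashing only; a real store would use a slow password hash.
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def add_user(self, username, password, roles=()):
        salt = os.urandom(8)
        self._accounts[username] = (salt, self._digest(salt, password), tuple(roles))

    def authenticate(self, username, password):
        entry = self._accounts.get(username)
        if entry is None:
            return self.UNKNOWN
        salt, digest, roles = entry
        if hmac.compare_digest(self._digest(salt, password), digest):
            return AuthenticatedUser(username, roles, self.name)
        return self.DENIED


class UserDatabase:
    """Container of user folders; iterates its children in priority order."""

    def __init__(self, *folders):
        self._folders = list(folders)

    def add_folder(self, folder):
        self._folders.append(folder)

    def authenticate(self, username, password):
        # Sorted on every call so a folder's priority may change after it was added.
        for folder in sorted(self._folders, key=lambda f: f.priority):
            result = folder.authenticate(username, password)
            if isinstance(result, AuthenticatedUser):
                return result
            if result == UserFolder.DENIED:
                # Fail closed: a lower-priority folder must not be able to
                # override a denial from the folder that owns this account.
                return None
        return None  # no folder knows this user


def build_demo_database():
    """Constructed sample data: two folders, one stale duplicate account."""
    corporate = UserFolder("corporate", priority=10)
    corporate.add_user("alice", "corp-secret", roles=("Manager",))
    legacy = UserFolder("legacy", priority=20)
    legacy.add_user("alice", "old-secret", roles=("Anonymous",))  # stale copy
    legacy.add_user("bob", "bob-secret", roles=("Member",))
    # Added in the "wrong" order on purpose: priority, not insertion order, decides.
    return UserDatabase(legacy, corporate)


if __name__ == "__main__":
    db = build_demo_database()
    print(db.authenticate("alice", "corp-secret"))  # corporate folder answers
    print(db.authenticate("alice", "old-secret"))   # None: corporate denies, legacy never asked
    print(db.authenticate("bob", "bob-secret"))     # legacy folder answers
    print(db.authenticate("carol", "x"))            # None: nobody knows carol
```

The mail's "simply iterate through its children" leaves open what happens when a higher-priority folder knows the user but rejects the password. If the search just continued, a stale entry in a lower-priority folder (the old "alice" above) could still log in, so the example distinguishes "unknown here" from "known and denied" and only keeps searching on the former.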