[Zope] PAM Authentication & RSA Authentication Manager

Jens Vagelpohl jens at dataflake.org
Wed Feb 2 03:17:12 EST 2005

On Feb 2, 2005, at 5:05, Tom Trelvik wrote:
> 	Okay, excellent point.  But I also don't understand why so many 
> people are using Windows as a *server* for a service that just seems 
> so much better suited for a unix environment (and with so much less 
> overhead), but that's just me.

I keep wondering about the very same thing, trust me ;)

>> You can use the LDAPUserFolder in read-only mode so it does not try 
>> to write back to the directory and store group/role information on 
>> the LDAPUserFolder itself. That way the users log in with the same 
>> credentials *and* you can manage the roles they get in the Zope 
>> context locally. It's just a matter of configuration.
> 	But would that give every user in the LDAP server Zope level access 
> to my server?  I'm still trying to figure out how to select which 
> users from the LDAP server will get accounts on my server.  Do I 
> add/remove the users manually (or programmatically) through Zope?  
> (Sorry for the newbie questions ...)

In a scenario like this you could only restrict by the following:

- where in the DIT you root the search for users
- what specific objectClass you search for

If all your users are in the same place and all the same object classes 
then they would all be able to authenticate. But only those who *you* 
picked out and assigned roles to using the configuration screens would 
get roles assigned to them during login and be authorized to access 
stuff, depending on what roles you assign inside Zope and what 
permissions are assigned to the roles.


More information about the Zope mailing list