André Roth wrote:

> In a standard Turbogears 2 project Users can be members of Groups which
> grant certain Permissions.
> However, I try to configure the tg2 app using a who.ini file, allowing
> LDAP users to login as well as the standard users.
> I am working on the repoze.who.plugins.ldap plugin.
> This works fine so far, but the local users do no longer have the group
> and permission metadata set.
>
> in my who.ini file I have:
>
> [plugin:sa_mdp]
> use = repoze.who.plugins.sa:make_sa_user_mdprovider
> user_class = prjmodel:User
> dbsession = prj.model:DBSession
>
> [mdproviders]
> plugins =
>     sa_mdp
>
> This mdprovider only sets a few attributes from the User table, since it
> doesn't know about the group and permission table.
>
> In contrast the tg2 application config:
>
> # Configure the authentication backend
> base_config.auth_backend = 'sqlalchemy'
> base_config.sa_auth.dbsession = model.DBSession
> # what is the class you want to use to search for users in the database
> base_config.sa_auth.user_class = model.User
> # what is the class you want to use to search for groups in the database
> base_config.sa_auth.group_class = model.Group
> # what is the class you want to use to search for permissions in the database
> base_config.sa_auth.permission_class = model.Permission
>
> Is there a way to configure the 'sqlalchemy' backend from tg2 in the
> who.ini ?
>
> I don't really understand how tg2 initializes the repoze stuff and how
> this can be overridden by the who.ini file.

I'm afraid I don't know how TG2 uses repoze.who (isn't it via repoze.what?).

> As a final result, I should be able to grant Permissions to LDAP groups
> in my application.
> As the tg_group_permissions table in the database is not doing type or
> consistency checking, I could easily put LDAP groups in there. This would
> of course not be manageable by the catwalk engine, but by the management
> frontend of my app.
>
> Since this will be IMHO a common usage of LDAP Authentication in tg2 and
> maybe other frameworks using repoze, this should maybe be implemented in
> the repoze.who.plugins.ldap ?

repoze.who is deliberately agnostic about any "authorization" (permissions /
roles / whatever) information: its only job is to identify the user,
including any metadata which can be computed about the user.

In your case, I would probably write a custom metadata plugin which used the
LDAP group information to compute application-specific groups (the ones
which get permissions assigned in the SQL tables). See:

  http://docs.repoze.org/who/narr.html#writing-a-metadata-provider-plugin

for information on writing one.

> What are your insights on this ?

Sorry not to have much to offer -- I just didn't want the message to fall
into the bit bucket.

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
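The custom metadata provider Tres suggests, sketched as an added example (this is not code from the thread, from repoze.who or from the repoze.who.plugins.ldap project): it maps the LDAP group DNs found in the identity to application groups, falls back to the SQL-side groups for local users, and resolves permissions from a stand-in for the tg_group_permissions rows. The only part taken from repoze.who is the documented metadata-provider contract, `add_metadata(environ, identity)` with the user id under `identity['repoze.who.userid']`; the `memberOf` key, the `make_plugin` factory shape, the DN-to-group mapping and the group and permission tables are all constructed assumptions.

```python
# Added example (not code from the thread or from repoze.who itself): a
# repoze.who metadata provider that derives application groups from the
# LDAP groups of an identity and falls back to the local SQL groups for
# non-LDAP users.  Everything below that is not part of repoze.who's
# add_metadata(environ, identity) contract is an assumption.

# A real plugin additionally declares that it implements
# repoze.who.interfaces.IMetadataProvider; the declaration is left out so
# the module runs without repoze.who installed.

# Constructed mapping: LDAP group DN -> application group name.  Only listed
# DNs grant anything, so an unexpected LDAP group confers no privilege.
LDAP_GROUP_MAP = {
    "cn=developers,ou=groups,dc=example,dc=org": "developers",
    "cn=helpdesk,ou=groups,dc=example,dc=org": "support",
}

# Constructed stand-in for the rows of tg_group_permissions.
GROUP_PERMISSIONS = {
    "developers": {"deploy", "view-logs"},
    "support": {"view-logs"},
    "admins": {"deploy", "view-logs", "manage-users"},
}

# Constructed stand-in for the SQL user -> groups relationship.
LOCAL_USER_GROUPS = {
    "alice": {"admins"},
}


def normalize_dn(dn):
    """Canonicalise a DN so lookups are not defeated by case or spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class LdapGroupMetadataProvider(object):
    """Metadata provider: adds 'groups' and 'permissions' to the identity."""

    # 'memberOf' is an assumed key: whatever key the LDAP identifier plugin
    # stores the user's group DNs under must be configured here.
    def __init__(self, group_map, group_permissions, local_user_groups,
                 ldap_groups_key="memberOf"):
        self.group_map = {normalize_dn(k): v for k, v in group_map.items()}
        self.group_permissions = group_permissions
        self.local_user_groups = local_user_groups
        self.ldap_groups_key = ldap_groups_key

    def add_metadata(self, environ, identity):
        userid = identity.get("repoze.who.userid")
        if userid is None:
            return  # nobody was identified; nothing to enrich
        groups = set()
        ldap_dns = identity.get(self.ldap_groups_key)
        if ldap_dns is not None:
            # LDAP-authenticated user: map each known DN to an app group.
            for dn in ldap_dns:
                app_group = self.group_map.get(normalize_dn(dn))
                if app_group is not None:
                    groups.add(app_group)
        else:
            # Local user: take groups from the SQL side, as sa_mdp would.
            groups.update(self.local_user_groups.get(userid, ()))
        permissions = set()
        for g in groups:
            permissions.update(self.group_permissions.get(g, ()))
        identity["groups"] = sorted(groups)
        identity["permissions"] = sorted(permissions)


def make_plugin(**kw):
    """Factory in the style of a who.ini 'use = module:factory' entry (assumed)."""
    return LdapGroupMetadataProvider(LDAP_GROUP_MAP, GROUP_PERMISSIONS,
                                     LOCAL_USER_GROUPS, **kw)


def resolve(identity):
    """Run the provider over an identity dict; return (groups, permissions)."""
    plugin = make_plugin()
    plugin.add_metadata({}, identity)
    return identity["groups"], identity["permissions"]


if __name__ == "__main__":
    # Constructed identities as the identifier plugins might produce them.
    print(resolve({"repoze.who.userid": "bob",
                   "memberOf": ["CN=Developers,OU=Groups,DC=example,DC=org",
                                "cn=unknown,ou=groups,dc=example,dc=org"]}))
    print(resolve({"repoze.who.userid": "alice"}))
```

The design choice worth noting is that an LDAP group only confers an application group if it appears in the explicit mapping, so a user who is a member of an unmapped (or mistyped) LDAP group ends up with no groups and no permissions rather than a guessed one; DNs are normalised before comparison so case differences in what the directory returns cannot cause a silent mismatch.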