
André Roth wrote:

> In a standard TurboGears 2 project, users can be members of groups which
> grant certain permissions.
> However, I am trying to configure the tg2 app using a who.ini file, allowing
> LDAP users to log in as well as the standard users.
> I am working with the repoze.who.plugins.ldap plugin.
> This works fine so far, but the local users no longer have the group
> and permission metadata set.
> In my who.ini file I have:
> [plugin:sa_mdp]
> use = repoze.who.plugins.sa:make_sa_user_mdprovider
> user_class = prjmodel:User
> dbsession = prj.model:DBSession
> [mdproviders]
> plugins =
>         sa_mdp
> This mdprovider only sets a few attributes from the User table, since it
> doesn't know about the group and permission tables.
> In contrast the tg2 application config:
> # Configure the authentication backend
> base_config.auth_backend = 'sqlalchemy'
> base_config.sa_auth.dbsession = model.DBSession
> # what is the class you want to use to search for users in the database
> base_config.sa_auth.user_class = model.User
> # what is the class you want to use to search for groups in the database
> base_config.sa_auth.group_class = model.Group
> # what is the class you want to use to search for permissions in the
> database
> base_config.sa_auth.permission_class = model.Permission
> Is there a way to configure the 'sqlalchemy' backend from tg2 in the
> who.ini ?
> I don't really understand how tg2 initializes the repoze stuff and how
> this can be overridden by the who.ini file.

I'm afraid I don't know how TG2 uses repoze.who (isn't it via repoze.what?).

> As a final result, I should be able to grant Permissions to LDAP groups
> in my application.
> As the tg_group_permissions table in the database is not doing type or
> consistency checking, I could easily put LDAP groups in there. This would
> of course not be manageable by the catwalk engine, but by the management
> frontend of my app.
> Since this will IMHO be a common usage of LDAP authentication in tg2 and
> maybe other frameworks using repoze, should this maybe be implemented in
> repoze.who.plugins.ldap?

repoze.who is deliberately agnostic about any "authorization"
(permissions / roles / whatever) information:  its only job is to
identify the user, including any metadata which can be computed about
the user.

In your case, I would probably write a custom metadata plugin which used
the LDAP group information to compute application-specific groups (the
ones which get permissions assigned in the SQL tables).  See:


for information on writing one.

> What are your insights on this ?

Sorry not to have much to offer -- I just didn't want the message to
fall into the bit bucket.

-- 
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
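A sketch of the custom metadata plugin Tres suggests, added here as an example and not code from repoze.who, repoze.who.plugins.ldap or TurboGears. It maps LDAP group DNs onto application group names with an explicit allow-list, so an LDAP group nobody configured confers nothing, and it leaves identities that did not come from LDAP (the local SQL users) untouched so the sa_mdp provider keeps handling them. Assumptions, all labelled in the code: the LDAP identifier plugin leaves the user's group DNs in the identity under a key named `memberOf`, the authorization layer reads `identity['groups']`, and the factory name `make_ldap_group_mdprovider`, the `mapping` option and the DN normalization helper are illustrative. A real plugin would additionally declare `zope.interface.implementer(IMetadataProvider)`, omitted so the example runs without repoze.who installed.

```python
"""LDAP-group -> application-group metadata provider for repoze.who.

Added example, not part of repoze.who or repoze.who.plugins.ldap.
The repoze.who IMetadataProvider contract is a single method,
add_metadata(environ, identity), which mutates the identity dict in place.
"""

# ASSUMPTION: the LDAP identifier plugin stores the user's group DNs here.
# Check what your identifier/attributes plugin actually sets before relying on it.
LDAP_GROUPS_KEY = "memberOf"

# ASSUMPTION: the authorization layer (repoze.what / TG2) reads this key.
APP_GROUPS_KEY = "groups"


def normalize_dn(dn):
    """Simplified DN normalization for comparison: lower-case and strip
    whitespace around each RDN. LDAP attribute types are case-insensitive
    and group names usually are too. Escaped commas are NOT handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_mapping(text):
    """Parse 'ldap_group_dn -> app_group' lines (one per line, '#' comments)
    as they would arrive as a string option from a who.ini section."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, group = line.partition("->")
        if not sep or not group.strip() or not dn.strip():
            raise ValueError("bad mapping line: %r" % line)
        mapping[normalize_dn(dn)] = group.strip()
    return mapping


class LDAPGroupMetadataProvider(object):
    """Computes application groups from LDAP group membership.

    Only DNs present in the configured mapping produce a group (allow-list);
    identities without LDAP group data are left alone.
    """

    def __init__(self, mapping):
        self.mapping = mapping

    def add_metadata(self, environ, identity):
        raw = identity.get(LDAP_GROUPS_KEY)
        if raw is None:
            return  # not an LDAP identity: let the SQL mdprovider handle it
        if isinstance(raw, (str, bytes)):
            raw = [raw]
        groups = set()
        for dn in raw:
            if isinstance(dn, bytes):      # python-ldap returns bytes values
                dn = dn.decode("utf-8")
            app_group = self.mapping.get(normalize_dn(dn))
            if app_group is not None:
                groups.add(app_group)
        identity[APP_GROUPS_KEY] = sorted(groups)


def make_ldap_group_mdprovider(mapping=""):
    """Hypothetical who.ini factory:
    [plugin:ldap_groups]
    use = yourpkg.who_ldap_groups:make_ldap_group_mdprovider
    mapping = cn=developers,ou=groups,dc=example,dc=com -> developers
    """
    return LDAPGroupMetadataProvider(parse_mapping(mapping))


# Constructed sample data, not from any real directory.
SAMPLE_MAPPING = """
# LDAP group DN                              -> application group
cn=developers,ou=groups,dc=example,dc=com    -> developers
cn=helpdesk,ou=groups,dc=example,dc=com      -> support
"""


def demo():
    """Run the provider over a constructed LDAP identity and a local one."""
    mdp = make_ldap_group_mdprovider(mapping=SAMPLE_MAPPING)
    ldap_identity = {
        "repoze.who.userid": "aroth",
        "memberOf": [b"CN=Developers,OU=Groups,DC=example,DC=com",
                     "cn=everyone,ou=groups,dc=example,dc=com"],  # unmapped
    }
    local_identity = {"repoze.who.userid": "localadmin"}
    mdp.add_metadata({}, ldap_identity)
    mdp.add_metadata({}, local_identity)
    return ldap_identity, local_identity


if __name__ == "__main__":
    print(demo())
```

Listing `ldap_groups` after `sa_mdp` under `[mdproviders]` keeps both: the SQL provider fills in the local users, this one fills in LDAP users, and neither overwrites the other because each returns early on identities it does not recognise. Because the mapping is an allow-list, the untyped `tg_group_permissions` rows never need to hold raw LDAP DNs; permissions stay attached to the application's own group names.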

Repoze-dev mailing list
