I spent approximately a week's work (spread over a month) to get the PAU configured with my PostgreSQL database.

When I look at what I am doing now, it seems very complicated. Please have a look at the following and let me know if I am doing it the hard way. This may also be helpful for anyone trying to achieve the same result.

Here are my notes:

Notes on Setting up an external authentication system for Zope3
===============================================================

I use an external database to store my data.

1. My Security Model
=====================

I have three types of users (principal), members, casting directors and administrators. The login information (login name, password and roles) is stored in a relational database. I am migrating a Zope 2 system exUserFolder based solution.

The Zope3 concept of a role is different from the Zope2 concept. In Zope3, roles are bundles of permissions only. The user (principal) side of the functionality is provided by groups.

I configure my security rules in the code using permissions, and I bundle these permissions for logical users using role ZCML statements.

In the Zope ZMI I configure a PAU with three groups. I map my users (principals) to the groups from the database.

In the Zope ZMI I use the grant tab in the [top] folder to map the roles to permissions.

Thus my relationships are:

    principals -> grouped mapped to groups in database
    groups     -> mapped to roles in grant at root (ZMI)
    roles      -> mapped to permissions in ZCML

2. Configuring PAU
===================

I wrote three plugins for the PAU to get this configuration to work.

1. I wrote a PrincipalFolder. The PrincipalFolder provides authentication for the principals. It also provides lists of principals for Rotterdam UI.

2. I wrote a Group. The Group maps a single group to the members of that group.

3. I wrote a GroupFolder. The default GroupFolder caches the data in the Group. To update the default GroupFolder you have to trigger events. The external database updates do not trigger events so this model has to be replaced.

I have to do the following configurations:

1. In the manage site -> default folder create a PAU.

2. Configure the credentials plugin. For now I use: 'Zope Realm Basic-Auth (a utility)' and 'No Challenge if Authenticated (a utility)'

3. I select the PAU Plugins tab.
   I create my principal Folder
   I go back to the PAU Configure Tab and add my Principal Folder to the Authenticator Plugins

5. I select the PAU Plugins tab
   I create my group folder
   I select the new group folder
   I add three new group objects. The object name maps to the 'role' on my database

6. I go back to the PAU Configure Tab
   I add the new group folder to my Authenticator Plugins

7. I select the registration tab.
   I register the PAU

8. I go to the [top]
   I select the grant tab
   I use this to grant the configured roles to the new groups

9. I edit the page template and add in the following to print out the logged in person information:

    <b>Developer Info:</b><br>
    Context: <span tal:replace="nocall: context"></span> <br>
    Logged in user: <span tal:replace="request/principal/id"></span> <br>
    Groups: <span tal:replace="request/principal/groups"></span> <br>

10. I login with the user from the database. The groups should be displayed in the developer info block.

Issues
======

This solution requires a second database call to get the group after the Principal has been configured. I may have to cache when I tune the system.

I have a prefix on the user. The user ids map to prefix + the database user id. The principal prefix is hard coded in the group folder to generate compatible zope principal ids.

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
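The two lookups described in the notes above (authenticate against the database, then resolve groups from a prefixed principal id without caching), as an added example that is not the poster's code. Assumptions: the classes are plain Python stand-ins that only borrow the plugin method names and do not import Zope, in-memory SQLite stands in for PostgreSQL, and the table layout, both prefixes and the PBKDF2 password storage are hypothetical.

```python
import hashlib
import hmac
import sqlite3

USER_PREFIX = "pg."      # assumed principal prefix (hard coded, as in the notes)
GROUP_PREFIX = "group."  # assumed group folder prefix

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data; salts are fixed here, use os.urandom for real ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE,"
                 " salt BLOB, pw BLOB, role TEXT)")
    for uid, login, pw, role in [(1, "alice", "s3cret", "members"),
                                 (2, "bob", "hunter2", "administrators")]:
        salt = bytes([uid]) * 16
        conn.execute("INSERT INTO users VALUES (?,?,?,?,?)",
                     (uid, login, salt, pw_hash(pw, salt), role))
    return conn

class DbPrincipalFolder:
    def __init__(self, conn):
        self.conn = conn

    def authenticateCredentials(self, credentials):
        """Return the prefixed principal id, or None if the login fails."""
        row = self.conn.execute("SELECT id, salt, pw FROM users WHERE login = ?",
                                (credentials["login"],)).fetchone()
        # Unknown logins still run the hash, so both failures take the same path.
        uid, salt, stored = row or (None, b"\0" * 16, b"")
        ok = hmac.compare_digest(pw_hash(credentials["password"], salt), stored)
        return USER_PREFIX + str(uid) if row and ok else None

class DbGroupFolder:
    def __init__(self, conn):
        self.conn = conn

    def getGroupsForPrincipal(self, principal_id):
        """Query on every call: no cache, so database edits need no Zope events."""
        if not principal_id.startswith(USER_PREFIX):
            return []  # id was issued by some other authenticator
        uid = principal_id[len(USER_PREFIX):]
        if not uid.isdecimal():
            return []
        rows = self.conn.execute("SELECT role FROM users WHERE id = ?", (int(uid),))
        return [GROUP_PREFIX + role for (role,) in rows]
```

Both queries are parameterised, and the group lookup rejects ids that lack the prefix before touching the database, so ids from other plugins never reach SQL.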