I'm trying to determine the best approach to an issue, and would appreciate feedback.
In an enterprise environment with multiple web2py applications, we need a way to manage users / groups. We utilize AD for authentication, and, operating in Python 2.7, we are able to use AD and retrieve AD groups. We are running into issues with Python 3 in the same setup, and would prefer to have a single web2py instance handle authentication and group membership for all web2py applications to avoid code / resource duplication. I am envisioning three potential solutions and all seem ugly, so I hope I am just missing something obvious.

1 - Create a single web2py app and use it as a CAS provider. The issue is that CAS doesn't share group membership, so we would need to develop a mechanism to load an extra field in auth_user with groups the user is a member of, then update those groups in the consumer, and after login, populate the consumer's auth_group and auth_memberships. This is cumbersome, and would result in auth tables spread across several databases, which has a smell.

2 - Have all web2py applications handle auth on their own. The issue is that the code around auth (the login page view, settings, etc.) will end up being shared a bunch, and like the first solution, auth tables are spread all over.

3 - Use a shared auth database. This solves the issue of auth tables spread across tons of databases from 1 and 2. If we use CAS to point to a single web2py CAS provider, will we run into any issues with a shared database? This might be the ideal solution, but it seems likely to have small random bugs related to sharing an auth database.

