I spent approximately a weeks work (spread over a month) to get the PAU
configured with my PostgreSQL database.
When I look at what I am doing now, it seems very complicated. Please have
a look at the following and let me know if I am doing it the hard way.
This may also be helpful for anyone trying to achieve the same result.
Here is my notes:
Notes on Setting up an external authentication system for Zope3
I use an external database to store my data.
1. My Security Model
I have three types of users (principal), members, casting directors and
administrators. The login information (login name, password and roles) are
stored in a relational database. I am migrating a Zope 2 system
exUserFolder based solution.
The Zope3 concept of a role is different from the Zope2 concept. In Zope3,
roles are bundles of permissions only. The user (principal) side of the
functionality is provided by groups.
I configure my security rules in the code using permissions, and I bundle
these permissions for logical users using role ZCML statements.
In the Zope ZMI I configure a PAU with three groups. I map my users
(principals) to the groups from the database. In the Zope ZMI I use the
grant tab in the [top] folder to map the roles to permissions.
Thus my relationships are:
principals -> grouped mapped to groups in database
groups -> mapped to roles in grant at root (ZMI)
roles -> mapped to permissions in ZCML
2. Configuring PAU
I wrote three plugins for the PAU to get this configuration to work.
1. I wrote a PrincipalFolder. The PrincipalFolder provides authentication
for the principals. It also provides lists of principals for Rotterdam
2. I wrote a Group. The Group maps a single group to the members of that
3. I wrote a GroupFolder. The default GroupFolder caches the data in the
Group. To update the default GroupFolder you have to trigger events.
The external database updates do not trigger events so this model has
to be replaced.
I have to do the following configurations:
1. In the manage site -> default folder create a PAU.
2. Configure the credentials plugin. For now I use :
'Zope Realm Basic-Auth (a utility)' and
'No Challenge if Authenticated (a utility)'
3. I select the PAU Plugins tab.
I create my principal Folder
I go back to the PAU Configure Tab and add my Principal Folder to
the Authenicator Plugins
5. I select the PAU Plugins tab
I create my group folder
I select the new group folder
I add three new group objects. The object name maps to the 'role' on
6. I go back to the PAU Configure Tab
I add the new group folder to my Authenticator Plugins
7. I select the registration tab.
I register the PAU
8. I go the the [top]
I select the grant tab
I use this to grant the configured roles to the new groups
9. I edit the page template and add in the following to print out the
logged in person information:
Context: <span tal:replace="nocall: context"></span> <br>
Logged in user: <span tal:replace="request/principal/id"></span> <br>
Groups: <span tal:replace="request/principal/groups"></span> <br>
10. I login with the user from the database. The groups should be
displayed in the developer info block.
This solution requires a second database call to get the group after the
Principal has been configured. I may have to cache when I tune the system.
I have a prefix on the user. The user ids map to prefix + the database
user id. The principal prefix is hard coded in the group folder to
generate compatible zope principal ids.
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -