[Zope-dev] LDAPUserFolder
Hi Jens,

one question about the possibilities of LDAPUserFolder: We decide to install only one LDAPUserFolder in the Root-Folder and configure it to do the authentications against LDAP. In the subfolders we want to install 'LDAPUserFolders' which should not be configured again, but use the top-level LDAPUserFolder. In these 'LDAPUserFolders' the groups management would be done on the basis of an LDAP-Group to Zope-Role mapping.

Do you think it is possible to split this feature from LDAPUserFolder (with a little programming)? Where should I look when programming this, and what do I need to take care of?

Regards, Dirk

___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] LDAPUserFolder
well, if all the user folders are configured the same way *except* for the groups-to-role bit then you should get the functionality you need.

it's not trivial to program something that would allow retrieval of a user object at the root and then somehow mangle the list of roles based on where you are in the site.

you might be able to patch the folder class so that local roles are computed instead of just looked up, but that's hackish.

jens

On Wednesday, May 1, 2002, at 08:32, Dirk Datzert wrote:

> Hi Jens,
>
> one question about the possibilities of LDAPUserFolder: We decide to install only one LDAPUserFolder in the Root-Folder and configure it to do the authentications against LDAP. In the subfolders we want to install 'LDAPUserFolders' which should not be configured again, but use the top-level LDAPUserFolder. In these 'LDAPUserFolders' the groups management would be done on the basis of an LDAP-Group to Zope-Role mapping.
>
> Do you think it is possible to split this feature from LDAPUserFolder (with a little programming)? Where should I look when programming this, and what do I need to take care of?
>
> Regards, Dirk
Re: [Zope-dev] LDAPUserFolder
Jens Vagelpohl wrote:

> well, if all the user folders are configured the same way *except* for the groups-to-role bit then you should get the functionality you need.

Yes, I expect that. But what if you have 100 user-folders configured and need to change one option? A lot of work.

> it's not trivial to program something that would allow retrieval of a user object at the root and then somehow mangle the list of roles based on where you are in the site.

What about the following: Have a central point of Configure, LDAP Schema, Custom Forms for all LDAPUserFolders, and Caches, Users, Groups are local? And do lookups again, not computed.

> you might be able to patch the folder class so that local roles are computed instead of just looked up, but that's hackish.
>
> jens
>
> On Wednesday, May 1, 2002, at 08:32, Dirk Datzert wrote:
>
>> Hi Jens,
>>
>> one question about the possibilities of LDAPUserFolder: We decide to install only one LDAPUserFolder in the Root-Folder and configure it to do the authentications against LDAP. In the subfolders we want to install 'LDAPUserFolders' which should not be configured again, but use the top-level LDAPUserFolder. In these 'LDAPUserFolders' the groups management would be done on the basis of an LDAP-Group to Zope-Role mapping.
>>
>> Do you think it is possible to split this feature from LDAPUserFolder (with a little programming)? Where should I look when programming this, and what do I need to take care of?
>>
>> Regards, Dirk
Re: [Zope-dev] LDAPUserFolder
i guess what you would need is an object that looks like a user folder but most calls are redirected to a second, real, user folder. this object would need to implement the typical user folder API and redirect most calls, but override those methods that retrieve/compute the roles for a given user.

jens

On Wednesday, May 1, 2002, at 08:59, Dirk Datzert wrote:

> Jens Vagelpohl wrote:
>
>> well, if all the user folders are configured the same way *except* for the groups-to-role bit then you should get the functionality you need.
>
> Yes, I expect that. But what if you have 100 user-folders configured and need to change one option? A lot of work.
>
>> it's not trivial to program something that would allow retrieval of a user object at the root and then somehow mangle the list of roles based on where you are in the site.
>
> What about the following: Have a central point of Configure, LDAP Schema, Custom Forms for all LDAPUserFolders, and Caches, Users, Groups are local? And do lookups again, not computed.
>
>> you might be able to patch the folder class so that local roles are computed instead of just looked up, but that's hackish.
>>
>> jens
>>
>> On Wednesday, May 1, 2002, at 08:32, Dirk Datzert wrote:
>>
>>> Hi Jens,
>>>
>>> one question about the possibilities of LDAPUserFolder: We decide to install only one LDAPUserFolder in the Root-Folder and configure it to do the authentications against LDAP. In the subfolders we want to install 'LDAPUserFolders' which should not be configured again, but use the top-level LDAPUserFolder. In these 'LDAPUserFolders' the groups management would be done on the basis of an LDAP-Group to Zope-Role mapping.
>>>
>>> Do you think it is possible to split this feature from LDAPUserFolder (with a little programming)? Where should I look when programming this, and what do I need to take care of?
>>>
>>> Regards, Dirk
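The delegating object described in the last reply of this thread, as an added example that is not LDAPUserFolder code and not part of the thread: a stand-in root folder does the lookup, and each subfolder object only maps LDAP groups to roles. The class names, getGroups and the sample directory are assumptions; getUser, getUserNames, getUserName and getRoles follow the usual Zope user folder method names.

```python
class RootUser:
    """Stand-in for a user object from the one configured root folder."""
    def __init__(self, name, ldap_groups):
        self._name, self._groups = name, tuple(ldap_groups)
    def getUserName(self):
        return self._name
    def getGroups(self):  # hypothetical accessor for the user's LDAP groups
        return self._groups

class RootUserFolder:
    """Stand-in for the root LDAPUserFolder: the only place that is configured."""
    def __init__(self, directory):
        self._directory = directory  # constructed data in place of an LDAP query
    def getUser(self, name):
        groups = self._directory.get(name)
        return None if groups is None else RootUser(name, groups)
    def getUserNames(self):
        return sorted(self._directory)

class LocalRoleUser:
    """Wraps a root user; only the role list is computed locally."""
    def __init__(self, user, roles):
        self._user, self._roles = user, roles
    def getRoles(self):
        return self._roles
    def __getattr__(self, attr):  # everything else is answered by the root user
        return getattr(self._user, attr)

class RoleMappingFolder:
    """Looks like a user folder, redirects to the root one, maps groups locally."""
    def __init__(self, root_folder, group_to_role):
        self._root, self._map = root_folder, dict(group_to_role)
    def getUser(self, name):
        user = self._root.getUser(name)
        if user is None:
            return None
        # A group with no local mapping grants nothing in this subfolder.
        mapped = {self._map[g] for g in user.getGroups() if g in self._map}
        # Zope gives every logged-in user the Authenticated role.
        return LocalRoleUser(user, tuple(sorted(mapped | {"Authenticated"})))
    def __getattr__(self, attr):  # redirect the rest of the API to the root folder
        return getattr(self._root, attr)

# Constructed sample data: one directory, two subfolders with different mappings.
ROOT = RootUserFolder({"dirk": ["cn=editors", "cn=staff"], "jens": ["cn=admins"]})
INTRANET = RoleMappingFolder(ROOT, {"cn=editors": "Editor", "cn=admins": "Manager"})
PUBLIC = RoleMappingFolder(ROOT, {"cn=admins": "Reviewer"})

if __name__ == "__main__":
    print(INTRANET.getUser("dirk").getRoles(), PUBLIC.getUser("dirk").getRoles())
```

Forwarding with `__getattr__` also exposes every management method of the root folder through each subfolder object; listing the forwarded methods explicitly keeps that surface known.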
[Zope-dev] copy/paste security
Hi,

It is common knowledge that we can restrict access to an object by taking away many of the permissions from the security manager in the ZMI. Especially in the case of some objects like Oracle database connections, you don't want other people to be able to snag your connect string which contains username and password information.

However, if a user has access to any folder on the system, they can programmatically (and in some cases use the ZMI) copy the objects to another location. For example, if a user can view the management screens in a folder, they can copy an object, paste it to another location, give himself Manager local roles, and then view the connect string. This works basically for every object.

The problem is the CopySupport._canCopy method, which always returns 1 (true). It looks like this should be overridden for special products, but the base functionality should do some basic permission checking to determine if the object is copyable or should be copied.

Below is a diff for OFS/CopySupport which adds a check to _canCopy to look for the Access contents information permission.

-Chris

--
Christopher N. Deckard | Lead Web Systems Developer
[EMAIL PROTECTED] | Engineering Computer Network
http://www.ecn.purdue.edu/ | Purdue University
zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)\005w')
--- --- CopySupport.py.orig Wed May 1 14:59:46 2002 +++ CopySupport.py Wed May 1 15:02:34 2002
@@ -382,7 +382,9 @@ def _canCopy(self, op=0): Called to make sure this object is copyable. The op var is 0 for a copy, 1 for a move. -return 1 +if self.REQUEST.AUTHENTICATED_USER.has_permission('Access contents +information', self): +return 1 +return 0 def _notifyOfCopyTo(self, container, op=0): Overide this to be pickly about where you go! If you dont
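Review bot: The added check in _canCopy reads the user from self.REQUEST.AUTHENTICATED_USER, so it only works when the object is acquisition-wrapped inside a request; a programmatic copy of an object that cannot reach REQUEST raises AttributeError instead of returning 0. Asking the security manager, for example getSecurityManager().checkPermission('Access contents information', self) from AccessControl, removes the REQUEST dependency. As posted, the permission string is wrapped across two + lines ('Access contents / information'), which splits a string literal, so the patched file will not compile until the name is back on one line. The op argument is still ignored, so a move (op=1) gets exactly the same check as a copy; if that is intended, the docstring should say so.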
[Zope-dev] Threaded Database Access
I'm using Zope/Zserver 2.2.4, ZODBCDA v3.1.0b2 and SQL Server 2000. I've noticed that pages generated from database queries are definitely single threaded, and these pages are the bulk of my site. My poking around seems to indicate that ZODBCDA is the single-threaded culprit, and some emails from the list over the last couple months seem to confirm that.

The volume of my site and the size of the database (hence query response times) are getting to the point that this is a concern. So I'm investigating my options, including:

1) Cluster the web site with multiple single processor machines.
2) Move to a database that Zope supports multi-threaded access to.
3) ?

I've been considering a move to Oracle or PostgreSQL/MySQL for other reasons, but I'm not going to do it just for yucks. Extending and populating my site gives better return than porting the database. I'd like to make sure I'll get return on my time investment.

I saw a document on the Zope web site from 1999 that talked about labeling Zope DAs Level 1, 2 or 3 based on their sophistication, but I don't see any of the current DAs labeled as such. There was text in the Oracle and MySQL DA descriptions that seem to imply multi-threaded behavior though.

I'm looking for the info from the community on:

1. Is the ZODBCDA single-threaded and might that change anytime soon?
2. Can someone confirm that the Oracle, PostgreSQL or MySQL DAs are multi-threaded.
3. Does the multi-threading require using the Zope Session facility or some other feature? (My site uses FSSession.)

Thanks in advance for any input.

Jeff Nielsen / UgoFast
http://www.UgoFast.com
[EMAIL PROTECTED]