forked from ScoDoc/ScoDoc
672 lines
24 KiB
Plaintext
672 lines
24 KiB
Plaintext
|
The Unenlightened Zopistas Guide to exUserFolder.
|
||
|
(C) 2001-2003 Andrew Milton <akm@theinternet.com.au>
|
||
|
|
||
|
0. INTRODUCTION.
|
||
|
|
||
|
exUserFolder is an extensible authentication product for the Zope
|
||
|
Application Server. It allows a user to choose from a number of
|
||
|
methods of authenticating their users, and allows the setting and
|
||
|
fetching of arbitrary properties on a User object.
|
||
|
|
||
|
Authentication methods, and Property methods do not have to use the
|
||
|
same backing store, so it is possible to use legacy user sources, and
|
||
|
still have configuration information stored about a user.
|
||
|
|
||
|
exUserFolder supports HTTP Basic Authentication, and the so called
|
||
|
Cookie Authentication schemes popular with most webservers.
|
||
|
|
||
|
0.1 Audience.
|
||
|
|
||
|
Everybody, and Nobody. If we build our product correctly, we shouldn't
|
||
|
need user documentation, that's why Nobody. For some reason, normal
|
||
|
sane people seem to lose all of their common sense when sitting in
|
||
|
front of a computer. To the point where plain messages e.g. "Please
|
||
|
Insert a Floppy", evoke a response of "What does that mean?" So that's
|
||
|
why this document is for Everybody.
|
||
|
|
||
|
This is not a guide for writing your own authentication, property, or
|
||
|
membership sources. You need the Zen Masters Guide to exUserFolder
|
||
|
document for that.
|
||
|
|
||
|
|
||
|
1. GETTING STARTED
|
||
|
|
||
|
exUserFolder requires Python 2.1 or above (may work with older
|
||
|
pythons, but, this is not supported). And has been tested on Zope
|
||
|
2.3.0 and above (including 2.4.3).
|
||
|
|
||
|
exUserFolder comes as a source tarball, and it does not rely on any
|
||
|
outside dependencies to be work. Some items may require additional
|
||
|
products to be installed in your Zope tree, but, simply will not
|
||
|
appear if these are not available. Some items may also require
|
||
|
external products to add functionality to them, but, at no time should
|
||
|
the Product not install because of these dependencies.
|
||
|
|
||
|
|
||
|
1.1 Installing exUserFolder.
|
||
|
|
||
|
Unpack exUserFolder in your Products directory. This can be achieved by
|
||
|
executing the following on most UNIX systems.
|
||
|
|
||
|
gzip -d -c exUserFolder-Ma_Mi_u.tgz | tar xvf -
|
||
|
|
||
|
where exUserFolder-Ma_Mi_u.tgz is the version of exUserFolder you have
|
||
|
downloaded.
|
||
|
|
||
|
On systems that have the GNU tar this can be shortened to;
|
||
|
|
||
|
tar zxvf exUserFolder-Ma_Mi_u.tgz
|
||
|
|
||
|
You should restart Zope after unpacking. Installing the product will not
|
||
|
affect your Zope installation in anyway.
|
||
|
|
||
|
If you go to Folder inside your Zope Management Interface, you should see
|
||
|
exUserFolder as a dropdown item near the bottom somewhere.
|
||
|
|
||
|
Congratulations, it's installed.
|
||
|
|
||
|
|
||
|
2. AUTHENTICATION SOURCES AND YOU.
|
||
|
|
||
|
The only mandatory component of an exUserFolder installation, is
|
||
|
choosing an Authentication Source. There are six Authentication
|
||
|
Sources to choose from in the default install. There are other add-on
|
||
|
Sources available from other parties.
|
||
|
|
||
|
Each Authentication Source is different, and assumes at least some
|
||
|
knowledge of that type of authentication scheme.
|
||
|
|
||
|
Most if not all sources store the password encrypted in some
|
||
|
manner. This means that discovering other people's passwords is going
|
||
|
to be more difficult, than with the standard user folder that comes
|
||
|
with Zope.
|
||
|
|
||
|
By default crypt or fcrypt are used, which is are DES encryption
|
||
|
methods. While this is not the strongest, fastest, choose another
|
||
|
superlative, of encryption techniques, it is certainly adequate for
|
||
|
protecting webpages.
|
||
|
|
||
|
In a later release exUserFolder will allow you to choose what method
|
||
|
is used for password hashing.
|
||
|
|
||
|
Some Authentication Sources can list the users that are available,
|
||
|
some cannot (or will not). Some allow you to add users, and others do
|
||
|
not. What features are availble depend on the individual
|
||
|
Authentication Source.
|
||
|
|
||
|
|
||
|
2.1 ZODB Authentication Source
|
||
|
|
||
|
The ZODB Authentication Source operates just like a normal User
|
||
|
Folder. It stores its authentication items in the ZODB as the name
|
||
|
suggests. This is the simplest folder to setup, requiring no
|
||
|
parameters.
|
||
|
|
||
|
Choosing ZODB Authentication Source is recommended for testing your install.
|
||
|
|
||
|
|
||
|
2.2 File Based Authentication.
|
||
|
|
||
|
File Based Authentication allows you to have a fixed set of users in a
|
||
|
file with their encrypted passwords. The prerequisites for this are
|
||
|
somewhat convoluted.
|
||
|
|
||
|
In the root of your Zope Installation, on the actual file system (not
|
||
|
in the ZODB), create a directory called exUsers. Make sure that Zope
|
||
|
has access to that directory.
|
||
|
|
||
|
This is the directory where you will create your files.
|
||
|
|
||
|
This is a read only Authentication Source. You will not be able to
|
||
|
create users, or modify their passwords. You can change their roles if you
|
||
|
choose a Property Source.
|
||
|
|
||
|
There are two parameters asked for;
|
||
|
|
||
|
2.2.1 Password File
|
||
|
|
||
|
This is the name of the file that contains your users and passwords.
|
||
|
It should be of the format;
|
||
|
|
||
|
username:cryptedPassword
|
||
|
user2:otherCryptedPasswd
|
||
|
|
||
|
I can contain other fields after the password also delimited by : but these
|
||
|
will not be ussed.
|
||
|
|
||
|
This file should exist inside the exUsers directory.
|
||
|
|
||
|
2.2.2 Default Role
|
||
|
|
||
|
This is the role that all users should be given when the log in. Because this
|
||
|
is a Read Only authentication source, you may not be able to add Roles at a
|
||
|
later date.
|
||
|
|
||
|
|
||
|
2.3 Postgresql Authentication Source
|
||
|
|
||
|
Postgresql Authentication source is an RDBMS backed user store. You
|
||
|
can add, change, and list users. It requires a Postgresql Database
|
||
|
Connection to be created before creating the User Folder.
|
||
|
|
||
|
You should be familiar with databases, and with your schema before
|
||
|
using this Authentication Source. If you don't already have a table
|
||
|
structure in place, a default schema is provided called 'pgScheme.sql'
|
||
|
in the exUserFolder distribution.
|
||
|
|
||
|
The required schema is very simple. You need to store usernames,
|
||
|
passwords, and roles. If your existing schema doesn't support a roles
|
||
|
column you will have to add one.
|
||
|
|
||
|
The configuration scheme looks daunting, but, it is setup to use the
|
||
|
defaults for 'pgScheme.sql' so if you're using this you can safely
|
||
|
continue.
|
||
|
|
||
|
We will run through the items.
|
||
|
|
||
|
2.3.1 Database Connection
|
||
|
|
||
|
If you have any database connections, they will be listed in the drop
|
||
|
down box. Choose the one that represents your connection to your users
|
||
|
table.
|
||
|
|
||
|
2.3.2 Table Name
|
||
|
|
||
|
This is the name of the table containing your users. If you have a
|
||
|
different table to the default, you should change it here.
|
||
|
|
||
|
2.3.3 Username Column
|
||
|
|
||
|
This is the name of the column inside your table that contains the
|
||
|
usernames or logins of your users. This should contain exactly what
|
||
|
the user needs to type in as their username.
|
||
|
|
||
|
|
||
|
2.3.4 Password Column
|
||
|
|
||
|
This is the name of the column inside your table that contains the
|
||
|
encrypted passwords of your users.
|
||
|
|
||
|
|
||
|
2.3.5 Roles Column
|
||
|
|
||
|
This is where the roles are stored. These are used to provide access
|
||
|
to items in Zope.
|
||
|
|
||
|
|
||
|
2.4 User Supplied Authentication Source
|
||
|
|
||
|
This allows you to create your methods in DTML, PythonScripts,
|
||
|
External Methods, or any other callable Zope item for listing,
|
||
|
authenticating, adding and changing your users.
|
||
|
|
||
|
It is beyond the scope of this guide to describe how to do this, but,
|
||
|
the API is quite well defined inside the source, and also in the
|
||
|
README.API document.
|
||
|
|
||
|
This Authentication Source has no configuration parameters.
|
||
|
|
||
|
|
||
|
2.5 RADIUS Authentication Source
|
||
|
|
||
|
This allows you to authenticate your users against a RADIUS server. If
|
||
|
you don't know what this means, then this User Source is not for you
|
||
|
:-)
|
||
|
|
||
|
You will require a RADIUS server to be operating, and for the server
|
||
|
that Zope is running on to have access to it. You will also need to
|
||
|
know the secret key to access the RADIUS server.
|
||
|
|
||
|
2.5.1 Host
|
||
|
|
||
|
This is the host your RADIUS server is running on.
|
||
|
|
||
|
2.5.2 Port
|
||
|
|
||
|
This is the port your RADIUS server is running on. Older installs may
|
||
|
require this to be 1645. The new 'blessed' port by IANA is 1812, and
|
||
|
this is now the default port.
|
||
|
|
||
|
2.5.3 Secret
|
||
|
|
||
|
Every remote host has a secret key it has to share with the server in
|
||
|
order to gain access to the authentication server. You need to know
|
||
|
this.
|
||
|
|
||
|
2.5.4 Retries
|
||
|
|
||
|
Because this is a networked authentication service, errors can
|
||
|
occur. This sets the number of times it will try to authenticate
|
||
|
before giving up.
|
||
|
|
||
|
2.5.5 Timeout
|
||
|
|
||
|
This is how long the RADIUS authenticator will wait for a
|
||
|
response. Because RADIUS operates over UDP, which is a connectionless
|
||
|
protocol, answers may never come back, or never reach their
|
||
|
destination in the first place.
|
||
|
|
||
|
The default is 5 seconds which is actually quite a long time.
|
||
|
|
||
|
|
||
|
2.6 SMB Authentication Source
|
||
|
|
||
|
This source allows you to authenticate your users in a Microsoft
|
||
|
Environment, using the SMB protocols. This is not the same as
|
||
|
authenticating via Directory Services.
|
||
|
|
||
|
If your SMB server requires passwords to be encrypted in transit, you'll
|
||
|
need to install mxCrypto.
|
||
|
|
||
|
2.6.1 Host
|
||
|
|
||
|
This is the host that your Authentication service is on, this is
|
||
|
normally an NT or Win2K server, but, it can also be a UNIX box running
|
||
|
Samba. This should be the NetBIOS name of the server.
|
||
|
|
||
|
2.6.2 Domain
|
||
|
|
||
|
This is the NT/Windows DOMAIN that the user is to authenticate
|
||
|
against.
|
||
|
|
||
|
2.6.3 WINS Server IP Address (optional)
|
||
|
|
||
|
If provided, this should be the IP address of the WINS server to be
|
||
|
queried to locate your auth host (see 2.5.1 above).
|
||
|
|
||
|
If you leave this field empty, the location of the authentication host
|
||
|
will be queried by broadcast, which works just fine if the Zope
|
||
|
machine is on the same subnet as your auth host but not if the auth
|
||
|
host is across a subnet link or if it's in the same machine as Zope
|
||
|
(don't ask. Apparently, some braindmamaged creature at M$ decided that
|
||
|
a machine shouldn't answer to its own broadcasts no matter what)
|
||
|
|
||
|
Fill in this field if you are getting "NetBIOSTimeout" errors but you
|
||
|
are sure that your auth host was specified correctly, or if Windows
|
||
|
machines in your subnet also use a WINS server.
|
||
|
|
||
|
|
||
|
2.7 LDAP Authentication
|
||
|
|
||
|
This source allows you to authenticate your users against an LDAP
|
||
|
server. This code is based on the auth_ldap module for Apache. The
|
||
|
documentation for these parameters is unashamedly lifted directly from
|
||
|
the documentation of the Apache directives for auth_ldap.
|
||
|
|
||
|
See: http://www.rudedog.org/auth_ldap/
|
||
|
|
||
|
You must choose a property source when using LDAP Authentication, all
|
||
|
of the properties associated with the LDAP user entry are stored as
|
||
|
properties when they authenticate. Items with multiple entries are
|
||
|
stored as a list of items.
|
||
|
|
||
|
You will need the pyLDAP module installed to use this authsource.
|
||
|
If you don't have it installed, you will not see an LDAP Auth Source available
|
||
|
for use.
|
||
|
|
||
|
2.7.1 URL
|
||
|
|
||
|
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax
|
||
|
of the URL is
|
||
|
ldap://host:port/basedn?attribute?scope?filter
|
||
|
|
||
|
ldap For regular ldap, use the string ldap. For secure LDAP, use ldaps
|
||
|
instead. Secure LDAP is only available if auth_ldap was compiled with
|
||
|
SSL support.
|
||
|
host:port The name/port of the ldap server (defaults to localhost:389 for ldap,
|
||
|
and localhost:636 for ldaps).
|
||
|
|
||
|
Once a connection has been made to a server, that connection remains
|
||
|
active for the life of the Zope process, or until the LDAP server
|
||
|
goes down.
|
||
|
|
||
|
If the LDAP server goes down and breaks an existing connection,
|
||
|
the Auth Source will attempt to re-connect
|
||
|
|
||
|
basedn The DN of the branch of the directory where all searches should start
|
||
|
from. At the very least, this must be the top of your directory tree,
|
||
|
but could also specify a subtree in the directory.
|
||
|
|
||
|
attribute The attribute to search for. Although RFC 2255 allows a
|
||
|
comma-separated list of attributes, only the first attribute will be
|
||
|
used, no matter how many are provided. If no attributes are provided,
|
||
|
the default is to use uid. It's a good idea to choose an attribute
|
||
|
that will be unique across all entries in the subtree you will be
|
||
|
using.
|
||
|
|
||
|
scope The scope of the search. Can be either one or sub. Note that a scope
|
||
|
of base is also supported by RFC 2255, but is not supported by this
|
||
|
module. If the scope is not provided, or if base scope is specified,
|
||
|
the default is to use a scope of sub.
|
||
|
|
||
|
filter A valid LDAP search filter. If not provided, defaults to (objectClass
|
||
|
=*), which will search for all objects in the tree.
|
||
|
|
||
|
When doing searches, the attribute, filter and username passed by the HTTP
|
||
|
client are combined to create a search filter that looks like (&(filter)
|
||
|
(attribute=username)).
|
||
|
|
||
|
For example, consider an URL of ldap://ldap.xuf.com/o=XUF?cn?sub?(posixid
|
||
|
=*). When a client attempts to connect using a username of The Jester, the
|
||
|
resulting search filter will be (&(posixid=*)(cn=The Jester)).
|
||
|
|
||
|
|
||
|
2.7.2 Bind DN
|
||
|
|
||
|
An optional Distinguished Name user to bind to the server when searching
|
||
|
for entries. If not provided an Anonymous bind will be used.
|
||
|
|
||
|
2.7.3 Bind Password.
|
||
|
A bind password to use in conjunction with the bind DN. Note that the bind
|
||
|
password is probably sensitive data, and should be properly protected. You
|
||
|
should only use the Bind DN and Bind Password if you absolutely
|
||
|
need them to search the directory.
|
||
|
|
||
|
2.7.4 Cert DB Path
|
||
|
|
||
|
Specifies in which directory LDAP Auth Source should look for the certificate
|
||
|
authorities database. There should be a file named cert7.db in that directory.
|
||
|
|
||
|
2.7.5 Compare DN On Server
|
||
|
|
||
|
When set, LDAP Auth Source will use the LDAP server to compare the
|
||
|
DNs. This is the only foolproof way to compare DNs. LDAP Auth Source
|
||
|
will search the directory for the DN specified with the require dn
|
||
|
directive, then, retrieve the DN and compare it with the DN retrieved
|
||
|
from the user entry. If this directive is not set, LDAP Auth Source
|
||
|
simply does a string comparison. It is possible to get false negatives
|
||
|
with this approach, but it is much faster. Note the LDAP Auth Source cache
|
||
|
can speed up DN comparison in most situations.
|
||
|
|
||
|
2.7.6 Dereference Aliases
|
||
|
|
||
|
This directive specifies when LDAP Auth Source will de-reference
|
||
|
aliases during LDAP operations. The default is always.
|
||
|
|
||
|
2.7.7 Group Attribute is DN
|
||
|
|
||
|
When set, this directive says to use the distinguished name of the
|
||
|
client username when checking for group membership. Otherwise, the
|
||
|
username will be used. For example, assume that the client sent the
|
||
|
username tjester, which corresponds to the LDAP DN cn=The Jester,
|
||
|
o=XUF. If this directive is set, LDAP Auth Source will check if the
|
||
|
group has cn=The Jester, o=XUF as a member. If this directive is not
|
||
|
set, then LDAP Auth Source will check if the group has tjester as a
|
||
|
member.
|
||
|
|
||
|
2.7.8 Compare Cache Size
|
||
|
|
||
|
This specifies the size of the cache used to cache LDAP compare
|
||
|
operations. The default is 1024 entries. Setting it to 0 disables
|
||
|
operation caching.
|
||
|
|
||
|
2.7.9 Compare Cache TTL
|
||
|
|
||
|
Specifies the time (in seconds) that entries in the operation cache
|
||
|
remain valid. The default is 600 seconds.
|
||
|
|
||
|
2.7.10 Start TLS
|
||
|
|
||
|
If this is set to Yes, LDAP Auth Source will start a secure TLS
|
||
|
session after connecting to the LDAP server. This requires your LDAP
|
||
|
server to support TLS.
|
||
|
|
||
|
2.7.11 Require User (one per line)
|
||
|
|
||
|
The require user directive specifies what usernames can access the
|
||
|
resource. Once LDAP Auth Source has retrieved a unique DN from the
|
||
|
directory, it does an LDAP compare operation using the username
|
||
|
specified in the require user to see if that username is part of the
|
||
|
just-fetched LDAP entry. Multiple users can be granted access by
|
||
|
putting multiple usernames in the box, separated with newlines. For
|
||
|
example, with a AuthLDAPURL of ldap://ldap/o=XUF?cn (i.e., cn is used
|
||
|
for searches), the following require entries could be used to restrict
|
||
|
access: The Jester Fred User Joe Manager
|
||
|
|
||
|
Because of the way that LDAP Auth Source handles this directive, The
|
||
|
Jester could sign on as The Jester, Zen Jester or any other cn that he
|
||
|
has in his LDAP entry. Only the single require user line is needed to
|
||
|
support all values of the attribute in the user's entry.
|
||
|
|
||
|
If the uid attribute was used instead of the cn attribute in the URL
|
||
|
above, the above three lines could be;
|
||
|
|
||
|
tj
|
||
|
fred_u
|
||
|
jmanager
|
||
|
|
||
|
2.7.12 Require Group (one per line)
|
||
|
|
||
|
This directive specifies an LDAP group whose members are allowed
|
||
|
access. It takes the distinguished name of the LDAP group. For
|
||
|
example, assume that the following entry existed in the LDAP
|
||
|
directory:
|
||
|
|
||
|
dn: cn=Administrators, o=XUF
|
||
|
objectClass: groupOfUniqueNames
|
||
|
uniqueMember: cn=The Jester, o=XUF
|
||
|
uniqueMember: cn=Fred User, o=XUF
|
||
|
|
||
|
The following directive would grant access to both Fred and Jester:
|
||
|
|
||
|
require group cn=Administrators, o=XUF
|
||
|
|
||
|
Behavior of this directive is modified by the Group Attribute and
|
||
|
Group Attribute Is DN options.
|
||
|
|
||
|
2.7.13 Require DN
|
||
|
|
||
|
The require dn option allows the administrator to grant access based
|
||
|
on distinguished names. It specifies a DN that must match for access
|
||
|
to be granted. If the distinguished name that was retrieved from the
|
||
|
directory server matches the distinguished name in the require dn,
|
||
|
then authorization is granted.
|
||
|
|
||
|
The following directive would grant access to a specific DN:
|
||
|
require dn cn=The Jester, o=XUF
|
||
|
|
||
|
Behavior of this directive is modified by the Compare DN On Server option.
|
||
|
|
||
|
2.7.14 Default Manager
|
||
|
|
||
|
This allows you to specify the username of the Manager for this area.
|
||
|
The manager will still need to meet auth requirements above, but, if
|
||
|
they do they will get the 'Manager' role added to their list of roles.
|
||
|
|
||
|
2.7.15 Default Role
|
||
|
|
||
|
This is a role to be assigned to users when they auth correctly. This
|
||
|
is to differentiate them from merely being 'authenticated'.
|
||
|
|
||
|
2.7.16 Examples
|
||
|
|
||
|
* Grant access to anyone who exists in the LDAP directory, using their UID
|
||
|
for searches.
|
||
|
URL ldap://ldap1.zope.com:389/ou=People, o=XUF?uid?sub?(objectClass=*)
|
||
|
|
||
|
* The next example is similar to the previous one, but is uses the common
|
||
|
name instead of the UID. Note that this could be problematical if multiple
|
||
|
people in the directory share the same cn, because a search on cn must
|
||
|
return exactly one entry. That's why this approach is not recommended: it's
|
||
|
a better idea to choose an attribute that is guaranteed unique in your
|
||
|
directory, such as uid.
|
||
|
URL ldap://ldap.zope.com/ou=People, o=XUF?cn
|
||
|
|
||
|
* Grant access to anybody in the Administrators group. The users must
|
||
|
authenticate using their UID.
|
||
|
URL ldap://ldap.zope.com/o=XUF?uid
|
||
|
require group:
|
||
|
cn=Administrators, o=XUF
|
||
|
|
||
|
* The next example assumes that everyone at XUF who carries an
|
||
|
alphanumeric pager will have an LDAP attribute of qpagePagerID. The example
|
||
|
will grant access only to people (authenticated via their UID) who have
|
||
|
alphanumeric pagers:
|
||
|
URL: ldap://ldap.zope.com/o=XUF?uid??(qpagePagerID=*)
|
||
|
|
||
|
* The next example demonstrates the power of using filters to accomplish
|
||
|
complicated administrative requirements. Without filters, it would have
|
||
|
been necessary to create a new LDAP group and ensure that the group's
|
||
|
members remain synchronized with the pager users. This becomes trivial with
|
||
|
filters. The goal is to grant access to anyone who has a filter, plus grant
|
||
|
access to Joe Manager, who doesn't have a pager, but does need to access
|
||
|
the same resource:
|
||
|
URL ldap://ldap.zope.com/o=XUF?uid??(|(qpagePagerID=*)(uid=jmanager))
|
||
|
|
||
|
This last may look confusing at first, so it helps to evaluate what the
|
||
|
search filter will look like based on who connects, as shown below.
|
||
|
If Fred User connects as fuser, the filter would look like
|
||
|
|
||
|
(&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))
|
||
|
|
||
|
The above search will only succeed if fuser has a pager. When Joe Manager
|
||
|
connects as jmanager, the filter looks like
|
||
|
|
||
|
(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))
|
||
|
|
||
|
The above search will succeed whether jmanager has a pager or not.
|
||
|
|
||
|
|
||
|
2.8 General Items.
|
||
|
|
||
|
You can choose to use standard auth, or cookie auth, and you can
|
||
|
decide how long you want to cache the users credentials before
|
||
|
retrying.
|
||
|
|
||
|
2.8.1 Authentication Type
|
||
|
|
||
|
2.8.1.1 Standard Authentication
|
||
|
|
||
|
This method causes the browser to pop up a dialog box to ask for the
|
||
|
username and password.
|
||
|
|
||
|
2.8.1.2 Cookie Authentication
|
||
|
|
||
|
This method allows you to use a normal HTML form to get the username
|
||
|
and password from the user. It also will present the default form to
|
||
|
the user if they try to access an unauthorised area.
|
||
|
|
||
|
|
||
|
2.8.1.3 Secure Cookie based Authentication
|
||
|
|
||
|
This method, like Cookie Authentication allows you to use a HTML form
|
||
|
to get the user details. However, the cookie it uses does not contain
|
||
|
any login information. It is internally checked against a cache of
|
||
|
hashes and the information is derived from that. This cache disappears
|
||
|
if you restart Zope, so this is not a good option for people who want
|
||
|
to persistently cache logins across sessions.
|
||
|
|
||
|
|
||
|
2.8.2 Credential Cache Timeout in Seconds
|
||
|
|
||
|
exUserFolder by default caches credential information, so that the
|
||
|
authorisation source isn't hit *for every object and page* that has to
|
||
|
be fetched. For remote authentication services this can slow things
|
||
|
down quite considerably. Even setting this to a modest setting will
|
||
|
quicken response times.
|
||
|
|
||
|
Setting this too long could cause problems if you want to lock out a
|
||
|
troublesome user. The credential cache is flushed if someone provides
|
||
|
a password that doesn't match the one in the cache.
|
||
|
|
||
|
|
||
|
2.8.3 Negative Credential Cache Timeout in Seconds
|
||
|
|
||
|
exUserFolder allows you to cache login failures for users that do not
|
||
|
exist. This means you don't have to go out to your auth source when
|
||
|
you know for certain this user is never going to be able to
|
||
|
authenticate.
|
||
|
|
||
|
Due to the way some auth sources are designed, this doesn't work for
|
||
|
auth sources like SMB Auth Source that lie initially about the user
|
||
|
existing (because you can't verify the existence of a user without
|
||
|
authenticating them), and then check the credentials later.
|
||
|
|
||
|
It's possible to create a hybrid auth source that lets this work
|
||
|
correctly for auth sources that can't list the users.
|
||
|
|
||
|
|
||
|
2.8.4 Log out users who expire from cache?
|
||
|
|
||
|
If you've got caching turned on, then this will force any user who has
|
||
|
their session expire to login again. Some people like to do this.
|
||
|
|
||
|
|
||
|
2.8.5 Activate Session Tracking for anoymous users?
|
||
|
|
||
|
For any anonymous user, a new temporary user is created. This allows
|
||
|
you to set/get properties for anonymous users too. Currently
|
||
|
experimental.
|
||
|
|
||
|
|
||
|
3.0 PROPERTY SOURCES
|
||
|
|
||
|
4.0 MEMBERSHIP SOURCES
|
||
|
|
||
|
5.0 TIPS FOR THE UNWARY
|
||
|
|
||
|
Generally these things apply to Cookie Authentication models, since
|
||
|
there is additional access required to present the login form.
|
||
|
|
||
|
5.1 Too much protection.
|
||
|
|
||
|
A lot of people try to protect a folder by placing an exUserFolder
|
||
|
inside. They then change the permissions on this folder to only allow
|
||
|
Authenticated or some Local Role to have permission.
|
||
|
|
||
|
5.1.1 The problem
|
||
|
|
||
|
When you try to access the folder, instead of getting the form, you
|
||
|
get a popup box, even though you chose Cookie Authentication. Even
|
||
|
when you enter a username and password it doesn't work.
|
||
|
|
||
|
|
||
|
5.1.2 What happened
|
||
|
|
||
|
You tried to access an area you don't have access to. Zope found the
|
||
|
closest user folder to the object you were trying to access. The user
|
||
|
folder decided you were not authorised and tried to display the login
|
||
|
form. You don't have access to view the login form, so Zope finds the
|
||
|
nearest user folder to the login form, which is the user folder above
|
||
|
the protected directory. It pops up the authentication dialog. If you
|
||
|
put in a valid username and password for this top level, then lower
|
||
|
level then displays the login form.
|
||
|
|
||
|
5.1.3 Solution 1 (preferred).
|
||
|
|
||
|
Place the user folder one level *above* the folder you want to protect,
|
||
|
that is in the unprotected area. Everything should work fine.
|
||
|
|
||
|
5.1.4. Solution 2 (not so preferred).
|
||
|
|
||
|
Set the 'View' permission on the docLogin form inside the acl_users
|
||
|
folder. You can get there by Choosing 'Contents' on docLogin and
|
||
|
scrolling down to the bottom.
|
||
|
|
||
|
6.0 MISCELLANY
|
||
|
|
||
|
6.1 Adding an exUserFolder from a product.
|
||
|
|
||
|
You can add an exUserFolder from a Python product fairly easily, if
|
||
|
not a tad messily.
|
||
|
|
||
|
|
||
|
from Products.exUserFolder.exUserFolder import manage_addexUserFolder, eUserFolder
|
||
|
|
||
|
manage_addexUserFolder(authId='zodbAuthSource', propId='zodbPropSource',
|
||
|
memberId='basicMemberSource',
|
||
|
cookie_mode=1, session_length=600, REQUEST)
|
||
|
|
||
|
Obviously change authId, propId, and memberId to what you want.
|
||
|
However, you'll need to ram in the appropriate form fields for the various
|
||
|
source constructors into your REQUEST.
|
||
|
|
||
|
6.2 Session Tracking.
|
||
|
|
||
|
Session tracking (currently) relies on having the credential cache
|
||
|
active, and a property source active. Your trackable user will only
|
||
|
last as long as they are not expired from the cache. You should set
|
||
|
the cache expiry length to be somewhat longer than normal if you plan
|
||
|
to use Session Tracking, and you should also be prepared to check that
|
||
|
the current session is valid.
|