[Fle3-dev] Rethinking Fle3 user accounts
From: Tarmo Toikkanen
Subject: [Fle3-dev] Rethinking Fle3 user accounts
Date: Fri May 10 09:03:01 2002

The following is quoted from bug #386, which I posted a few days ago:

> When a valid Zope user tries to enter Fle3, but he doesn't have a
> valid Fle account, he gets an error message (naturally, since he
> doesn't have a webtop, where he's being redirected).
> Something should be done - either a clean error message or the
> creation of a user account. This will become a major issue when
> external LDAP authentication is used. Ideas?

Petri Savolainen added a follow-up with some interesting ideas.

Follow-up Comments

> What exactly does "fle account" comprise? While seemingly a very
> nice, polished product overall, it is true the FLE user management is
> a bit annoyingly single-minded currently :-) It seems one cannot even
> copy/paste fle users using ZMI, use outside ("above FLE folder") auth
> etc.

You're absolutely right in that Fle handles users quite badly and this
has been a known issue for some time. We're planning on implementing
LDAP support for Fle3, but that's still in the planning stages. Anyway, we
will either have to use a custom acl_users folder that does LDAP, or
(probably the better solution) delegate authentication to a higher level
acl_users folder.
Currently the FLE folder contains both a normal acl_users, as well as
our own custom fle_users folder (which is of class UserManager).
acl_users contains authentication information and fle_users contains
all the other information shown in the user interface. This solution is
a bit awkward, but has worked so far.

> How about delegating authentication to whatever auth mechanism is
> used "above" FLE and just creating user webtops for authenticated
> users as they come in first time?

And this is exactly what we'll need to do and I don't think there are
any major problems with this approach.

> (BTW, I have been using Extensible User Folder and it works ok at
> least for me. The nice thing is you can very simply add per-user
> properties, plug in various forms of external auth etc. Other
> alternatives do exist of course as well.)

Completely reworking our users' information into an EUF might be a
solution, but I haven't yet checked that product out. If Petri or
someone else has any experience with it, I'd like to hear about it.
Specifically, can an EUF user contain folders inside it, which other
users also have access to? This is needed for webtops. Alternatively,
webtops can be implemented in another subfolder.
For LDAP (or any external authentication scheme), we need to do
something and apparently we can either liberate acl_users from FLE's
clutch ;) or try to use EUF. For external authentication I preliminarily
think that using an independent acl_users folder might be the better
solution and we just implement all the Fle-specific details and webtops
somewhere else.
--
Tarmo Toikkanen
http://www.iki.fi/tarmo/
Media Lab, UIAH Helsinki
http://www.mlab.uiah.fi
Fle3 learning environment
http://fle3.uiah.fi
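
The first-login webtop creation discussed in the message above, as an added example that is not part of the original post and is not Fle3 or Zope code. It is a plain-Python model in which every class and method name is hypothetical, and it assumes the higher-level user folder hands over the id of a user it has already authenticated.

```python
# Added example: a plain-Python model, not Fle3 or Zope code.
# Every class and method name here is hypothetical.
from dataclasses import dataclass, field


class NotAuthenticated(Exception):
    """The upstream user folder did not vouch for this request."""


@dataclass
class Webtop:
    owner: str
    readers: set = field(default_factory=set)  # other users granted access


@dataclass
class FleUserData:
    """Holds Fle-specific data only; credentials stay in the upstream folder."""
    webtops: dict = field(default_factory=dict)

    def enter(self, upstream_user):
        """Return (webtop, created) for a user the upstream folder authenticated.

        upstream_user is the id the higher-level folder returned after it
        checked credentials (LDAP or otherwise); None means anonymous.
        """
        if not upstream_user or not upstream_user.strip():
            raise NotAuthenticated("no authenticated user from upstream folder")
        # Assumption: upstream ids compare case-insensitively, so normalise
        # before lookup to avoid a second webtop for "Tarmo" vs "tarmo".
        uid = upstream_user.strip().lower()
        created = uid not in self.webtops
        if created:
            self.webtops[uid] = Webtop(owner=uid)
        return self.webtops[uid], created

    def can_read(self, owner, reader):
        """Webtops live outside the user record, so sharing is a plain ACL check."""
        top = self.webtops.get(owner.strip().lower())
        return top is not None and (reader == top.owner or reader in top.readers)
```

Provisioning happens only after the upstream folder has authenticated the user, and a repeat visit returns the existing webtop instead of creating a second one.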