[Fle3-dev] Rethinking Fle3 user accounts


From: Tarmo Toikkanen
Subject: [Fle3-dev] Rethinking Fle3 user accounts
Date: Fri May 10 09:03:01 2002

The following is quoted from bug #386, which I posted a few days ago:

When a valid Zope user tries to enter Fle3, but he doesn't have a valid Fle account, he gets an error message (naturally, since he doesn't have a webtop, where he's being redirected).

Something should be done - either a clean error message or the creation of a user account. This will become a major issue when external LDAP authentication is used. Ideas?

Petri Savolainen added a follow-up with some interesting ideas.

Follow-up Comments

What exactly does "fle account" comprise? While seemingly a very nice, polished product overall, it is true the FLE user management is a bit annoyingly single-minded currently :-) It seems one cannot even copy/paste fle users using ZMI, use outside ("above FLE folder") auth etc.

You're absolutely right in that Fle handles users quite badly and this has been a known issue for some time. We're planning on implementing LDAP support for Fle3, but that's still in the planning stages. Anyway, we will either have to use a custom acl_users folder that does LDAP, or (probably a better solution) delegate authentication to a higher level acl_users folder.

Currently the FLE folder contains both a normal acl_users, as well as our own custom fle_users folder (which is of class UserManager). acl_users contains authentication information and fle_users contains all the other information shown in the user interface. This solution is a bit awkward, but has worked so far.

How about delegating authentication to whatever auth mechanism is used "above" FLE and just creating user webtops for authenticated users as they come in first time?

And this is exactly what we'll need to do and I don't think there are any major problems with this approach.

(BTW, I have been using Extensible User Folder and it works ok at least for me. The nice thing is you can very simply add per-user properties, plug in various forms of external auth etc. Other alternatives do exist of course as well.)

Completely reworking our users' information into an EUF might be a solution, but I haven't yet checked that product out. If Petri or someone else has any experience with it, I'd like to hear about it. Specifically, can an EUF user contain folders inside it, which other users also have access to? This is needed for webtops. Alternatively, webtops can be implemented in another subfolder.

For LDAP (or any external authentication scheme), we need to do something and apparently we can either liberate acl_users from FLE's clutch ;) or try to use EUF. For external authentication I preliminarily think that using an independent acl_users folder might be the better solution and we just implement all the fle-specific details and webtops somewhere else.

--
Tarmo Toikkanen
http://www.iki.fi/tarmo/
Media Lab, UIAH Helsinki
http://www.mlab.uiah.fi
Fle3 learning environment
http://fle3.uiah.fi
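
The approach discussed in the message above (authentication delegated to a user folder above the FLE folder, with the FLE profile and webtop created on the first authenticated entry), as a small Python model. This is an added illustration, not Fle3 or Zope code: the classes `UserFolder`, `Folder` and `FleFolder`, the `enter` method and the profile layout are hypothetical, and the credentials are constructed sample data.

```python
import hmac

class UserFolder:
    """Stand-in for acl_users (or an LDAP-backed folder): credentials only."""
    def __init__(self, credentials):
        self._credentials = dict(credentials)  # constructed sample data

    def authenticate(self, name, secret):
        stored = self._credentials.get(name)
        if stored is None:
            return None
        ok = hmac.compare_digest(stored.encode(), secret.encode())
        return name if ok else None

class Folder:
    def __init__(self, parent=None, acl_users=None):
        self.parent, self.acl_users = parent, acl_users

    def authenticate(self, name, secret):
        """Try the nearest user folder, then each one higher up."""
        folder = self
        while folder is not None:
            if folder.acl_users is not None:
                user = folder.acl_users.authenticate(name, secret)
                if user is not None:
                    return user
            folder = folder.parent
        return None

class FleFolder(Folder):
    """Holds no credentials, only FLE-specific profiles and webtops."""
    def __init__(self, parent):
        super().__init__(parent=parent)
        self.fle_users = {}  # user id -> profile; hypothetical layout

    def enter(self, name, secret):
        user = self.authenticate(name, secret)
        if user is None:
            raise PermissionError("authentication failed")  # nothing provisioned
        # First authenticated visit creates the profile and webtop, so the
        # redirect to the webtop no longer fails; later visits reuse it.
        return self.fle_users.setdefault(user, {"owner": user, "webtop": []})

def demo():
    root = Folder(acl_users=UserFolder({"petri": "s3cret"}))  # constructed
    fle = FleFolder(parent=root)
    first = fle.enter("petri", "s3cret")
    first["webtop"].append("course notes")
    return fle, first, fle.enter("petri", "s3cret")
```

Provisioning happens only after the upstream folder has returned an identity, so a failed or unknown login never leaves an account record behind.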


