[Gsoc-students] Non-AT membrane, a new authentication scheme and ldap

Florian Friesdorf flow at mytum.de
Mon Mar 31 22:45:21 UTC 2008

As the deadline got postponed, there is time for major changes before
submitting. Any feedback is greatly welcome.


Plone's built-in authentication system uses source_users and source_groups inside
the PlonePAS_ acl_users folder to store special user and group objects and
portal_memberdata and portal_groupdata for their properties. They are not
regular plone content.

.. _PlonePAS: http://plone.org/products/plonepas


Membrane_ is a set of PAS plugins and adapters that enable Archetypes content
objects to serve as sources for users, groups and their properties. The objects
may reside anywhere inside the Plone instance, they may undergo workflow and
whatever else can be done with Plone content. There is no need anymore to treat
user/group objects specially; they can be developed and handled like every
other content. For more on this, see membrane's manifesto_.

There are two publicly available authentication schemes that use membrane:
remember_ models Plone's built-in scheme, but uses Archetypes content for storing
users and groups; b-org_ introduced a new scheme with employees as users and
departments as groups and containers for employees.

.. _membrane: http://plone.org/products/membrane
.. _manifesto: http://svn.plone.org/svn/collective/membrane/trunk/doc/MANIFESTO.txt
.. _remember: http://plone.org/products/remember
.. _b-org: http://plone.org/products/borg


PloneLDAP_ is the state of the art for LDAP integration. It provides a set of PAS
plugins that allow integrating and managing users and groups in an ldap

.. _PloneLDAP: http://plone.org/products/ploneldap


- no group in group

- only ldap users may be members of ldap groups

- LDAPMultiPlugins and LDAPUserFolder are needed to access the ldap directory


- Plone currently does not support non-AT content as sources of users and
  groups but only archetype content.

- Content-based user management is difficult to combine with LDAP
  authentication, let alone with LDAP management, and is definitely impossible
  for end-users.

- ldap integration is limited to users and groups, a lot more may be stored
  inside of ldap, e.g. email aliases or address books.

- connecting to multiple LDAP servers is not supported properly and most
  likely results in name collisions.


- a successor to membrane which is based on pure zope3 only, i.e. no archetypes

- a set of content types that reflect ldap's understanding of users and groups

- a system that allows end-users to connect plone with multiple ldap
  authentication sources and enables plone as administrative front-end for ldap
  directories in general, i.e. PloneUI not ZMI.

Targeted System
===============

The targeted system consists of 3 parts:

- z3membrane, translating plain zope3 content for PlonePAS

- a set of content types that are compatible with ldap's understanding of users
  and groups, but may be used without ldap.

- ldap synchronization handlers

z3membrane will provide interfaces for users and groups:

- IUser,

- IGroup,

marker interfaces, that indicate that some content can be adapted to IUser,
resp. IGroup:

- IUserAdaptable,

- IGroupAdaptable,

and a set of adapters that translate these for PlonePAS. portal_catalog will be
investigated as a means of keeping track of authentication related content
objects. This is also the place for caching and everything which is needed to
keep the interfaces for actual user and group content simple and easy to
implement by everybody.

The name z3membrane is a first shot - suggestions welcome.

Set of content types
====================

A set of content types that are compatible with LDAP's understanding of users
and groups is to be created. These will be based on basic types from
plone.app.form. However, they will not be dependent on it, but are meant to be
easily factored out for plain Zope applications. Further, they are meant to be
generic enough to survive into a post-PAS era.

- Realm: A realm or domain represents a namespace for users and groups defined
  inside of it.

- User folder: A realm contains a user folder, which holds its user objects.

- Group folder: A realm contains a group folder, which holds its group objects.

- User: A user object represents a user and holds all data of the user, at least
  the part stored inside of Plone.

- Group: A group object represents a group and holds all data of the group, at
  least the part stored inside of Plone. Groups as well as users from any realm
  may be members of a group.

Each object may be enabled/disabled for authentication within the current Plone
site. Adapters may be used to translate from object names inside of the realm to
Plone names, e.g. user adam in realm zittel might become adam@zittel or
user-adam@zittel.

LDAP synchronization
====================

ldap objects are described by objectClasses, which are defined in ldap schemas.
zope objects are described by interfaces.
For each content type listed above, an adapter will be provided to translate
to/from a corresponding ldap object, e.g.:

- realm: foo.bar -> dc=foo,dc=bar

- user folder: -> ou=people,dc=foo,dc=bar

Groups will be translated to groupOfNames-style LDAP groups, as they support
groups in groups; posixGroups may be supported by additional adapters.
Default LDAP schemas will be used as far as possible and sane; new LDAP schemas
will be created as necessary. Propagation of changes to LDAP may be toggled per
object/folder/realm. The data stored inside Plone will always be taken as
up-to-date. Changes from LDAP need to be pulled manually, e.g. by an update
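
The following is an added example, not code from this proposal nor from
membrane, b-org or PloneLDAP: a plain-Python sketch of the realm/user folder/
group folder/user/group content types described above, of the name adapter that
turns a realm-local id into a site-wide one (adam in realm zittel becomes
adam@zittel), and of the translation to LDAP DNs and entries (realm foo.bar to
dc=foo,dc=bar, the user folder to ou=people, groups to groupOfNames with
members from any realm, propagation toggled per realm). The class and function
names, the inetOrgPerson choice for users and the ou=groups container are this
example's own assumptions. The one check to take from it is escape_dn_value():
every name that comes from editable Plone content is escaped per RFC 4514
before it is spliced into a DN, so a user id such as "adam,ou=admins" stays a
literal value instead of rewriting the DN.

```python
from dataclasses import dataclass, field

# RFC 4514, section 2.4: characters that must be escaped inside a DN attribute
# value. Every name coming from Plone content goes through escape_dn_value()
# before it is spliced into a DN.
_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    if not value:
        raise ValueError("empty DN attribute value")
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):       # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

@dataclass
class Realm:
    """Namespace for users and groups; 'foo.bar' becomes dc=foo,dc=bar."""
    name: str
    users: dict = field(default_factory=dict)   # user folder:  uid -> User
    groups: dict = field(default_factory=dict)  # group folder: cn  -> Group
    sync_to_ldap: bool = True                   # propagation toggle (per realm)

@dataclass
class User:
    realm: Realm
    uid: str
    cn: str
    sn: str
    mail: str = ""

@dataclass
class Group:
    realm: Realm
    name: str
    members: list = field(default_factory=list)  # Users or Groups, any realm

def plone_name(obj) -> str:
    """Name adapter: realm-local id -> site-wide id, e.g. adam@zittel."""
    local = obj.uid if isinstance(obj, User) else obj.name
    return f"{local}@{obj.realm.name}"

def realm_dn(realm: Realm) -> str:
    return ",".join("dc=" + escape_dn_value(p) for p in realm.name.split("."))

def folder_dn(realm: Realm, ou: str) -> str:
    return f"ou={ou},{realm_dn(realm)}"        # ou=people / ou=groups (assumed)

def user_dn(user: User) -> str:
    return f"uid={escape_dn_value(user.uid)},{folder_dn(user.realm, 'people')}"

def group_dn(group: Group) -> str:
    return f"cn={escape_dn_value(group.name)},{folder_dn(group.realm, 'groups')}"

def user_entry(user: User) -> dict:
    """inetOrgPerson entry; cn and sn are MUST attributes of that class."""
    entry = {"dn": user_dn(user), "objectClass": ["inetOrgPerson"],
             "uid": [user.uid], "cn": [user.cn], "sn": [user.sn]}
    if user.mail:
        entry["mail"] = [user.mail]
    return entry

def group_entry(group: Group) -> dict:
    """groupOfNames entry; members may be users or groups from any realm."""
    if not group.members:
        # 'member' is a MUST attribute of groupOfNames, so an empty group
        # cannot be written as-is; refuse instead of emitting an invalid entry.
        raise ValueError(f"group {group.name!r} has no members")
    member_dns = [user_dn(m) if isinstance(m, User) else group_dn(m)
                  for m in group.members]
    return {"dn": group_dn(group), "objectClass": ["groupOfNames"],
            "cn": [group.name], "member": member_dns}

def export_realm(realm: Realm) -> list:
    """Entries to push to LDAP; nothing when propagation is switched off."""
    if not realm.sync_to_ldap:
        return []
    return ([user_entry(u) for u in realm.users.values()]
            + [group_entry(g) for g in realm.groups.values()])

def build_sample():
    """Constructed sample data: two realms and a cross-realm, nested group."""
    foobar, zittel = Realm("foo.bar"), Realm("zittel")
    adam = User(zittel, "adam", "Adam Zittel", "Zittel", "adam@zittel.example")
    eve = User(foobar, "eve", "Eve Example", "Example")
    zittel.users[adam.uid], foobar.users[eve.uid] = adam, eve
    devs = Group(foobar, "devs", [eve])
    staff = Group(foobar, "staff", [adam, devs])  # foreign user + nested group
    foobar.groups.update(devs=devs, staff=staff)
    return foobar, zittel, adam, staff
```

Calling export_realm(build_sample()[0]) yields the inetOrgPerson entry for eve
and two groupOfNames entries; the staff group's member list contains
uid=adam,ou=people,dc=zittel (a user from another realm) next to
cn=devs,ou=groups,dc=foo,dc=bar (a nested group). A realm whose sync_to_ldap
flag is off exports nothing, which is the per-realm propagation toggle; the
per-object and per-folder toggles would be added the same way.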

Possible future work
====================

Future work that is outside the scope of this project:

- merge current membrane with z3membrane, e.g. as an adapter for archetype content

- support pushing changes from ldap to plone, e.g. by listening on a socket and
  using slurpd and openldap's shell backend.

- More versatile sync modes

- support for posixGroups

- Adoption of the synchronization scheme for further external
  (non-authentication) sources

About Me
========

- >10 years Linux system administration (OpenLDAP for mail and
  authentication), as a freelancer and as a volunteer in the student union

- 5 years plone: usage, installation, maintenance, some archetypes development.

- 4 years python coding

- participated in Rocky's Zope 3 Training and the Naples sprint (getpaid) and
  read Philipp's and Martin's books, understood what I read and liked a lot what
  I learned, above all: the component registry and test-driven development

- unsatisfied with Plone's LDAP integration ever since and have given the "how it
  could/should be" a lot of thought.

- read the source of membrane, b-org, PAS, PlonePAS and PloneLDAP: my project
  seems to be needed and seems to be the next logical step

- graduated in May 2007, Dipl.-Ing. Electronic Engineering, Munich University of
  Technology (TUM), diploma thesis: development and deployment methodology for
  workflow management in complex work environments centered around Plone, soon
  to be published in *Journal of Human Factors and Ergonomics in Manufacturing*

- started doctoral thesis right afterwards at institute of ergonomics (TUM):
  Methodology for system-ergonomic design and development of cognitive
  assistance for complex work environments, still centered around plone.
  Easy and flexible user management and integration of Plone into heterogeneous
  IT environments are key points.

- enthusiastic, motivated, skilled