
Monday, January 29, 2007

Zope Pluggable Auth Service - Adding Users to Groups

There is very little documentation on the Pluggable Auth Service (PAS), which has replaced the old-style UserFolders in Zope 2.9, so I wanted to write up a how-to on getting PAS acl_users folders to act like UserFolders in both Zope and Plone.

ZOPE PAS:

In Zope 2.9/Plone 2.5 the UserFolder has been replaced with PlonePAS. The following image shows the contents of the acl_users folder for a Plone site which was upgraded from Plone 2.0 to Plone 2.5:

[Image: Zope PAS directory listing]

The important objects for UserFolder-like authentication are the “ZODB Role Manager” and “ZODB User Manager” objects. Let’s create a user first:

Add ZODB User Manager:

1. Add a ZODB User Manager object from the drop-down menu, and give it a name (i.e. “user”).

2. Click on the new “user” object.

3. Choose the “Activate” tab from the top menu.

4. Click the checkboxes for “Authentication”, “User_Enumeration”, and “User_Adder”, and click “update”. (This activates the ZODB User Manager object).

Add ZODB Role Manager:

1. Add a ZODB Role Manager object from the drop-down menu, and give it a name (i.e. “groups”).

2. Click on the new “groups” object.

3. Choose the “Activate” tab from the top menu.

4. Click the checkboxes for “Roles”, “Role_Enumeration”, and “Role_Assigner”, and click “update”. (This activates the ZODB Role Manager object).

Add User:

1. Click on “user”.

2. Click on (Add a User).

3. Fill in the User ID, Login name, Password, and Confirm Password fields and click “Add User”.

(NOTE: Make sure that you fill in the Login name field, as this will be set as the username for the user.)

4. Now click on the “acl_users” hyperlink on the breadcrumb trail at the top of the screen, and you should return to the screen that you see above.

Add User To Group:

Next, we want to add our user to the Zope Manager role:

1. Click on “groups”.

2. Click on the “?” under Assignments for the Manager role.

3. Search for the username by using the Principal ID form, which will populate the “Available” users form with usernames matching your search criteria.

4. Highlight the appropriate username in the “Available” form field and click the right arrow to make that username an “Active” member of the Administrators role.

5. Open a new browser (or close your current browser and all browser windows), and try to log in to your Plone site with the new user.

PLONEPAS:

In Zope 2.9/Plone 2.5 the GRUF has been replaced with PlonePAS. The following image shows the contents of the acl_users folder for a Plone site which was upgraded from Plone 2.0 to Plone 2.5:

[Image: Plone PAS directory listing]

The important objects for UserFolder-like authentication are the “source_groups” and “source_users” objects. Let’s create a user first:

Add User:

1. Click on source_users.

2. Click on (Add a User).

3. Fill in the User ID, Login name, Password, and Confirm Password fields and click “Add User”.

(NOTE: Make sure that you fill in the Login name field, as this will be set as the username for the user.)

4. Now click on the “acl_users” hyperlink on the breadcrumb trail at the top of the screen, and you should return to the screen that you see above.

Add User To Group:

Next, we want to add our user to the Plone Administrators role:

1. Click on source_groups.

2. Click on the “?” under Assignments for the Administrators role.

3. Search for the username by using the Principal ID form, which will populate the “Available” users form with usernames matching your search criteria.

4. Highlight the appropriate username in the “Available” form field and click the right arrow to make that username an “Active” member of the Administrators role.

5. Open a new browser (or close your current browser and all browser windows), and try to log in to your Plone site with the new user.

Simple stuff, but a real pain without documentation. I didn’t realize that I needed to search for “Available” users before I could see the usernames in the “Available” form field, so was clicking on “Activate” for every object that I could find… It wasn’t until later that I learned that “Activate” actually activated the authentication plugin, not the user or group itself… :(
