Secure Controller not working with ldap demo code

Asked by abhi@littlewiki.in

I used the demo example given with the ldap plugin and then I wrote a simple secure controller like this:

from tg import expose, require
from repoze.what.predicates import not_anonymous

# BaseController comes from the project's own lib/base.py (TG2 quickstart)
class SecureController(BaseController):

    # Controller-wide predicate: every action needs an authenticated user
    allow_only = not_anonymous(msg='')

    @expose('json')
    @require(is_a_manager())   # per-action predicate, defined below
    def check(self):
        return 'Inside'

and my predicate is:

from repoze.what.predicates import Predicate

class is_a_manager(Predicate):
    message = 'You do not have enough privileges to access this resource'

    def evaluate(self, environ, credentials):
        # repoze.what passes the WSGI environ in; the LDAP attributes that the
        # mdprovider collected live under the repoze.who identity.
        identity = environ.get('repoze.who.identity') or {}
        # Deny unless the attribute is present and contains "manage".
        if "manage" not in (identity.get("x-PrivilegeName") or []):
            self.unmet()

Now :

Every time I navigate to /about, log in and then navigate to this URL (/secc/check), it returns a login page and the log says:
"2010-04-20 20:25:51,430 Authorization denied: The current user must have been authenticated" but the user has already been authenticated in the first step. This does not happen if I remove the "allow_only = not_anonymous(msg='')" in the secure controller.

Any ideas why ?

Question information

Language: English
Status: Solved
For: repoze.who LDAP plugin
Assignee: Gustavo Narea
Solved by: abhi@littlewiki.in
Gustavo Narea (gnarea) said:
#1

Hello,

That sounds really strange and I cannot reproduce it. :/

What version of repoze.who are you using? repoze.who 2.0 isn't supported yet.

Can you please also post all the relevant output you get in your terminal, starting with the initial/successful authentication?

 - Gustavo.

abhi@littlewiki.in (spice.abhi) said:
#2

Hi,

The demo code wraps the TG2 middleware with who only and not what. The predicate checks for authorization also and hence it was failing. This is what I did to fix it.

import logging
import sys

from repoze.who.interfaces import IIdentifier, IChallenger
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.form import FormPlugin
from repoze.who.plugins.ldap import LDAPAuthenticatorPlugin, LDAPAttributesPlugin
# Using the default repoze.who classifiers:
from repoze.who.classifiers import default_request_classifier, \
                                    default_challenge_decider
# setup_auth() is repoze.what's: it stacks the repoze.what metadata provider
# on top of the repoze.who plugins configured below
from repoze.what.middleware import setup_auth

# Configuring the plugins
ldap_auth = LDAPAuthenticatorPlugin('ldap://testing.example.pvt',
                                    'ou=people,dc=example,dc=com')
ldap_attributes = LDAPAttributesPlugin('ldap://testing.example.pvt')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = FormPlugin('__do_login', rememberer_name='auth_tkt')
form.classifications = {IIdentifier: ['browser'],
                        IChallenger: ['browser']}  # only for browser
identifiers = [('form', form), ('auth_tkt', auth_tkt)]
authenticators = [('ldap_auth', ldap_auth)]
challengers = [('form', form)]
mdproviders = [('ldap_attributes', ldap_attributes)]

def make_app(global_conf, full_stack=True, **app_conf):
    # make_base_app is the TG2 quickstart factory from the project's
    # config/middleware.py
    base_app = make_base_app(global_conf, full_stack=full_stack, **app_conf)
    # Wrap your base TurboGears app with custom middleware
    app_with_auth = setup_auth(base_app, None, None,  # No groups & permissions
                               identifiers=identifiers,
                               authenticators=authenticators,
                               challengers=challengers,
                               mdproviders=mdproviders,
                               classifier=default_request_classifier,
                               challenge_decider=default_challenge_decider,
                               log_level=logging.DEBUG,  # a level, not logging.debug()
                               log_stream=sys.stdout
                               )
    return app_with_auth

After this I was able to use the predicates for my controller. But I am unable to do the same using the who.ini method which I prefer over the programmatic way.
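The failure described in this thread, as an added stand-alone example that is not code from the thread or from the repoze.what project: a dependency-free stand-in that emulates the shape of repoze.what's predicate API (`evaluate`, `unmet`, `check_authorization`) and of its metadata provider, so the script runs without repoze.who or repoze.what installed. The environ keys `repoze.who.identity` and `repoze.what.credentials` are the ones the real middlewares use; the user id, privilege values and the `is_met` helper are constructed for the example. It shows why `not_anonymous` denies a logged-in user under a who-only stack (no `repoze.what.credentials` key ever gets populated) while the custom predicate, which reads the who identity directly, still passes, and why both pass once the what layer is present.

```python
# Added example, not part of the original thread. Emulates the repoze.what
# predicate mechanics; nothing here is the real library code.

class NotAuthorizedError(Exception):
    """Stand-in for repoze.what's NotAuthorizedError."""


class Predicate(object):
    message = 'Access denied'

    def __init__(self, msg=None):
        if msg is not None:
            self.message = msg

    def unmet(self):
        raise NotAuthorizedError(self.message)

    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def check_authorization(self, environ):
        # As in repoze.what: credentials come from the key that the
        # repoze.what middleware populates; a who-only stack never sets it.
        credentials = environ.get('repoze.what.credentials', {})
        self.evaluate(environ, credentials)

    def is_met(self, environ):
        """Constructed helper: True if the predicate does not raise."""
        try:
            self.check_authorization(environ)
        except NotAuthorizedError:
            return False
        return True


class not_anonymous(Predicate):
    message = 'The current user must have been authenticated'

    def evaluate(self, environ, credentials):
        if not credentials:
            self.unmet()


class is_a_manager(Predicate):
    message = 'You do not have enough privileges to access this resource'

    def evaluate(self, environ, credentials):
        # Reads the LDAP attributes straight from the who identity, like the
        # predicate in the question, but fails closed when they are missing.
        identity = environ.get('repoze.who.identity') or {}
        if 'manage' not in (identity.get('x-PrivilegeName') or []):
            self.unmet()


def who_only_environ(userid, privileges):
    """Environ as left by a repoze.who-only stack (constructed sample)."""
    return {'repoze.who.identity': {'repoze.who.userid': userid,
                                    'x-PrivilegeName': list(privileges)}}


def add_what_credentials(environ):
    """Emulates what repoze.what's metadata provider adds on top of who."""
    identity = environ.get('repoze.who.identity')
    if identity:
        environ['repoze.what.credentials'] = {
            'repoze.what.userid': identity['repoze.who.userid'],
            'groups': (),
            'permissions': (),
        }
    return environ


def check_access(environ):
    """(allow_only met?, @require met?) for the SecureController above."""
    return (not_anonymous(msg='').is_met(environ),
            is_a_manager().is_met(environ))


if __name__ == '__main__':
    env = who_only_environ('abhi', ['manage'])
    print('who only:    ', check_access(env))   # (False, True)
    print('who + what:  ', check_access(add_what_credentials(env)))  # (True, True)
```

The first line of output is the symptom from the question: the controller-wide `not_anonymous` fails even though the user is identified, because it never looks at `repoze.who.identity`, only at the credentials dict that the what layer derives from it. Removing `allow_only` hides the problem; wrapping with `setup_auth` fixes it.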

abhi@littlewiki.in (spice.abhi) said:
#3

Closing the question.