Hi Jens,
why is that code no longer referring to the real userfolder anymore? it should not make calls to authorize/identify/authorize on "self" but on the LDAPUserFolder it is using as the user source.
self.identify() should be the same as if getLUF().identify() since LDAPUserFolder and LDAPRoleTwiddler both inherited this from BasicUserFolder. self.authenticate() does a self.getUser() which refers to getLUF().getUser() and does twiddling in one step and return the right user-object which the API would expect. I think that self.authorize(user,...) is better than self.getLUF().authorize(user,...) because the authorize does the following in 1st line: def authorize(self, user,... ): (inherited from BasicUserFolder) user = getattr(user, 'aq_base', user).__of__(self) this would be different for self.authorize, where self would be the LRT and self.getLUF().authorize() where self would be the LUF. The user is seen in 2 different contexts by .__of__(self) . Maybe I'm think too complicated, Your opinion ? Regards, Dirk