In article <3D33B35D.18DBD26D@nipltd.com> you write:
If I replace the root userfolder of a ZODB with an LDAP User Folder, will I still be able to grant local roles to users defined in that user folder in certain parts of the tree?
Sure, why not? It's just a User Folder.
The idea here is that in a CMS, you want some people to only be able to maintain content in certain areas of the site. Am I correct in assuming that the 'official' way of doing this in Zope is to give those users an anonymous role at the root of the ZODB and then give them local roles appropriate to a content maintainer in the folders where they're allowed to maintain content?
If so, how would one go about giving a group of people that content maintaining role in an area of a site? Hmmm, I guess if I could grant a 'role' the local role in those areas then I could get what I'm after.
Yes. Have a "ContentMaintainer" role which you give to your users only locally.
Would NuxUSerGroups help in this area at all?
It depends, see the use cases on its page. If you have a simple setup like described above they're probably not needed.
Do they work with LDAPUserFolder?
No, LDAPUserFolder is not aware of groups. Makina-Corpus however did a patch for an older version of LDAPUserFolder, which I still haven't gotten around to updating and integrating in the NuxUserGroups distribution. see http://www.makinacorpus.org/index.php/zope/ldapusergroups Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com