Hi,

I just found that the group mapping isn't working for our LDAP. I tried with LDAPUserFolder 2.4beta2 and CookieCrumbler 1-1. I could authenticate myself against the LDAP, search some users, and I could also see the groups, but the group mapping (on the groups tab) didn't work.

This is what I have:

1) We have an extra attribute for the LDAP Schema:

    LDAP Attribute Name: ou
    Friendly Name: group
    Multi-valued: Yes

This attribute gives us a list of groups to which a user belongs. The rest of the configuration for the LDAP is quite normal:

    Login Name Attribute: uid
    RDN Attribute: uid
    Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
    Scope: SUBTREE
    Group storage: Groups stored on LDAP server
    Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
    Password: xxxxxx
    Manager DN Usage: Always
    Read-only checked
    User password encryption: SSHA
    Default User Roles: LDAP=Anonymous
    LDAP Servers: my_ldap.mydomain.com, port: 636, LDAP over SSL

2) Group mapping on the LDAPUserFolder's "groups" tab:

    "foo_group" maps to zope role "Manager"

3) Tried the following PageTemplate to authenticate myself on the LDAP (it prints the roles I have over the request):

    User: <p tal:replace="python:user.getUserName()"></p><br>
    Roles: <p tal:replace="python:user.getRolesInContext(here)"></p><br>
    <p tal:condition="python:user.getUserName()=='Anonymous User'">
      you aren't logged in
    </p>
    <span tal:condition="python:user.getUserName()=='Anonymous User'">
      <span tal:condition="python:request.has_key('firstTime')">
        <h1>Login error</h1>
        <br><br>
        This user name isn't valid.<br>
        Perhaps your browser doesn't has cookies enabled.
        <br><br>
      </span>
      <span tal:condition="python:not request.has_key('firstTime')">
        <h1>
          For the following pages you need to login.
        </h1>
      </span>
      <table>
        <tr>
          <td>
            <form method="post" name="loginForm" action="some_url"
                  tal:attributes="action python:request.URL0">
              <input type="hidden" name="firstTime" value="0">
              <table cellspacing="10">
                <tr>
                  <td align="left" valign="top" width="170">
                    <font face="verdana"><strong>login:</strong></font>
                  </td>
                  <td align="left" valign="top">
                    <input type="TEXT" name="__ac_name" size="20" class="text" value=""
                           tal:attributes="value python:request.get('__ac_name','')">
                  </td>
                </tr>
                <tr>
                  <td align="left" valign="top">
                    <font face="verdana"><strong>password:</strong></font>
                  </td>
                  <td align="left" valign="top">
                    <input type="PASSWORD" name="__ac_password" size="20" class="text">
                  </td>
                </tr>
                <tr>
                  <td align="right" colspan="2">
                    <input type="submit" value=" Login " class="button">
                  </td>
                </tr>
              </table>
            </form>
          </td>
          <td>
            <p>
              Login problems?<br>
              Perhaps your browser has cookies disabled
            </p>
          </td>
        </tr>
      </table>
    </span>

I can authenticate myself against the LDAP, but what I get when printing the roles is:

    User: my_login_name
    Roles: ['Anonymous', 'Authenticated']

"my_login_name" belongs to the foo_group and other groups as well, but it doesn't get the 'Manager' role as expected.

Then, I found that line 333 of LDAPUserFolder.py (method _lookupuserbyattr):

    groups = list(self.getGroups(dn=dn, attr='cn', pwd=user_pwd))

doesn't return any group for this user, so I replaced it with:

    groups = user_attrs.get('ou',None)
    if groups==None:
        groups = list(self.getGroups(dn=dn, attr='cn', pwd=user_pwd))

and now it works. I think this is possible in our case because of the additional "ou" attribute, but would it work on other configurations?

Is this only happening to me, or is it a bug?

Regards,
Josef
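
The fallback described in the message, as an added stand-alone example (not part of the original message and not LDAPUserFolder's code): group names are taken from a multi-valued attribute on the user entry, the group search is used only when that attribute yields nothing, and the result is mapped to roles. It goes slightly beyond the posted change by treating an empty attribute like a missing one and by accepting a bare single value. The function names, the `search_groups` callable and the sample entries are assumptions constructed for illustration.

```python
# Added illustration; all names here are hypothetical, not LDAPUserFolder's API.

def groups_for_user(user_attrs, search_groups, membership_attr="ou"):
    """Return the user's group names.

    Prefer the multi-valued attribute on the user entry (the 'ou' attribute
    in the message); fall back to the directory group search when that
    attribute is missing or empty.
    """
    values = user_attrs.get(membership_attr)
    if isinstance(values, (str, bytes)):      # single value returned bare
        values = [values]
    groups = [v.decode() if isinstance(v, bytes) else v for v in values or []]
    groups = [g.strip() for g in groups if g and g.strip()]
    if not groups:
        groups = list(search_groups())
    return groups


def roles_for_user(groups, group_map, default_roles=("Anonymous",)):
    """Map group names to roles; a group without a mapping grants nothing."""
    roles = list(default_roles)
    for group in groups:
        role = group_map.get(group)
        if role and role not in roles:
            roles.append(role)
    return roles


# Constructed sample data mirroring the configuration in the message.
GROUP_MAP = {"foo_group": "Manager"}
USER_WITH_OU = {"uid": ["my_login_name"], "ou": ["foo_group", "other_group"]}
USER_WITHOUT_OU = {"uid": ["someone_else"]}


def no_groups_found():
    """Stand-in for a group search that returns nothing, as reported above."""
    return []


def demo():
    with_attr = roles_for_user(
        groups_for_user(USER_WITH_OU, no_groups_found), GROUP_MAP)
    without_attr = roles_for_user(
        groups_for_user(USER_WITHOUT_OU, no_groups_found), GROUP_MAP)
    return with_attr, without_attr


if __name__ == "__main__":
    print(demo())
```

Roles derived this way are only as trustworthy as the write access control on the membership attribute, so the directory ACLs should prevent users from modifying it on their own entries.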