On Tue, 2002-04-02 at 15:37, Jens Vagelpohl wrote:
you need to follow your steps 1, 2, 3 and 4, but not 5.
steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.
you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly.
Whoah there, now you're asking for too much -;^>=
So basically I recreate (within Zope) any LDAP groups that I want to use, but the assignment of users to those groups will still be driven through LDAP.
I feel much better now... Thanks for the quick answer, I was just working on an LDIF export. Talk about timeliness!

--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
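A check that follows from the explanation in this thread, as an added example that is not part of the original messages or of LDAPUserFolder's code: it reads an LDIF export of groups and lists the group names that have no same-named Zope role, which per the explanation above carry no permissions. It assumes groups are `groupOfUniqueNames` entries whose `cn` is the role name; the sample LDIF and the role list passed in are constructed.

```python
import base64

# Constructed sample LDIF (not from the thread): one folded line, one base64 cn.
SAMPLE_LDIF = """\
dn: cn=Editors,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Editors
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,
 dc=com

dn: cn=Auditors,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn:: QXVkaXRvcnM=
uniqueMember: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):      # skip LDIF comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: ..." is base64-encoded
                value = base64.b64decode(value[1:]).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def roles_by_user(entries):
    """Map each member DN to the group names it would carry as roles."""
    roles = {}
    for e in entries:
        for member in e.get("uniquemember", []):
            roles.setdefault(member, set()).update(e.get("cn", []))
    return roles

def undefined_roles(entries, zope_roles):
    """Group names with no same-named Zope role (exact string comparison)."""
    names = {cn for e in entries for cn in e.get("cn", [])}
    return sorted(names - set(zope_roles))
```

Pass the role names actually defined in the Zope folder as `zope_roles`; anything returned by `undefined_roles` is a group whose members would log in without the permissions the group was meant to grant.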