Could you create a central user folder (in root) and then create an external method which queries all of the LDAP branches and returns the appropriate local roles to the central user folder when the user logs in? This way you get a central user folder and can keep all your existing LDAP branches. Just a thought.

Jonathan

----- Original Message -----
From: "bruno modulix" <bruno@modulix.org>
To: "Julien Anguenot" <ja@nuxeo.com>
Cc: <zope@zope.org>
Sent: Tuesday, September 27, 2005 7:23 AM
Subject: Re: [Zope] Aquisition, UserFolder and security
> Julien Anguenot wrote:
>> Hi Bruno,
>
> Hi Julien,
>
>> If you're using a central LDAP for all the instances you can restrict the access from the different instances using either LDAPUserGroupsFolder or CPSUserFolder.
>>
>> Discrimination is done by LDAP branches (users or groups). If you can't control the LDAP and thus the way the branches are designed, for whatever reasons, then you can use CPSUserFolder and set the discrimination on the UF within each instance by setting custom CPS directories (which is what CPSUserFolder uses as proxy for authentication sources).
>>
>> To sum up it's a matter of configuration.
>
> I'm afraid there's more to it than just a matter of configuration, cf below...
>
>> We'll be glad to discuss your use case on cps-users list.
>
> I've spent quite some time investigating the CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories... solution, and the final word (from Olivier Grisel, cf the cps-users ml) was that some code concerning roles and groups management was not yet fully implemented, so the whole thing couldn't work without patching and merging parts of CPSDirectories - which was a definitive no-no for us.
>
> I don't know if this has been fixed in 3.3.6, but anyway, this part of our project is supposed to be already working (and mostly does, except for this security problem), and we can't afford to come back on it, as it would delay delivery by at least one week - which is also not an option. But thanks anyway...
> --
> Bruno Desthuilliers
> Developer
> bruno@modulix.org
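The role-resolution logic behind Jonathan's suggestion (central user folder in the root, an External Method that walks the LDAP branches and hands back local roles at login), as an added example that is not code from this thread, from Zope or from CPS. The branch DNs, the uid attribute, the role names and the in-memory directory are all constructed assumptions; the one real API used is Zope's `RoleManager.manage_setLocalRoles(userid, roles)`, and LDAP access is passed in as a callable with the shape of python-ldap's `search_s` so the example runs offline.

```python
# Added example: resolve local roles from LDAP branch membership.
# Everything named here (branches, roles, directory contents) is assumed.
from collections import OrderedDict


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside an LDAP search filter.

    A userid containing '*', '(', ')' or '\\' must not be able to change
    the meaning of the filter (python-ldap's ldap.filter.escape_filter_chars
    does the same job; it is inlined here so the example has no dependency).
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# Assumed configuration: each LDAP branch (search base) that grants roles,
# and the local roles that membership in that branch confers.
BRANCH_ROLES = OrderedDict([
    ("ou=editors,ou=site1,dc=example,dc=org", ("Manager",)),
    ("ou=staff,ou=site1,dc=example,dc=org", ("Reviewer", "Member")),
    ("ou=readers,ou=site2,dc=example,dc=org", ("Reader",)),
])


def resolve_local_roles(userid, branch_roles, search):
    """Return the sorted list of local roles for `userid`.

    `search(base_dn, filterstr)` must return a list of (dn, attrs) tuples,
    the shape python-ldap's `search_s` returns. A branch contributes its
    roles only when the search under that base finds exactly one entry for
    the uid: zero means "not a member", and more than one is ambiguous and is
    deliberately treated as no membership, so a lookup oddity can never widen
    what a user is granted.
    """
    roles = set()
    filterstr = "(uid=%s)" % escape_filter_value(userid)
    for base_dn, branch_role_names in branch_roles.items():
        entries = search(base_dn, filterstr)
        if len(entries) == 1:
            roles.update(branch_role_names)
    return sorted(roles)


# Constructed in-memory directory standing in for the LDAP server.
FAKE_DIRECTORY = {
    "ou=editors,ou=site1,dc=example,dc=org": {"alice"},
    "ou=staff,ou=site1,dc=example,dc=org": {"alice", "bob"},
    "ou=readers,ou=site2,dc=example,dc=org": {"carol"},
}


def fake_search(base_dn, filterstr):
    """Minimal stand-in for ldap.search_s that only understands (uid=X)."""
    if not (filterstr.startswith("(uid=") and filterstr.endswith(")")):
        raise ValueError("unsupported filter: %s" % filterstr)
    uid = filterstr[5:-1]
    members = FAKE_DIRECTORY.get(base_dn, set())
    if uid in members:
        return [("uid=%s,%s" % (uid, base_dn), {"uid": [uid]})]
    return []


class RecordingContext(object):
    """Stand-in for a Zope folder: records manage_setLocalRoles calls."""

    def __init__(self):
        self.calls = []

    def manage_setLocalRoles(self, userid, roles):
        self.calls.append((userid, list(roles)))


def apply_roles_on_login(context, userid, search=fake_search):
    """Body of the External Method.

    `context` is the folder holding the central user folder; in Zope it is a
    RoleManager, so manage_setLocalRoles(userid, roles) is the real call.
    Nothing is written when the user belongs to no branch.
    """
    roles = resolve_local_roles(userid, BRANCH_ROLES, search)
    if roles:
        context.manage_setLocalRoles(userid, roles)
    return roles
```

In a deployment the `search` argument would wrap a bound `ldap.LDAPObject.search_s` call, and the External Method would be invoked from the login flow with the root folder as `context`; the escaping and the "exactly one entry" rule are the two places where a sloppy implementation would hand out roles it should not.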