you need to follow your steps 1, 2, 3 and 4, but not 5. steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.

you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly. you just need to make sure what you want zope itself to do when it encounters those role names on the user object. that does not mean you must create a role in zope for all groups an LDAP user is in, just those that you are interested in.

jens

On Tuesday, April 2, 2002, at 08:20, Mitch Pirtle wrote:
On Tue, 2002-04-02 at 14:46, Jens Vagelpohl wrote:
in order to use a role that a user has because his record is in a certain group in LDAP (first of all, look at the user object to make sure the role is actually assigned!) you need to create a role of the same name in zope using the Security tab in a folder or at the root. then you can assign all the permissions you want to this role, also on the Security tab. the user that has this special role from LDAP will then have those permissions in that location and "below".
This is not a complaint, but I gotta grok this before I spend any more time thinking about Zope and LDAP:
1) You create the LDAP schema (including groups and roles)
2) Populate slapd with entries
3) Point LDAPUserFolder to slapd
4) Manually recreate all groups in Zope
5) Manually reassign all users to groups in Zope
Ouch. You know, with 11,000 users that's gonna hurt. -;^>=
Is anybody working on this? Jens? Bueller?
--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
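As an added illustration (not Zope or LDAPUserFolder code), a toy Python model of the point made in the thread: LDAP supplies the user-to-role link through group names, while the role-to-permission link has to be defined in Zope's folder tree and then applies to that folder and below. Folder, permission and group names are constructed.

```python
class Folder:
    """Toy stand-in for a Zope folder's Security tab (not Zope's own code)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.roles = set()            # roles defined here ("add role")
        self.permission_roles = {}    # permission -> roles granted here

    def _chain(self):
        """This folder, then each ancestor up to the root (Zope acquisition)."""
        f = self
        while f is not None:
            yield f
            f = f.parent

    def define_role(self, role):
        self.roles.add(role)

    def role_defined(self, role):
        return any(role in f.roles for f in self._chain())

    def grant(self, permission, roles):
        # Like the Security tab, only roles Zope knows about can be granted.
        for r in roles:
            if not self.role_defined(r):
                raise ValueError(f"role {r!r} not defined at or above {self.name}")
        self.permission_roles[permission] = set(roles)

    def roles_for(self, permission):
        """Roles holding `permission` here or in any ancestor ("and below")."""
        granted = set()
        for f in self._chain():
            granted |= f.permission_roles.get(permission, set())
        return granted

def roles_from_ldap_groups(group_dns):
    """LDAPUserFolder-style mapping: the group's cn becomes a role name."""
    return {dn.split(",")[0].split("=", 1)[1] for dn in group_dns}

def allowed(user_roles, folder, permission):
    return bool(user_roles & folder.roles_for(permission))

# Constructed sample: a user in two LDAP groups; Zope only cares about "Editors".
USER = roles_from_ldap_groups(["cn=Editors,ou=Groups,dc=example,dc=com",
                               "cn=Staff,ou=Groups,dc=example,dc=com"])
ROOT = Folder("root"); DOCS = Folder("docs", ROOT); SUB = Folder("2002", DOCS)
EDIT = "Modify content"                    # constructed permission name
BEFORE = allowed(USER, DOCS, EDIT)         # False: Zope has no idea what "Editors" means yet
DOCS.define_role("Editors"); DOCS.grant(EDIT, ["Editors"])   # step 4 of the thread
AFTER = (allowed(USER, ROOT, EDIT), allowed(USER, DOCS, EDIT), allowed(USER, SUB, EDIT))
```

The "Staff" role stays on the user object but grants nothing anywhere, since no Zope folder ever defines it.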