OK, what I have are locally stored groups. If these are mapped to roles *in the LDAPUserFolder*, then the users in those groups indeed gain those roles, but then as I would expect, those mappings apply to the whole site, which is a security hole. But if I enter the mapping in an LDAPUserSatellite in a subfolder, the users do not gain the roles. The docs say the mappings augment roles in the context of the satellite. What exactly is that context?
The context is the enclosing folder and folders "underneath".
Is there a certain ``id`` that the satellite must have in order to be effective? Right now, with logging on 9, nothing shows up in the log besides the two lines at the end of this message, as if the satellite is being bypassed entirely when authentication happens.
Or is there a certain structure that I am not following, i.e. the satellite is sitting inside the actual folders for which I want to give augmented roles. Is this the proper setup?
Yes, this is the proper setup. It is important to note that the LDAPUserSatellite only works in conjunction with a LDAPUserFolder, the link here is the kind of user object emitted by the LDAPUserFolder. Only a user object of class LDAPUser has a specialized "allowed" method that tries to find and use LDAPUserSatellite objects to augment its roles on a per-request basis. jens