On Feb 2, 2005, at 5:05, Tom Trelvik wrote:
Okay, excellent point. But I also don't understand why so many people are using Windows as a *server* for a service that just seems so much better suited for a Unix environment (and with so much less overhead), but that's just me.
I keep wondering about the very same thing, trust me ;)
You can use the LDAPUserFolder in read-only mode so it does not try to write back to the directory and store group/role information on the LDAPUserFolder itself. That way the users log in with the same credentials *and* you can manage the roles they get in the Zope context locally. It's just a matter of configuration.
But would that give every user in the LDAP server Zope-level access to my server? I'm still trying to figure out how to select which users from the LDAP server will get accounts on my server. Do I add/remove the users manually (or programmatically) through Zope? (Sorry for the newbie questions ...)
In a scenario like this you could only restrict by the following:

- where in the DIT you root the search for users
- what specific objectClass you search for

If all your users are in the same place and all the same object classes then they would all be able to authenticate. But only those who *you* picked out and assigned roles to using the configuration screens would get roles assigned to them during login and be authorized to access stuff, depending on what roles you assign inside Zope and what permissions are assigned to the roles.

jens
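The split described in the message above, between who can authenticate (search base and objectClass) and who is authorized (locally stored roles), as an added example that is not part of the original thread and is not LDAPUserFolder code. The class and helper names, DNs, object classes, passwords and the role name are all constructed for illustration, and the password comparison stands in for an LDAP bind.

```python
import hmac

def dn_parts(dn):
    # Normalised RDN list (simplified: no escaped commas in values).
    return [p.strip().lower() for p in dn.split(",")]

def under_base(dn, base):
    # Compare RDN by RDN so "xou=people,..." is not taken for "ou=people,...".
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b

class ReadOnlyLDAPModel:
    # Hypothetical model of a read-only LDAP-backed user folder.
    def __init__(self, entries, users_base, object_class):
        self.entries = entries                  # stands in for the directory
        self.users_base = users_base            # where the user search is rooted
        self.object_class = object_class.lower()
        self.local_roles = {}                   # kept locally, never written to LDAP

    def find(self, uid):
        # The only two restrictions on who can log in: base and objectClass.
        for e in self.entries:
            classes = {c.lower() for c in e["objectClass"]}
            if (e["uid"] == uid and under_base(e["dn"], self.users_base)
                    and self.object_class in classes):
                return e
        return None

    def assign_roles(self, uid, roles):
        self.local_roles[uid] = set(roles)

    def login(self, uid, password):
        # Returns (authenticated, locally assigned roles).
        e = self.find(uid)
        if e is None or not hmac.compare_digest(e["password"], password):
            return False, set()
        return True, set(self.local_roles.get(uid, ()))

def build_model():
    base = "ou=people,dc=example,dc=com"
    person = ["top", "inetOrgPerson"]
    directory = [  # constructed sample entries
        {"uid": "alice", "dn": "uid=alice," + base, "objectClass": person, "password": "a-pw"},
        {"uid": "bob", "dn": "uid=bob," + base, "objectClass": person, "password": "b-pw"},
        {"uid": "svc", "dn": "uid=svc,ou=services,dc=example,dc=com", "objectClass": person, "password": "s-pw"},
        {"uid": "printer", "dn": "uid=printer," + base, "objectClass": ["device"], "password": "p-pw"},
        {"uid": "eve", "dn": "uid=eve,x" + base, "objectClass": person, "password": "e-pw"},
    ]
    model = ReadOnlyLDAPModel(directory, base, "inetOrgPerson")
    model.assign_roles("alice", ["Manager"])    # the only user picked out locally
    return model
```

In this model bob authenticates but holds no locally assigned roles, while svc, printer and eve fall outside the search base or objectClass and cannot log in at all.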