On Tue, Aug 13, 2002 at 10:07:22AM -0400, Jens Vagelpohl wrote:
from looking at the code inside _lookupuser, the following seems to happen:
- the user record is indeed found
- in the next step, when the full record is retrieved ***while binding as that very same user that is being looked up*** the lookup fails.
the user record lookup is done in two steps. first, the given login name is looked up to see if a matching record exists at all. this lookup will, if the record exists, return the full DN for the record. it is done while bound as the manager user. in the second step the authentication credentials are switched to the full DN just found and the password that was provided by the user. this is to make sure that access restrictions put in place by the LDAP admins are not overridden and the user can only see what they are supposed to see. then, under these new credentials, all attributes are looked up inside the record identified by the full user DN. the results of this second search are used to assemble the user object zope needs.
i have a suspicion that your LDAP server access control is wrong. try to replace the line in your slapd.conf that says...
access to * by anonymous write
with...
access to * by * write
i have a feeling with your existing rule only anonymous users end up having any access rights.
in your first email you say that you are not very knowledgeable about LDAP. IMHO that is a real problem when you are trying to work with a product that assumes at least some knowledge about LDAP, such as the LDAPUserFolder. i have said it before and i will say it again: working with directory servers is harder than many people think. you must gain adequate knowledge of LDAP and the LDAP tree structure to work this product successfully.
jens
Thanks, Jens, this works. I really appreciate your sticking with my problem. BTW, I did say that I wasn't very knowledgeable about LDAP -- but for some value of "very knowledgeable" :) . I have set up and administered an LDAP server before; just never had any reason to go very deep into the security settings. Working with directory servers *is* harder than people think; mostly, I think, because there aren't a lot of decent walkthroughs for how to use LDAP in a small/medium-scale setting. Let's hope that changes.

- J.

--
Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton
Independent Knowledge Management Consultant
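To make Jens's diagnosis concrete, here is an added example (not code from the thread or from LDAPUserFolder) that evaluates slapd.conf "access to" directives under simplified OpenLDAP semantics and replays the two-step lookup he describes: it assumes "by" clauses are tested in order with the first match deciding, no match means no access, the manager is the rootdn and bypasses ACLs, and the "disclose" level is left out; the directory entry and DN are constructed. It also shows that a tighter rule set (self write, users read, anonymous auth) passes the lookup just as "by * write" does, without granting anonymous write.

```python
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # classic slapd order
# Constructed sample directory (hypothetical DN and password), keyed by DN.
DIRECTORY = {"uid=jburton,ou=people,dc=example,dc=com":
             {"uid": "jburton", "cn": "Joel Burton", "userPassword": "s3cret"}}

def parse_access_directive(line):
    """'access to <what> by <who> <level> [by <who> <level> ...]' -> (what, clauses)."""
    t = line.split()
    rest = t[3:]
    if t[:2] != ["access", "to"] or len(rest) % 3 or rest[::3] != ["by"] * (len(rest) // 3):
        raise ValueError("malformed access directive: %r" % line)
    return t[2], [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]

def who_matches(who, bind_dn, target_dn):
    """'by <who>' selector against the bound identity; bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported selector %r" % who)

def allows(clauses, bind_dn, target_dn, needed):
    """Clauses are tested in order and the first match decides; no match = no access."""
    for who, level in clauses:
        if who_matches(who, bind_dn, target_dn):
            return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(needed)
    return False

def lookup_user(directive, login, password, directory=DIRECTORY):
    """Step 1: find the DN while bound as the manager (rootdn, which bypasses ACLs).
    Step 2: bind as that DN with the user's password and re-read the full record."""
    _, clauses = parse_access_directive(directive)
    dns = [dn for dn, rec in directory.items() if rec["uid"] == login]
    if not dns:
        return None, "no record for login %r" % login
    user_dn = dns[0]
    # The bind itself starts unauthenticated, so 'auth' access is checked as anonymous.
    if not allows(clauses, None, user_dn, "auth"):
        return None, "bind as %s denied: anonymous lacks auth access" % user_dn
    if directory[user_dn]["userPassword"] != password:
        return None, "invalid credentials"
    # The attribute read now runs under the user's own DN, not the manager's.
    if not allows(clauses, user_dn, user_dn, "read"):
        return None, "record found, but not readable when bound as %s" % user_dn
    return dict(directory[user_dn]), "ok"
```

With "access to * by anonymous write" the first step finds the entry but the second, bound as the user's own DN, matches no clause and the lookup fails exactly as in the thread.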