I took a look at the source and it seems straightforward enough. When I did a little introspection, I found something that might be a problem. I created an external method to report the type of the current user object (needed to be an external method for ``type``), and for both kinds of users, standard (i.e. admin in the default user folder), and authenticated out of LDAP, I got::

    <extension class Acquisition.ImplicitAcquirerWrapper at 40796180>

so it appears that the users aren't gaining roles because the ``allowed`` method of LDAPUser isn't getting called.
Could this have something to do with it, or am I way off base?
Python scripts can use something similar to "type", it's called "same_type". Under almost all circumstances the user object you look at *will* be wrapped, so your output just confirms that. In your external method, you could do something like this::

    from Acquisition import aq_base
    from AccessControl.SecurityManagement import getSecurityManager

... and then look at the type of user... ::

    # aq_base() strips the acquisition wrapper, so type() reports the
    # underlying user class rather than ImplicitAcquirerWrapper
    user_type = type(aq_base(getSecurityManager().getUser()))

(untested and from memory)

jens