by the way, if the main body of your user records is not in any LDAP group or you don't have any suitable group in LDAP to signify something like "yes, this is a user who can access website XYZ" or "this is an employee" then you can use the "Default user roles" setting on the Properties tab to define a comma-separated list of roles that is assigned to any *successfully authenticated* user.

jens

On Tuesday, April 2, 2002, at 08:39, Mitch Pirtle wrote:
On Tue, 2002-04-02 at 15:37, Jens Vagelpohl wrote:
you need to follow your steps 1, 2, 3 and 4, but not 5.
steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.
you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly.
Whoah there, now you're asking for too much -;^>=
So basically I recreate (within Zope) any LDAP groups that I want to use, but the assignment of users to those groups will still be driven through LDAP. I feel much better now...
Thanks for the quick answer, I was just working on an LDIF export. Talk about timeliness!
--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
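
The role resolution discussed in this thread, as an added example that is not part of the original messages and is not LDAPUserFolder's own code: a small Python model of "default roles plus LDAP group names, with permissions only for roles created in Zope". The class, method names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RoleModel:
    """Simplified model of the behaviour described in the thread."""
    # Roles created by hand in Zope (step 4), mapped to their permissions.
    zope_roles: dict
    # The comma-separated "Default user roles" value from the Properties tab.
    default_user_roles: str = ""

    def default_roles(self):
        return [r.strip() for r in self.default_user_roles.split(",") if r.strip()]

    def roles_for(self, authenticated, ldap_groups):
        # Roles exist only for a successfully authenticated user.
        if not authenticated:
            return []
        roles = []
        for role in self.default_roles() + list(ldap_groups):
            if role not in roles:  # keep order, drop duplicates
                roles.append(role)
        return roles

    def permissions_for(self, authenticated, ldap_groups):
        # A role name that was never created in Zope contributes nothing.
        perms = set()
        for role in self.roles_for(authenticated, ldap_groups):
            perms |= self.zope_roles.get(role, set())
        return perms

    def unmapped_roles(self, authenticated, ldap_groups):
        # LDAP group names (or default roles) with no matching Zope role.
        # Worth reviewing: a typo here silently grants no access, and a
        # later-created role of the same name silently grants it.
        return [r for r in self.roles_for(authenticated, ldap_groups)
                if r not in self.zope_roles]


# Constructed sample data: two roles defined in Zope, one default role,
# and a user whose LDAP entry is a member of two groups.
SAMPLE = RoleModel(
    zope_roles={"Employee": {"View"}, "Editors": {"View", "Change content"}},
    default_user_roles="Employee, ",
)
SAMPLE_GROUPS = ["Editors", "Contractors"]

if __name__ == "__main__":
    print(SAMPLE.roles_for(True, SAMPLE_GROUPS))
    print(sorted(SAMPLE.permissions_for(True, SAMPLE_GROUPS)))
    print(SAMPLE.unmapped_roles(True, SAMPLE_GROUPS))
```
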