> I'm not able to tell entirely from your verbal description, but are you saying that you've added an attribute to your users so that each user record contains the list of groups to which it belongs, and that attribute is 'ou'? This seems odd, not to mention confusing in that 'ou', an organizational unit, is typically structural and holds other entries; you certainly could have picked a better name for this.

I didn't do that; the people who set up the LDAP did it. I don't know why either.

> This alone isn't enough for LDAPUserFolder to map groups to (assuming that I understand LDAPUserFolder and your description properly). In fact, it will merely see this as an additional attribute for your user records.

Actually, with the patch I did it maps the groups correctly, but it's not a standard way.
> > Login Name Attribute: uid
> > RDN Attribute: uid
> > Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
> > Scope: SUBTREE
> > Group storage: Groups stored on LDAP server
> > Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
> > Password: xxxxxx
> > Manager DN Usage: Always
> > Read-only checked
> > User password encryption: SSHA
> > Default User Roles: LDAP=Anonymous
> Your "Groups Base DN" goes one level too low. You need to point to a structural entry which contains your group entries. The groups themselves must be something like groupOfUniqueNames, and must have individual attribute values for uniqueMember for every member of that group.
>
> LDAPUserFolder covers this in the README and comes with some simple LDIF examples that illustrate this.
> > 2) Group mapping on the LDAPUserFolder's "groups" Tab: "foo_group" maps to Zope role "Manager"
> Once you point the "Groups Base DN" to the (or a) parent element of cn=foo_group, and cn=foo_group is of objectClass 'groupOfUniqueNames', and your user is listed as a 'uniqueMember', *then* this will work properly and user 'my_login_name' will have the 'Manager' role.

Actually, with that "Groups Base DN" and deleting the "ou" attribute, I can see every group when doing a search from the manage interface, but when a user authenticates, he can get the groups to which he belongs. Anyway, I will check what you said.
> Hope I've followed your description correctly, and I hope this helps... LDAPUserFolder (and pal, LDAPUserSatellite) have made authentication in our Zope setup a pleasure to work with.
Yes, you understood my bad English perfectly :-)

Thanks,
Josef
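As an added example (not from the thread and not LDAPUserFolder's own code), a small Python check of the "one level too low" point above: with the Groups Base DN set to the leaf cn=foo_account no group entry lies below the base, so the user gets no groups; pointing it at ou=admins finds cn=foo_group through its uniqueMember value. The LDIF is constructed from the names in the post and the DN comparison is a simplified string match, not a real DN normalisation.

```python
import re

# Constructed LDIF using the placeholder names from the thread: one user under the
# Users Base DN, the ou=admins container, and a groupOfUniqueNames entry under it.
SAMPLE_LDIF = """\
dn: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
objectClass: inetOrgPerson
uid: my_login_name

dn: ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: organizationalUnit
ou: admins

dn: cn=foo_group,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: foo_group
uniqueMember: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def rdns(dn):
    """Split a DN into lower-cased RDN components (simplified: no escaping handled)."""
    return [part.strip().lower() for part in dn.split(",")]

def under_base(dn, base):
    """True when dn lies strictly below base, i.e. a SUBTREE search from base would reach it."""
    d, b = rdns(dn), rdns(base)
    return len(d) > len(b) and d[-len(b):] == b

def groups_for(entries, groups_base_dn, user_dn):
    """Group cn values a groupOfUniqueNames lookup below groups_base_dn yields for user_dn."""
    found = []
    for entry in entries:
        if not under_base(entry["dn"][0], groups_base_dn):
            continue  # entry is not inside the configured Groups Base DN
        if "groupOfUniqueNames" not in entry.get("objectClass", []):
            continue  # containers and users are not groups
        members = [m.lower() for m in entry.get("uniqueMember", [])]
        if user_dn.lower() in members:
            found.append(entry["cn"][0])
    return found
```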
Josef Albert Meile