[HELP] Zope local roles and LDAP Groups
Hello,

I use Zope / CMF / LDAPUserFolder for some Intranet sites. But I have a problem with LDAP groups:

I have some groups of users defined in my LDAP directory ==> OK
I use these LDAP groups to define "local roles" in some Folders ==> OK

But it doesn't seem to work: if I define the local role "Manager" for the LDAP group "Informatique", when a user "flemaitre" (from this group) is authenticated, he doesn't have the permissions that I have given to the group "Informatique".

Does anyone have any idea? Is there any easy way to use LDAP groups in Zope?

Thanks in advance.

PS: Excuse my English...

Fred.
how exactly do you "define the local role "Manager" for the LDAP-group "Informatique""? the steps you have taken are very unclear.

in order to use a role that a user has because his record is in a certain group in LDAP (first of all, look at the user object to make sure the role is actually assigned!) you need to create a role of the same name in zope using the Security tab in a folder or at the root. then you can assign all the permissions you want to this role, also on the Security tab. the user that has this special role from LDAP will then have those permissions in that location and "below".

jens

On Tuesday, April 2, 2002, at 04:16 , Frédéric Lemaitre wrote:
Hello,
I use Zope / CMF / LDAPUserFolder for some Intranet sites. But I have a problem with LDAP groups:
I have some groups of users defined in my LDAP directory ==> OK
I use these LDAP groups to define "local roles" in some Folders ==> OK
But it doesn't seem to work: if I define the local role "Manager" for the LDAP group "Informatique", when a user "flemaitre" (from this group) is authenticated, he doesn't have the permissions that I have given to the group "Informatique".
Does anyone have any idea? Is there any easy way to use LDAP groups in Zope?
Thanks in advance.
PS: Excuse my English...
Fred.
Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope
On Tue, 2002-04-02 at 14:46, Jens Vagelpohl wrote:
in order to use a role that a user has because his record is in a certain group in LDAP (first of all, look at the user object to make sure the role is actually assigned!) you need to create a role of the same name in zope using the Security tab in a folder or at the root. then you can assign all the permissions you want to this role, also on the Security tab. the user that has this special role from LDAP will then have those permissions in that location and "below".
This is not a complaint, but I gotta grok this before I spend any more time thinking about Zope and LDAP:

1) You create the LDAP schema (including groups and roles)
2) Populate slapd with entries
3) Point LDAPUserFolder to slapd
4) Manually recreate all groups in Zope
5) Manually reassign all users to groups in Zope

Ouch. You know, with 11,000 users that's gonna hurt. -;^>=

Is anybody working on this? Jens? Bueller?

--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
you need to follow your steps 1, 2, 3 and 4, but not 5.

steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.

you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly. you just need to make sure what you want zope itself to do when it encounters those role names on the user object. that does not mean you must create a role in zope for all groups an LDAP user is in, just those that you are interested in.

jens

On Tuesday, April 2, 2002, at 08:20 , Mitch Pirtle wrote:
On Tue, 2002-04-02 at 14:46, Jens Vagelpohl wrote:
in order to use a role that a user has because his record is in a certain group in LDAP (first of all, look at the user object to make sure the role is actually assigned!) you need to create a role of the same name in zope using the Security tab in a folder or at the root. then you can assign all the permissions you want to this role, also on the Security tab. the user that has this special role from LDAP will then have those permissions in that location and "below".
This is not a complaint, but I gotta grok this before I spend any more time thinking about Zope and LDAP:
1) You create the LDAP schema (including groups and roles)
2) Populate slapd with entries
3) Point LDAPUserFolder to slapd
4) Manually recreate all groups in Zope
5) Manually reassign all users to groups in Zope
Ouch. You know, with 11,000 users that's gonna hurt. -;^>=
Is anybody working on this? Jens? Bueller?
--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
On Tue, 2002-04-02 at 15:37, Jens Vagelpohl wrote:
you need to follow your steps 1, 2, 3 and 4, but not 5.
steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.
you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly.
Whoa there, now you're asking for too much -;^>=

So basically I recreate (within Zope) any LDAP groups that I want to use, but the assignment of users to those groups will still be driven through LDAP. I feel much better now...

Thanks for the quick answer, I was just working on an LDIF export. Talk about timeliness!

--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
by the way, if the main body of your user records is not in any LDAP group or you don't have any suitable group in LDAP to signify something like "yes, this is a user who can access website XYZ" or "this is an employee" then you can use the "Default user roles" setting on the Properties tab to define a comma-separated list of roles that is assigned to any *successfully authenticated* user.

jens

On Tuesday, April 2, 2002, at 08:39 , Mitch Pirtle wrote:
On Tue, 2002-04-02 at 15:37, Jens Vagelpohl wrote:
you need to follow your steps 1, 2, 3 and 4, but not 5.
steps 1-3 are self-explanatory. step 4 is needed because zope has no idea what all these role names mean that might be assigned to a user object coming from LDAP. zope has no clue what permissions these roles might have, that's why you need to manually create the role and give it the desired permissions.
you do not need to assign any user to any LDAP group because the user will have roles corresponding to LDAP group names when the user object gets instantiated. so the "connection" between user and role is handled by LDAP itself, provided you configured your LDAPUserFolder correctly.
Whoa there, now you're asking for too much -;^>=
So basically I recreate (within Zope) any LDAP groups that I want to use, but the assignment of users to those groups will still be driven through LDAP. I feel much better now...
Thanks for the quick answer, I was just working on an LDIF export. Talk about timeliness!
--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45
Fax: +41 1 786 95 95
Jens Vagelpohl writes:
... in order to use a role that a user has because his record is in a certain group in LDAP (first of all, look at the user object to make sure the role is actually assigned!) you need to create a role of the same name in zope using the Security tab in a folder or at the root. then you can assign all the permissions you want to this role, also on the Security tab. the user that has this special role from LDAP will then have those permissions in that location and "below".

I have an extension to your LDAPUserFolder which allows mapping from LDAP groups to Zope roles.
If you are interested, I can package the patch and send it to you. Dieter
Frédéric Lemaitre writes:
I use Zope / CMF / LDAPUserFolder for some Intranet sites. But I have a problem with LDAP groups:
I have some groups of users defined in my LDAP directory ==> OK
I use these LDAP groups to define "local roles" in some Folders ==> OK
But it doesn't seem to work: if I define the local role "Manager" for the LDAP group "Informatique", when a user "flemaitre" (from this group) is authenticated, he doesn't have the permissions that I have given to the group "Informatique".

You define local roles for individual users, not LDAP groups....
Dieter
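To make the two points of this thread concrete (Jens: LDAP group names become role names on the user object, but only roles that are also declared in Zope carry permissions, and "Default user roles" are added to every authenticated user; Dieter: local roles are keyed by user id, not by group name), here is a small model written for this page. It is not LDAPUserFolder's or Zope's own code, and the group names, DNs, permission sets and local-role settings are constructed for illustration.

```python
# Added example, not LDAPUserFolder code: a model of how the thread describes
# LDAP group membership turning into Zope roles, and why a role must also be
# declared in Zope (with permissions) before membership grants anything.

# Constructed LDAP data: group cn -> member DNs (think of the uniqueMember
# attribute of a groupOfUniqueNames entry). "Informatique" is from the thread.
LDAP_GROUPS = {
    "Informatique": ["uid=flemaitre,ou=people,dc=example,dc=com"],
    "Comptabilite": ["uid=jdoe,ou=people,dc=example,dc=com"],
}

# Constructed Zope-side configuration: roles declared on a Security tab and the
# permissions given to them (Jens' "step 4"). A role missing here is unknown
# to Zope even if an LDAP group of that name exists.
ZOPE_ROLES_WITH_PERMISSIONS = {
    "Authenticated": {"View"},
    "Informatique": {"View", "Add Documents"},
    "Manager": {"View", "Add Documents", "Manage properties"},
}
DEFAULT_USER_ROLES = ["Authenticated"]  # the "Default user roles" setting

# Local roles on a folder are keyed by *user id* (Dieter's point). Fred's
# setting used a group name as the key, so it never matches any user.
LOCAL_ROLES = {"Informatique": ["Manager"]}


def roles_from_ldap(user_dn, groups=LDAP_GROUPS, default_roles=DEFAULT_USER_ROLES):
    """Role names the user object carries after login: one per LDAP group the
    DN is a member of, plus the default roles every authenticated user gets."""
    roles = [cn for cn, members in groups.items() if user_dn in members]
    return sorted(set(roles + list(default_roles)))


def effective_permissions(user_id, user_dn, local_roles=LOCAL_ROLES):
    """Return (roles, permissions) for a user in a folder with local_roles."""
    roles = set(roles_from_ldap(user_dn))
    roles.update(local_roles.get(user_id, []))  # group-name keys never match
    perms = set()
    for role in roles:
        # Role names come straight from LDAP group cn values, so whoever can
        # edit groups in LDAP can mint role names; only declared roles count.
        perms.update(ZOPE_ROLES_WITH_PERMISSIONS.get(role, set()))
    return roles, perms
```

Running `effective_permissions("flemaitre", "uid=flemaitre,ou=people,dc=example,dc=com")` with Fred's local-role setting yields the group's permissions but not "Manage properties"; keying the local role by "flemaitre" instead adds the Manager permissions.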
participants (4): Dieter Maurer, Frédéric Lemaitre, Jens Vagelpohl, Mitch Pirtle