[Zope-CMF] CMF LDAP use and local role requires FIRST authentication ?

larry_prikockis@natureserve.org
Thu, 11 Apr 2002 13:08:47 -0400


I'm not sure what type of LDAP server you're authenticating against, but
I've basically had the same behavior using a Windows Active Directory
server.  Of course, I've been accessing the LDAP (actually AD via LDAP)
server strictly in a read-only manner.  It seems that if you had permissions
to write to the LDAP directory, you ought to be able to assign roles, etc.

An alternative that I've used is to make use of whatever groups are already
on the LDAP server (this makes a lot of sense for my setup since we already
have an elaborate Active Directory group structure).  Then, you can map
particular local roles to pre-existing groups on the LDAP server, and users
belonging to those groups will be granted the appropriate roles when they
log in.

All that said, I've had various types of quirky authentication behavior using
the latest CMF, CMFLDAP etc, with an Apache vhost front end.  But that's
really a whole separate discussion %-)

> -----Original Message-----
> From: Cravoisier Thierry [mailto:thierry.cravoisier@st.com]
> Sent: Thursday, April 11, 2002 12:45 PM
> To: Zope CMF Mailing list
> Subject: [Zope-CMF] CMF LDAP use and local role requires FIRST
> authentication ?
> 
> 
> Hi all,
> 
> I have set up the LDAP and use with CMFLdap, it works fine.
> I want now to search for users on the LDAP and then assign them some
> local roles within the site.
> The search returned value is ALWAYS empty unless the user already
> connected to the site and authenticated correctly.
> 
> Why does it work this way ?
> Why am I not able to define local roles to people before they use the
> system ?
>