[Zope-dev] LDAP and local roles

Florent Guillaume fg@nuxeo.com
Mon, 6 Aug 2001 21:19:09 +0200


I have a problem which can easily be solved by local roles:

 - several workgroups (each one is basically a folder)

 - for each workgroup, a list of users who are allowed to do stuff in it

What I do is create a role WorkgroupMember, and in each workgroup assign
a local role of WorkgroupMember to the users who are authorized.


However I'd like all this information about workgroup membership to be
stored in an LDAP directory, where it belongs. Currently I'm a bit
stuck. What I envision would be something akin to LDAPLoginAdapter but
whose effect would be on the local roles of a given folder.

In my LDAP directory, I would have something like:

dn: cn=WorkgroupMember, ou=workgroup1, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=bob, ou=people, dc=example, dc=com
uniqueMember: cn=pete, ou=people, dc=example, dc=com
uniqueMember: cn=joe, ou=people, dc=example, dc=com

And the local roles in the folder would be parametrized by:
   groups base DN: ou=workgroups, dc=example, dc=com
   groups attribute: ou
   local role name attribute: cn
   login name attribute: cn
   user base DN: ou=people, dc=intercom, dc=gouv, dc=fr
   user RDN attribute: cn
   (all this can be factored somewhere)
   group: workgroup1

Well, that's how I see it. I have three questions:

 - is there a better way to do it?

 - has someone done something like that? Would an LDAPified
   Slave User Folder fit the bill?

    (BTW, I should do a separate message about this, but Slave User Folder
    and LDAPLoginAdapter don't mix well, as LDAPLoginAdapter.getUsers
    returns only *cached* users... It could work if Slave User Folder 
    only used getUserNames when listing available users)

 - If I do it with local roles, where and how would
   I plug the machinery to do this?
   I need to replace the RoleManager, but I don't want to re-derive
   all classes. I could patch the folder to have a callable
   __ac_local_roles__, and I think things would mostly work
   (AccessControl.User does the right thing with callable
   __ac_local_roles__), but I'm not completely sure; besides,
   that's ugly.

Thanks,


Florent Guillaume
Nuxeo
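The resolution sketched in the post, written out as an added example (modern Python, not code from the post, from Zope or from LDAPLoginAdapter). It stands in an in-memory LDIF sample for the directory, so it runs offline; the CONFIG key names are hypothetical, and the login name is assumed to equal the user RDN value unless a different login attribute is configured, in which case it is read from the user's own entry. The security check worth having is the one on uniqueMember values: a member DN only maps onto a Zope user id when it is a direct child of the configured user base DN with the configured RDN attribute, so a "cn=bob" living elsewhere in the tree does not turn into local roles for the user "bob". Both DN comparisons are case-insensitive, and a malformed member DN is rejected rather than guessed at.

```python
import re
from collections import defaultdict

# Constructed sample (not real data); workgroup2 lists a "cn=bob" outside ou=people.
SAMPLE_LDIF = """\
dn: cn=WorkgroupMember, ou=workgroup1, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=bob, ou=people, dc=example, dc=com
uniqueMember: cn=pete, ou=people, dc=example, dc=com
uniqueMember: cn=joe, ou=people, dc=example, dc=com

dn: cn=WorkgroupMember, ou=workgroup2, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=pete, ou=people, dc=example, dc=com
uniqueMember: cn=bob, ou=contractors, dc=example, dc=com

dn: cn=bob, ou=people, dc=example, dc=com
objectClass: inetOrgPerson
uid: bob42
"""

# The per-folder parameters listed in the post (the key names are hypothetical).
CONFIG = {
    "groups_base_dn": "ou=workgroups, dc=example, dc=com",
    "groups_attribute": "ou",
    "local_role_name_attribute": "cn",
    "login_name_attribute": "cn",
    "user_base_dn": "ou=people, dc=example, dc=com",
    "user_rdn_attribute": "cn",
    "group": "workgroup1",
}

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' or folded lines), enough for the sample."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs[name.strip().lower()].append(value.strip())
        entries.append({"dn": attrs.pop("dn")[0], "attrs": attrs})
    return entries

def parse_dn(dn):
    """[(attr, value), ...] leaf first; unescapes '\\,', lower-cases attribute
    types, strips optional whitespace; raises on a malformed component."""
    parsed = []
    for comp in re.split(r"(?<!\\),", dn):
        attr, sep, value = comp.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % comp)
        parsed.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return parsed

def _key(parsed):  # case-insensitive comparison form of a parsed DN
    return tuple((a, v.lower()) for a, v in parsed)

def resolve_local_roles(entries, config):
    """({login: [roles]}, [rejected member DNs]) for config['group']. A member
    counts only as a direct child of the user base DN with the configured RDN
    attribute, so a "cn=bob" elsewhere in the tree cannot become roles for "bob"."""
    groups_base, user_base = parse_dn(config["groups_base_dn"]), parse_dn(config["user_base_dn"])
    role_attr, grp_attr = config["local_role_name_attribute"].lower(), config["groups_attribute"].lower()
    login_attr, rdn_attr = config["login_name_attribute"].lower(), config["user_rdn_attribute"].lower()
    by_dn = {_key(parse_dn(e["dn"])): e for e in entries}
    roles, rejected = defaultdict(set), []
    for entry in entries:
        gdn = parse_dn(entry["dn"])
        # Only groupOfUniqueNames at <role attr>=<role>, <groups attr>=<group>, <groups base>.
        if ("groupofuniquenames" not in [c.lower() for c in entry["attrs"].get("objectclass", [])]
                or len(gdn) != len(groups_base) + 2 or _key(gdn[2:]) != _key(groups_base)
                or gdn[0][0] != role_attr or gdn[1][0] != grp_attr
                or gdn[1][1].lower() != config["group"].lower()):
            continue
        for member in entry["attrs"].get("uniquemember", []):
            try:
                mdn = parse_dn(member)
            except ValueError:
                mdn = None
            if (mdn is None or len(mdn) != len(user_base) + 1
                    or _key(mdn[1:]) != _key(user_base) or mdn[0][0] != rdn_attr):
                rejected.append(member)
                continue
            if login_attr == rdn_attr:
                login = mdn[0][1]
            else:  # login id is an attribute of the user's own entry, not part of its DN
                values = by_dn.get(_key(mdn), {"attrs": {}})["attrs"].get(login_attr, [])
                if len(values) != 1:
                    rejected.append(member)
                    continue
                login = values[0]
            roles[login].add(gdn[0][1])
    return {login: sorted(r) for login, r in roles.items()}, rejected

def make_local_roles_callable(entries, config):
    """Zero-argument callable for a folder's __ac_local_roles__; rejected members are dropped."""
    return lambda: resolve_local_roles(entries, config)[0]
```

Against a live directory the role entries would come from one search with base `<groups attribute>=<group>, <groups base DN>`, one-level scope and filter `(objectClass=groupOfUniqueNames)`, and the same DN checks would apply to what comes back. Since a callable `__ac_local_roles__` is consulted on every permission check, the result needs caching with an explicit lifetime, which is the same caching question the post raises about LDAPLoginAdapter.getUsers.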