[Zope-dev] LDAP and local roles
Florent Guillaume
fg@nuxeo.com
Mon, 6 Aug 2001 21:19:09 +0200
I have a problem which can easily be solved by local roles:
- several workgroups (each one is basically a folder)
- for each workgroup, a list of users who are allowed to do stuff in it
What I do is create a role WorkgroupMember, and in each workgroup assign
a local role of WorkgroupMember to the users who are authorized.
However I'd like all this information about workgroup membership to be
stored in an LDAP directory, where it belongs. Currently I'm a bit
stuck. What I envision would be something akin to LDAPLoginAdapter but
whose effect would be on the local roles of a given folder.
In my LDAP directory, I would have something like:
dn: cn=WorkgroupMember, ou=workgroup1, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=bob, ou=people, dc=example, dc=com
uniqueMember: cn=pete, ou=people, dc=example, dc=com
uniqueMember: cn=joe, ou=people, dc=example, dc=com
And the local roles in the folder would be parametrized by:
groups base DN: ou=workgroups, dc=example, dc=com
groups attribute: ou
local role name attribute: cn
login name attribute: cn
user base DN: ou=people, dc=intercom, dc=gouv, dc=fr
user RDN attribute: cn
(all this can be factored somewhere)
group: workgroup1
Well, that's how I see it. I have three questions:
- is there a better way to do it?
- has anyone done something like that? Would an LDAPified
Slave User Folder fit the bill?
(BTW, I should do a separate message about this, but Slave User Folder
and LDAPLoginAdapter don't mix well, as LDAPLoginAdapter.getUsers
returns only *cached* users... It could work if Slave User Folder
only used getUserNames when listing available users)
- If I do it with local roles, where and how would
I plug in the machinery to do this?
I need to replace the RoleManager, but I don't want to re-derive
all classes. I could patch the folder to have a callable
__ac_local_roles__, and I think things would mostly work
(AccessControl.User does the right thing with callable
__ac_local_roles__), but I'm not completely sure; besides,
that's ugly.
Thanks,
Florent Guillaume
Nuxeo
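The mapping the post envisions, as an added example that is not code from the post, from Zope, or from LDAPLoginAdapter: a stdlib-only Python function that takes the per-folder parameters listed above plus a constructed LDIF snippet in the described layout and returns the login -> roles dict that a callable __ac_local_roles__ could hand back for one workgroup folder. The minimal LDIF reader, the extra Reviewer and workgroup2 entries, and the user base DN under dc=example, dc=com (aligned with the LDIF rather than the post's dc=intercom value) are assumptions made for the example; uniqueMember DNs that do not sit directly under the user base DN are deliberately ignored instead of being turned into a login.

```python
from collections import defaultdict
# Constructed LDIF in the layout the post describes (not a dump of any real directory).
LDIF = """\
dn: cn=WorkgroupMember, ou=workgroup1, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=bob, ou=people, dc=example, dc=com
uniqueMember: cn=pete, ou=people, dc=example, dc=com
uniqueMember: cn=mallory, ou=contractors, dc=example, dc=com

dn: cn=Reviewer, ou=workgroup1, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=pete, ou=people, dc=example, dc=com

dn: cn=WorkgroupMember, ou=workgroup2, ou=workgroups, dc=example, dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=joe, ou=people, dc=example, dc=com
"""
# The per-folder parameters from the post (user base DN aligned with the LDIF above; assumed).
CONFIG = {"groups_base_dn": "ou=workgroups, dc=example, dc=com", "groups_attribute": "ou",
          "local_role_name_attribute": "cn", "user_rdn_attribute": "cn",
          "user_base_dn": "ou=people, dc=example, dc=com"}

def parse_dn(dn):  # 'cn=x, ou=y' -> [('cn', 'x'), ('ou', 'y')], attribute names lowercased
    return [(a.strip().lower(), v.strip()) for a, _, v in
            (rdn.partition("=") for rdn in dn.split(","))]

def parse_ldif(text):
    # Minimal LDIF reader (no line folding, no base64 values): one {attr: [values]} per entry
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append(defaultdict(list))
        for a, _, v in (line.partition(":") for line in block.splitlines()):
            entries[-1][a.strip().lower()].append(v.strip())
    return entries

def local_roles_for_workgroup(entries, cfg, group):
    # login -> [roles] for one workgroup folder: the dict a callable __ac_local_roles__ could return
    gbase, ubase = parse_dn(cfg["groups_base_dn"]), parse_dn(cfg["user_base_dn"])
    roles = defaultdict(set)
    for attrs in entries:
        d = parse_dn(attrs["dn"][0])
        # a group entry must sit exactly at <role attr>=<role>, <groups attr>=<group>, <groups base DN>
        if d[2:] != gbase or d[1] != (cfg["groups_attribute"], group) \
                or d[0][0] != cfg["local_role_name_attribute"]:
            continue
        for m in map(parse_dn, attrs.get("uniquemember", [])):
            # only members directly under the user base DN become logins; anything else is ignored
            if m[1:] == ubase and m[0][0] == cfg["user_rdn_attribute"]:
                roles[m[0][1]].add(d[0][1])
    return {login: sorted(r) for login, r in roles.items()}
```

Calling local_roles_for_workgroup(parse_ldif(LDIF), CONFIG, "workgroup1") yields bob with WorkgroupMember and pete with both Reviewer and WorkgroupMember, while mallory (outside ou=people) and joe (in workgroup2) get nothing in that folder.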