[Zope] ldap user folder authentication prob

Jens Vagelpohl jens@zope.com
Fri, 23 Nov 2001 18:57:58 -0500


Just as a follow-up to the "INAPPROPRIATE_AUTH" message you saw: since I had 
never seen that error message before, I looked it up and the docs say:

"""
Inappropriate authentication was specified (e.g. LDAP_AUTH_SIMPLE was 
specified and the entry does not have a userPassword attribute)
"""

To me this sounds like:

- there is indeed a record with that user name
- the record does not have a userPassword attribute.

Very strange. Are you 100% sure there isn't some account in LDAP with that 
name, maybe even some hidden system account?

Apart from that I cannot reproduce your problem. I did the following:

- created a subfolder on a site
- instantiated an LDAPUserFolder in it
- at the site root (in a standard Zope user folder) I added a user with the 
"Manager" role that has a user name definitely not found in LDAP

When I log in as that test user I can do anything I want, outside as well 
as inside the folder protected by the LDAPUserFolder. When I crank up 
logging to the highest level inside the LDAPUserFolder it keeps telling me 
"User not found", but that's the expected behavior. Like any other user 
folder it will then simply return "None", which prompts the Zope security 
machinery to go up the tree, look at the next user folder it finds and 
try again.

As far as the roles go, you should do one of two things:

- either create groups on the Groups tab that have the same names as 
meaningful roles in Zope and then add your user record to the group

- or re-use the groups already in LDAP by creating a role with the same 
name at the root of your Zope site and giving it any desired permissions.

jens


On Thursday, November 22, 2001, at 08:34 , Jonathan Cheyne wrote:

>> jonathan,
>
>> it's trying to look up a user with account name "root"? is there such an
>> account name in your zope instance?
>
> Yes - in the root folder is the default install acl folder with a 'root'
> user (an admin user for the whole zope instance). Then there is a zwiki
> folder and in there the ldapuserfolder. There are no other users in the
> instance apart from root and whatever is returned from ldap. The ldap server
> runs authentication for the intranet, some website functions etc. and works.
> I can authenticate ok for our iplanet servers.
>
> I created a new user in the top level regular acl folder called admin. No
> such user exists in ldap. I gave the admin user a Manager role. I can
> administer the zope instance EXCEPT for the wiki containing ldapuserfolder.
> If I try to view this folder I get
>
> Error Type: INAPPROPRIATE_AUTH
> Error Value: {'desc': 'Inappropriate authentication'}
>
> This message also appears even if I try to /view/ the wiki when logged in as
> admin. Log back in as jonathan and all is fine. To test if this was because
> the admin uid might not be in ldap and that a partial lookup was occurring
> for all other ids I added a user "doodah" and yet this worked ok (in so far
> that it did not produce that error). This means that only the admin user
> creates that prob.
>
> (Is there a protected user admin within zope as a whole maybe?)
>
> Maybe this comes down to your roles question which I am not completely
> following. I do a look up on a user (say me, jon) and do not get anything
> saying roles, just cn, dn, uid plus a long list of check boxes for groups
> (that we use for authentication things). Is this what you mean? In the
> configure screen there is the box saying default user role - I changed this
> to Authenticated but no diff.
>
> Do I need to map one of our groups to a zope role?
>
> Cheers
>
> Jonathan
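An added example, not part of the original thread and not LDAPUserFolder's or Zope's own code: an in-memory model of the user-folder chain Jens describes. The LDAP-backed folder returns None for an unknown login so the lookup falls through to the root acl_users, while a login whose directory entry exists but carries no userPassword reproduces the INAPPROPRIATE_AUTH failure he suspects (a stray "admin" record is constructed to show it), and LDAP group names are mapped onto Zope roles of the same name, as the message advises. The directory contents, the use of `uid` as the login attribute and `memberOf` as the group attribute, the folder and error class names, and the passwords are all assumptions made for the example.

```python
"""In-memory model of a Zope user-folder chain with an LDAP-backed folder.
Added example only: the fake directory, folders and error classes are
simulated here; none of it is LDAPUserFolder's or Zope's own code."""
from collections import namedtuple

User = namedtuple("User", "name roles")

class InappropriateAuth(Exception):
    "Stands in for ldap.INAPPROPRIATE_AUTH (simple bind, entry has no userPassword)."

class InvalidCredentials(Exception):
    "Stands in for ldap.INVALID_CREDENTIALS (entry exists, wrong password)."

def ldap_search_by_uid(entries, uid):
    """Fake search over dn -> attributes; 'uid' is assumed to be the login attribute."""
    for dn, attrs in entries.items():
        if attrs.get("uid") == uid:
            return dn, attrs
    return None

def ldap_simple_bind(entries, dn, password):
    """Fake simple bind with the two failure modes the thread is about."""
    attrs = entries[dn]
    if "userPassword" not in attrs:
        raise InappropriateAuth({"desc": "Inappropriate authentication"})
    if attrs["userPassword"] != password:
        raise InvalidCredentials({"desc": "Invalid credentials"})

class LocalUserFolder:
    """Standard acl_users: name -> (password, roles)."""
    parent = None

    def __init__(self, users):
        self.users = users

    def authenticate(self, name, password):
        rec = self.users.get(name)
        if rec is None or rec[0] != password:
            return None
        return User(name, frozenset(rec[1]))

class LDAPUserFolderModel:
    """Model of an LDAP-backed folder (hypothetical class, not the real product)."""
    parent = None

    def __init__(self, entries, zope_roles, default_role="Authenticated"):
        self.entries = entries
        self.zope_roles = set(zope_roles)
        self.default_role = default_role

    def authenticate(self, name, password):
        # An empty password turns a simple bind into an unauthenticated bind
        # (RFC 4513 section 5.1.2), so refuse it before touching the directory.
        if not password:
            return None
        hit = ldap_search_by_uid(self.entries, name)
        if hit is None:
            return None  # "User not found": hand off to the next folder up the tree
        dn, attrs = hit
        ldap_simple_bind(self.entries, dn, password)  # raises if entry has no userPassword
        # Re-use LDAP group names that match roles defined at the Zope site root.
        roles = {g for g in attrs.get("memberOf", []) if g in self.zope_roles}
        roles.add(self.default_role)
        return User(name, frozenset(roles))

def validate(folder, name, password):
    """Innermost folder answers first; a None result sends the lookup to the parent."""
    while folder is not None:
        user = folder.authenticate(name, password)
        if user is not None:
            return user
        folder = folder.parent
    return None

# Constructed sample directory; the stray 'admin' record has no userPassword.
SAMPLE_ENTRIES = {
    "uid=jon,ou=people,dc=example,dc=org":
        {"uid": "jon", "userPassword": "s3cret", "memberOf": ["Manager", "staff"]},
    "uid=doodah,ou=people,dc=example,dc=org":
        {"uid": "doodah", "userPassword": "pw", "memberOf": ["staff"]},
    "uid=admin,ou=people,dc=example,dc=org": {"uid": "admin", "memberOf": []},
}

def login_outcome(name, password, include_stray_admin=True):
    """Root acl_users holds 'root' and 'admin' (Manager); the wiki subfolder
    holds the LDAP-backed folder, whose parent is the root folder."""
    entries = dict(SAMPLE_ENTRIES)
    if not include_stray_admin:
        del entries["uid=admin,ou=people,dc=example,dc=org"]
    root = LocalUserFolder({"root": ("rootpw", ["Manager"]),
                            "admin": ("adminpw", ["Manager"])})
    wiki = LDAPUserFolderModel(entries, zope_roles={"Manager", "Authenticated"})
    wiki.parent = root
    try:
        user = validate(wiki, name, password)
    except InappropriateAuth as exc:
        return f"INAPPROPRIATE_AUTH {exc.args[0]}"
    except InvalidCredentials:
        return "invalid credentials"
    return "no user" if user is None else f"{user.name}: {','.join(sorted(user.roles))}"
```

Run `login_outcome("admin", "adminpw")` with and without the stray record: with it, the simple bind raises before the lookup can fall through, so the root-folder admin is locked out of the LDAP-protected subfolder exactly as reported; without it, the LDAP folder returns None and the root acl_users authenticates admin with the Manager role. The empty-password guard is a caveat worth keeping in any real bind-based authenticator, since an unauthenticated bind succeeds against many servers and would otherwise be mistaken for a valid login.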