[Zope] [HELP] Zope local roles and LDAP Groups

Jens Vagelpohl jens@zope.com
Tue, 2 Apr 2002 08:37:34 -0500


you need to follow your steps 1, 2, 3 and 4, but not 5.

steps 1-3 are self-explanatory. step 4 is needed because zope has no idea
what all these role names mean that might be assigned to a user object
coming from LDAP. zope has no clue what permissions these roles might have,
that's why you need to manually create the role and give it the desired
permissions.

you do not need to assign any user to any LDAP group because the user will
have roles corresponding to LDAP group names when the user object gets
instantiated. so the "connection" between user and role is handled by LDAP
itself, provided you configured your LDAPUserFolder correctly. you just
need to make sure what you want zope itself to do when it encounters those
role names on the user object. that does not mean you must create a role in
zope for all groups an LDAP user is in, just those that you are interested
in.

jens

On Tuesday, April 2, 2002, at 08:20 , Mitch Pirtle wrote:

> On Tue, 2002-04-02 at 14:46, Jens Vagelpohl wrote:
>>
>> in order to use a role that a user has because his record is in a certain
>> group in LDAP (first of all, look at the user object to make sure the role
>> is actually assigned!) you need to create a role of the same name in zope
>> using the Security tab in a folder or at the root. then you can assign all
>> the permissions you want to this role, also on the Security tab. the user
>> that has this special role from LDAP will then have those permissions in
>> that location and "below".
>
> This is not a complaint, but I gotta grok this before I spend any more
> time thinking about Zope and LDAP:
>
> 1) You create the LDAP schema (including groups and roles)
> 2) Populate slapd with entries
> 3) Point LDAPUserFolder to slapd
> 4) Manually recreate all groups in Zope
> 5) Manually reassign all users to groups in Zope
>
> Ouch.  You know, with 11,000 users that's gonna hurt.  -;^>=
>
> Is anybody working on this? Jens? Bueller?
>
> --
>
> Mitch Pirtle
> Corporate Security Officer
> Kühne & Nagel Management AG
> Tel: +41 1 786 96 45
> Fax: +41 1 786 95 95
>
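As an added example, not code from this thread or from LDAPUserFolder: a small Python model of the arrangement Jens describes. Role names are derived from the user's LDAP group DNs (assumption: the group's `cn` becomes the role name, which is how the thread describes the mapping), a role only confers anything once it has been defined in Zope at a folder or the root and granted permissions on the Security tab, and a permission granted at one location applies there and "below". The folder chain, the `define_role`/`grant` helpers and the users and DNs are constructed for the example; real Zope acquisition of permission settings is more configurable than this simplified walk up the parent chain.

```python
"""Constructed model of Zope roles that arrive on a user from LDAP groups.
Not LDAPUserFolder code; the folder/permission model is simplified."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional, Set


def roles_from_group_dns(group_dns: List[str]) -> FrozenSet[str]:
    """Turn LDAP group DNs into role names the way the thread describes:
    the group's cn becomes the role name (assumption: first RDN is cn=...)."""
    roles = set()
    for dn in group_dns:
        first_rdn = dn.split(",", 1)[0].strip()
        attr, _, value = first_rdn.partition("=")
        if attr.lower() == "cn" and value:
            roles.add(value)
    return frozenset(roles)


@dataclass
class LdapUser:
    name: str
    roles: FrozenSet[str]  # filled from group membership at instantiation


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    defined_roles: Set[str] = field(default_factory=set)        # step 4
    role_permissions: Dict[str, Set[str]] = field(default_factory=dict)

    def chain(self) -> Iterator["Folder"]:
        """This folder, then each ancestor up to the root."""
        node: Optional[Folder] = self
        while node is not None:
            yield node
            node = node.parent

    def known_roles(self) -> Set[str]:
        """Roles defined here or anywhere above (Security tab 'Roles')."""
        roles: Set[str] = set()
        for node in self.chain():
            roles |= node.defined_roles
        return roles

    def define_role(self, role: str) -> None:
        self.defined_roles.add(role)

    def grant(self, role: str, permission: str) -> None:
        """Grant a permission to a role at this location; the role must exist."""
        if role not in self.known_roles():
            raise ValueError(f"role {role!r} is not defined here or above")
        self.role_permissions.setdefault(role, set()).add(permission)


def has_permission(user: LdapUser, folder: Folder, permission: str) -> bool:
    """A user holds a permission at a folder if one of their roles that Zope
    actually knows about was granted it at that folder or any ancestor.
    Role names Zope has never been told about confer nothing."""
    effective = user.roles & folder.known_roles()
    for node in folder.chain():
        for role in effective:
            if permission in node.role_permissions.get(role, set()):
                return True
    return False


def demo() -> Dict[str, bool]:
    root = Folder("root")
    docs = Folder("docs", parent=root)
    root.define_role("Editors")              # the only LDAP group we care about
    root.grant("Editors", "View")
    docs.grant("Editors", "Add Documents")   # applies in docs and below only

    # Constructed users: both are in an LDAP group 'Payroll' that has no Zope role.
    alice = LdapUser("alice", roles_from_group_dns([
        "cn=Editors,ou=groups,dc=example,dc=com",
        "cn=Payroll,ou=groups,dc=example,dc=com",
    ]))
    bob = LdapUser("bob", roles_from_group_dns([
        "cn=Payroll,ou=groups,dc=example,dc=com",
    ]))
    return {
        "alice_can_add_in_docs": has_permission(alice, docs, "Add Documents"),
        "alice_can_add_at_root": has_permission(alice, root, "Add Documents"),
        "alice_can_view_in_docs": has_permission(alice, docs, "View"),
        "bob_can_view_in_docs": has_permission(bob, docs, "View"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the model makes concrete is the one in Jens' reply: Bob's `Payroll` role is on his user object, but because nobody created that role in Zope it grants nothing, whereas Alice's `Editors` role works at `docs` and below once it is defined at the root and given permissions.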