[Zope] [HELP] Zope local roles and LDAP Groups

Jens Vagelpohl jens@zope.com
Tue, 2 Apr 2002 09:02:23 -0500


by the way, if the main body of your user records is not in any LDAP group
or you don't have any suitable group in LDAP to signify something like
"yes, this is a user who can access website XYZ" or "this is an employee"
then you can use the "Default user roles" setting on the Properties tab to
define a comma-separated list of roles that is assigned to any
*successfully authenticated* user.

jens


On Tuesday, April 2, 2002, at 08:39 , Mitch Pirtle wrote:

> On Tue, 2002-04-02 at 15:37, Jens Vagelpohl wrote:
>> you need to follow your steps 1, 2, 3 and 4, but not 5.
>>
>> steps 1-3 are self-explanatory. step 4 is needed because zope has no idea
>> what all these role names mean that might be assigned to a user object
>> coming from LDAP. zope has no clue what permissions these roles might
>> have, that's why you need to manually create the role and give it the
>> desired permissions.
>>
>> you do not need to assign any user to any LDAP group because the user will
>> have roles corresponding to LDAP group names when the user object gets
>> instantiated. so the "connection" between user and role is handled by LDAP
>> itself, provided you configured your LDAPUserFolder correctly.
>
> Whoah there, now you're asking for too much -;^>=
>
> So basically I recreate (within Zope) any LDAP groups that I want to
> use, but the assignment of users to those groups will still be driven
> through LDAP.  I feel much better now...
>
> Thanks for the quick answer, I was just working on an LDIF export.  Talk
> about timeliness!
>
> --
>
> Mitch Pirtle
> Corporate Security Officer
> Kühne & Nagel Management AG
> Tel: +41 1 786 96 45
> Fax: +41 1 786 95 95
>
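
The role mapping discussed in this thread, as an added example that is not part of the original messages and is not LDAPUserFolder's own code: a simplified Python model that assumes the "Default user roles" are added to the LDAP group names of an authenticated user. The function names and the sample groups, roles and permissions are constructed for illustration.

```python
# Simplified model (assumption): this is NOT LDAPUserFolder's code or API.
# It shows why a role must also be created in Zope (step 4 in the thread)
# and why "Default user roles" should stay minimal.


def effective_roles(ldap_groups, default_roles, authenticated):
    """Roles on the user object: LDAP group names plus the default roles.

    default_roles is the comma-separated string from the Properties tab.
    An unauthenticated user gets nothing.
    """
    if not authenticated:
        return set()
    defaults = {r.strip() for r in default_roles.split(",") if r.strip()}
    return set(ldap_groups) | defaults


def audit(roles, zope_role_permissions):
    """Return (permissions granted, roles Zope has no definition for).

    A role name coming from LDAP grants nothing until a role with the same
    name exists in Zope and has permissions assigned to it.
    """
    permissions, undefined = set(), set()
    for role in roles:
        if role in zope_role_permissions:
            permissions |= set(zope_role_permissions[role])
        else:
            undefined.add(role)
    return permissions, undefined


# Constructed sample data: roles created by hand in Zope and their permissions.
ZOPE_ROLES = {
    "Employee": ["View"],
    "webmasters": ["View", "Manage properties"],
}

if __name__ == "__main__":
    # Constructed user: member of two LDAP groups, one with no Zope role.
    roles = effective_roles(["webmasters", "printer-admins"], "Employee", True)
    perms, undefined = audit(roles, ZOPE_ROLES)
    print("roles:      ", sorted(roles))
    print("permissions:", sorted(perms))
    print("LDAP groups with no Zope role (grant nothing):", sorted(undefined))
```

Every role listed in "Default user roles" reaches every account that can bind successfully, so the permissions behind those roles are the baseline for the whole directory.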