[Zope] LDAPUserFolder
Dirk Datzert
dirk.datzert@rasselstein-hoesch.de
Sun, 12 May 2002 22:59:22 +0200
Hi Jens,
I thought today about group to role mapping and the zope roles
Anonymous and Authenticated.
Am I right that Authenticated will be assigned if a user successfully
validates against the LDAP server?
Do you think it is possible in LDAPUserFolder / LDAPRoleTwiddler to
assign Authenticated only if a user is a member of a special LDAP group?
I came upon this point while developing our intranet with EasyPublisher,
which has the 4 standard Zope roles + 2 roles for workflow and content
management:
Anonymous, Authenticated, Manager, Owner + Author & Reviewer
If I want to restrict visitors on a special folder to view only public
material this will be done via standard zope mechanism.
If I want to allow a special group of authenticated users to access
non public material I have a problem:
I want to use standard zope mechanism (like skip_unauthorized).
Authenticated users will get the role Authenticated.
I can't differentiate between Authenticated users who have the rights
to access the material and Authenticated users who aren't allowed
to view the material.
One way out would be the definition of a new role, name it 'Viewer'.
But then I have to program special role behaviour like
<dtml-if "AUTHENTICATED_USER.has_role('Viewer')">
...
</dtml-if>
If I could use the skip_unauthorized feature this would be more general.
A possibility to say in LDAPRoleTwiddler something like:
If not member of LDAP-group x then not role y.
Can you give me your point of view?
Regards,
Dirk