[Zope] LDAPUserSatellite - Misunderstood usage?
Jens Vagelpohl
jens at dataflake.org
Sat Oct 2 14:18:37 EDT 2004
> OK, what I have are locally stored groups. If these are mapped to
> roles *in the LDAPUserFolder*, then the users in those groups indeed
> gain those roles, but then as I would expect, those mappings apply to
> the whole site, which is a security hole. But if I enter the mapping
> in an LDAPUserSatellite in a subfolder, the users do not gain the
> roles. The docs say the mappings augment roles in the context of the
> satellite. What exactly is that context?

The context is the enclosing folder and folders "underneath".

> Is there a certain ``id`` that the satellite must have in order to be
> effective?
> Right now, with logging on 9, nothing shows up in the log besides the
> two lines at the end of this message, as if the satellite is being
> bypassed entirely when authentication happens.
>
> Or is there a certain structure that I am not following, i.e. the
> satellite is sitting inside the actual folders for which I want to
> give augmented roles. Is this the proper setup?

Yes, this is the proper setup. It is important to note that the
LDAPUserSatellite only works in conjunction with an LDAPUserFolder; the
link here is the kind of user object emitted by the LDAPUserFolder.
Only a user object of class LDAPUser has a specialized "allowed" method
that tries to find and use LDAPUserSatellite objects to augment its
roles on a per-request basis.

jens