[Zope] Acquisition, UserFolder and security

bruno modulix bruno at modulix.org
Tue Sep 27 07:36:26 EDT 2005


Jens Vagelpohl wrote:
> 
> On 27 Sep 2005, at 11:17, bruno modulix wrote:
> 
>>> A normal pattern to use here would be to have one central user folder
>>> (e.g. at the root) and work with local roles in the sub-portals instead
>>> of having several user folders.
>>>
>>
>> I know, but I don't think it will be possible here (this is a euphemism).
>> The UserFolder is an LDAPUserGroupsFolder, user data are stored in an
>> LDAP directory, with one branch for each CPS instance, and some user
>> data and schema varying from one branch to another. We don't have the
>> possibility to change this (it's part of a bigger system), and we don't
>> have the time to rewrite a custom LDAPUserFolder that could accommodate
>> this LDAP schema (this project was already very late when we took it on
>> and we have a *very* tight deadline - I hate this situation, but I have
>> to deal with it...). Any robust solution, as hackish as it may be, will
>> be just fine, as long as we deliver on time.
> 
> 
> No idea what "LDAPUserGroupsFolder" is or what it does, 

It's a modified LDAPUserFolder that supports CPS/CMF groups.

> but for the
> standard LDAPUserFolder product you would instantiate an
> LDAPUserSatellite object in the subportals that would be configured to
> look up LDAP groups in specific DIT branches and convert them to user
> roles. The "central" user folder would not hand out any roles itself,
> it's only for authentication purposes in this setup.

Yes, but the problem here is that parts of the *users* schema and data
will vary according to the CPM - it's not just a matter of roles and
perms - would have been too simple :-/

Once again, I'm well aware that some architectural choices here are less
than optimal, but there are strong constraints, very tight deadline, and
we just don't have time to make it right - in fact barely enough time to
make it work at first.

God knows I don't like working that way, but still, I have to deal with
it :(

-- 
Bruno Desthuilliers
Développeur
bruno at modulix.org

