[Zope] Aquisition, UserFolder and security

Jonathan dev101 at magma.ca
Tue Sep 27 07:45:33 EDT 2005


Could you create a central user folder (in root) and then create an external 
method which queries all of the LDAP branches and returns the appropriate 
local roles to the central user folder when the user logs in?  This way you 
get a central user folder and can keep all your existing LDAP branches.

Just a thought.

Jonathan


----- Original Message ----- 
From: "bruno modulix" <bruno at modulix.org>
To: "Julien Anguenot" <ja at nuxeo.com>
Cc: <zope at zope.org>
Sent: Tuesday, September 27, 2005 7:23 AM
Subject: Re: [Zope] Aquisition, UserFolder and security


> Julien Anguenot wrote:
>> Hi Bruno,
>
> Hi Julien,
>
>> If you're using a central LDAP for all the instances you can restrict
>> the access from the different instances using either
>> LDAPUserGroupsFolder or CPSUserFolder.
>>
>> Discrimination is done by LDAP branches (users or groups). If you can't
>> control the LDAP and thus the way the branches are designed, for
>> whatever reasons, then you can use CPSUserFolder and set the
>> discrimination on the UF within each instance by setting custom CPS
>> directories (which is what CPSUserFolder uses as proxy for
>> authentication sources).
>>
>> To sum up it's a matter of configuration.
>
> I'm afraid there's more to it than just a matter of configuration, cf
> below...
>
>> We'll be glad to discuss your use case on cps-users list.
>
> I've spent quite some time investigating the
> CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories...
> solution, and the final word (from Olivier Grisel, cf the cps-users ml)
> was that some code concerning roles and groups management was not yet
> fully implemented, so the whole thing couldn't work without patching and
> merging parts of CPSDirectories - which was a definitive no-no for us.
>
> I don't know if this has been fixed in 3.3.6, but anyway, this part of
> our project is supposed to be already working (and mostly does, except
> for this security problem), and we can't afford to come back on it, as
> it would delay delivery by at least one week - which is also not an
> option. But thanks anyway...
>
> -- 
> Bruno Desthuilliers
> Développeur
> bruno at modulix.org