[Zope-CMF] CMF LDAP use and local role requires FIRST authent ication ?

Jens Vagelpohl jens@zope.com
Thu, 11 Apr 2002 14:16:14 -0400

micro$haft "active directory" is not really supported by the 
LDAPUserFolder. if it works for people - great. but due to the fact that i 
don't use any windoze server software or have any way to test against it i 
cannot accept bug reports where "active directory" is in use.

one of the reasons i don't really make any effort to work with it is the 
notorious lack of adherence to standards that most server software from M$ 
shows. it would be way too much effort (keep in mind that it's all done in 
my spare time) to program around every special and quirky behavior AD 
might show now or in the future.


On Thursday, April 11, 2002, at 01:08 , larry_prikockis@natureserve.org 

> I'm not sure what type of LDAP server you're authenticating against, but
> I've basically had the same behavior using a Windows Active Directory
> server.  Of course, I've been accessing the LDAP (actually AD via LDAP)
> server strictly in a read-only manner.  It seems that if you had 
> permissions
> to write to the LDAP directory, you ought to be able to assign roles, etc.
> An alternative that I've used is to make use of whatever groups are 
> already
> on the LDAP server (this makes a lot of sense for my setup since we 
> already
> have an elaborate Active Directory group structure).  Then, you can map
> particular local roles to pre-existing groups on the LDAP server, and 
> users
> belonging to those groups will be granted the appropriate roles when they
> log in.
> All that said, I've had various types of quirky authentication behavor 
> using
> the latest CMF, CMFLDAP etc, with an apache vhost front end.  But that's
> really a whole separate discussion %-)