[Zope] LDAPUserSatellite - Misunderstood usage?

Chris Connett chrisconnett at gmail.com
Fri Oct 1 19:52:50 EDT 2004


On Fri, 1 Oct 2004 23:06:24 +0100, Jens Vagelpohl <jens at dataflake.org> wrote:
> >  When I map
> > a group to a role in the LDAPUserFolder itself, the users in the group
> > get that role for the whole site.  My understanding from the docs I
> > have found is that if I create a satellite in a subfolder, then I can
> > map groups to roles there, and then those mappings will be in effect
> > for that subfolder.  This does not seem to be working.
> >
> > Does anyone know what I might be doing wrong, or where my
> > understanding might be flawed?
> 
> The LDAPUserSatellite augments roles. This is done either by mapping
> roles that already exist on the user to new roles, or by looking up
> additional group memberships (which are translated to roles) in an LDAP
> tree branch you specify in its configuration.
> 
> jens

OK, what I have are locally stored groups.  If these are mapped to
roles *in the LDAPUserFolder*, then the users in those groups indeed
gain those roles, but then as I would expect, those mappings apply to
the whole site, which is a security hole.  But if I enter the mapping
in an LDAPUserSatellite in a subfolder, the users do not gain the
roles.  The docs say the mappings augment roles in the context of the
satellite.  What exactly is that context?

Is there a certain ``id`` that the satellite must have in order to be effective?
Right now, with logging on 9, nothing shows up in the log besides the
two lines at the end of this message, as if the satellite is being
bypassed entirely when authentication happens.

Or is there a certain structure that I am not following, i.e. the
satellite is sitting inside the actual folders for which I want to
give augmented roles.  Is this the proper setup?

------Log------
(3) Oct 01 19:40:45: Re-initialized through __setstate__
(0) Oct 01 19:40:45: Log buffer cleared
------End Log------
-- 
Chris Connett

