[Zope] LDAPUserSatellite - Misunderstood usage?

Jens Vagelpohl jens at dataflake.org
Sat Oct 2 14:18:37 EDT 2004


> OK, what I have are locally stored groups.  If these are mapped to
> roles *in the LDAPUserFolder*, then the users in those groups indeed
> gain those roles, but then as I would expect, those mappings apply to
> the whole site, which is a security hole.  But if I enter the mapping
> in an LDAPUserSatellite in a subfolder, the users do not gain the
> roles.  The docs say the mappings augment roles in the context of the
> satellite.  What exactly is that context?

The context is the enclosing folder and folders "underneath".


> Is there a certain ``id`` that the satellite must have in order to be 
> effective?
> Right now, with logging on 9, nothing shows up in the log besides the
> two lines at the end of this message, as if the satellite is being
> bypassed entirely when authentication happens.
>
> Or is there a certain structure that I am not following, i.e. the
> satellite is sitting inside the actual folders for which I want to
> give augmented roles.  Is this the proper setup?

Yes, this is the proper setup. It is important to note that the 
LDAPUserSatellite only works in conjunction with an LDAPUserFolder; the 
link here is the kind of user object emitted by the LDAPUserFolder. 
Only a user object of class LDAPUser has a specialized "allowed" method 
that tries to find and use LDAPUserSatellite objects to augment its 
roles on a per-request basis.

jens
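
An added illustration, not part of the original message and not LDAPUserFolder's code: a simplified Python model of the scoping described in the reply, where a satellite's group-to-role mappings apply only at or beneath its enclosing folder and only a satellite-aware user object consults them. All class, method, group and folder names are hypothetical, and combining the mappings of every satellite found in enclosing folders is an assumption of the model.

```python
# Simplified model of the scoping described above; NOT LDAPUserFolder code.
# All class, method, group and folder names are hypothetical stand-ins.

class Folder:
    def __init__(self, name, parent=None, satellite=None):
        self.name, self.parent, self.satellite = name, parent, satellite

    def chain(self):
        """Yield this folder, then each enclosing folder up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class Satellite:
    """Group-to-role mappings that apply only at or below its folder."""
    def __init__(self, group_to_roles):
        self.group_to_roles = group_to_roles

    def extra_roles(self, groups):
        return {r for g in groups for r in self.group_to_roles.get(g, ())}


class PlainUser:
    """Stand-in for a user object that knows nothing about satellites."""
    def __init__(self, roles, groups=()):
        self.roles, self.groups = set(roles), set(groups)

    def roles_in(self, folder):
        return set(self.roles)

    def allowed(self, folder, required_roles):
        return bool(self.roles_in(folder) & set(required_roles))


class LdapUser(PlainUser):
    """Stand-in for the satellite-aware user: roles computed per request."""
    def roles_in(self, folder):
        roles = set(self.roles)
        for node in folder.chain():  # assumption: every enclosing satellite counts
            if node.satellite is not None:
                roles |= node.satellite.extra_roles(self.groups)
        return roles


# Constructed sample site: only "intranet" carries a satellite.
root = Folder("root")
intranet = Folder("intranet", root, Satellite({"staff": ["Editor"]}))
reports = Folder("reports", intranet)
public = Folder("public", root)
```

In this model a `staff` member gains `Editor` in `intranet` and `reports` but not in `root` or `public`, and a `PlainUser` with the same group never gains it, which matches the symptom of the satellite appearing to be bypassed.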


