Olivier Grisel <[EMAIL PROTECTED]> writes:

> 
> jacques.champliaud a écrit :
> > Olivier Grisel <ogrisel <at> ...> writes:
> > 
> >> Fabrice Robin a écrit :
> >>
> >>>     Hi,
> >>>
> >>>     You will find in attachment my LDAP setup for members and groups.
> >>>     These are the settings for an openldap directory with the use of
> >>>     samba and posix schemas.
> >>>
> >>>     With these settings, the CPS groups are the system groups used on
> >>>     the network.
> >>>     Any group created through CPS is created in the ZODB (groups_zodb).
> >> Thanks, I have opened a ticket to add such a configuration option in
> >> CPSLDAPSetup:
> >> http://svn.nuxeo.org/trac/pub/ticket/1648
> >>
> >> Don't have time to do it now, though.
> > 
> > I have tried to make CPSLDAPSetup work, my schemas are derived partly from
> > the bbs-one's schemas (which I cannot import, at least easily, due to a
> > problem with a <property name="schemas"/> line in some schemas)
> 
> You will need CPS trunk or CPS 3.4.1 (that should get released by the end of
> the week) to have proper multi schema support for the directories.
> 
> > In my schemas, objectClass for groups is groupOfUniqueNames
> > 
> > Three levels of directories for groups: Meta, stack and ldap
> > Ok, it is almost working well:
> > I get the correct group name list with security/Manage Local Roles
> > 
> > but ...
> > 1) when the mapping in the metadirectory called groups is set to:
> > id in groups_stack : uniqueMember <==>  id in groups : members
> > then the members list is correctly displayed in CPS directories view but
> > a user being member of a group with correct rights on a workspace
> > can't view this workspace
> > 
> > 2) when the mapping is set to:
> > id in groups_stack : uniqueMember <==>  id in groups : dummy
> > then the members list can't be retrieved (CPS complains about a
> > missing members key) but a user being member of a group with
> > correct rights on a workspace can view it
> > 
> > Any idea to make this work correctly?
> 
> See later.
> 
> > I had to copy/paste the groups directory to mycompanygroups 
> > and set the mapping to:
> > id in groups_stack : uniqueMember <==>  id in mycompanygroups : members
> > 
> > This way everything works but the groups membership list.
> > 
> > names of members in the mycompanygroups's view are correctly displayed
> > thanks to an external python script called from
> > portal_schemas/groups_ldap/f__uniqueMember  Read
> > expression: python:portal.members_list(uniqueMember)
> > members_list being a function accepting a list type argument in the form
> > ['uid=fname1.name1,ou=people,dc=mycomp,dc=fr',
> > 'uid=fname2.name2,ou=people,dc=mycomp,dc=fr']
> > and returning a list in the form
> > ['fname1.name1','fname2.name2']
> 
> Beware that read_process_expr is not computed in search mode (searchEntries
> API). That might be related to your problem of having the members of a
> group get the right local roles.
> 


Ok, so I completely removed the field uniqueMember from the
portal_schemas/groups_ldap object. A user being member of a group with
correct rights on a workspace can *still* view this workspace.
This means that CPS can retrieve the membership of a user without
using the groups portal_directories... and as the ldap entry
of a user doesn't list the groups he belongs to...
I suspect this is due to the python expression:
python:util.dirCrossGetList('groups', 'members', data.get('uid'))
in the Read: expression of portal_schemas/members_ldap/f__cpsGroups

Am I correct?

But even this way, as the members of a group are listed in the
uniqueMember fields of the ldap groups schema, where is the uniqueMember field
mentioned in CPS?
And how can I use it to limit the groups a member can list?
(The Entry Local Roles GroupMember expression python:entry_id in
getUserEntry().get('groups', []) doesn't work.)
Thanks
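As an added illustration (not code from the thread, from CPS or from CPSLDAPSetup), here is a stand-alone Python version of the two lookups discussed above: the members_list helper that turns a uniqueMember DN list into uids, and a reverse uid-to-groups lookup of the kind the message attributes to util.dirCrossGetList. The group entries are constructed sample data, and the DN handling (unescaped-comma split, case-insensitive attribute name, surrounding whitespace) is an assumption about what a robust helper should tolerate; a mismatch in any of these is exactly the kind of thing that makes one directory view show the members while the local-roles check silently fails.

```python
import re

# Constructed sample group entries (not from the thread): objectClass
# groupOfUniqueNames, members listed as full DNs in uniqueMember.
GROUP_ENTRIES = {
    "cn=devs,ou=groups,dc=mycomp,dc=fr": {
        "cn": "devs",
        "uniqueMember": [
            "uid=fname1.name1,ou=people,dc=mycomp,dc=fr",
            # case and spacing variants a real directory may hand back
            "UID=fname2.name2, ou=people, dc=mycomp, dc=fr",
        ],
    },
    "cn=sales,ou=groups,dc=mycomp,dc=fr": {
        "cn": "sales",
        "uniqueMember": ["uid=fname2.name2,ou=people,dc=mycomp,dc=fr"],
    },
}

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_to_uid(dn):
    """Return the uid value of a DN whose first RDN is uid=..., else None."""
    first_rdn = _RDN_SPLIT.split(dn, 1)[0].strip()
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().lower() != "uid":
        return None
    # Unescape the one escape sequence the constructed data can contain.
    return value.strip().replace("\\,", ",")


def members_list(unique_members):
    """DN list -> uid list, as the thread's Read expression does.

    DNs that do not start with a uid RDN are dropped rather than guessed.
    """
    return [uid for uid in (dn_to_uid(dn) for dn in unique_members) if uid]


def groups_for_uid(uid, entries=GROUP_ENTRIES):
    """Reverse lookup: ids of the groups whose member list contains uid.

    This is the cross-directory lookup rebuilt from the group entries
    themselves, so it works even when a user entry carries no group list.
    """
    return sorted(g["cn"] for g in entries.values()
                  if uid in members_list(g.get("uniqueMember", [])))
```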

_______________________________________________
cps-devel mailing list
http://lists.nuxeo.com/mailman/listinfo/cps-devel
