I had a similar problem, but not in an LDAP instance. My Zope root user was 'aaaa' and had created Plone content. The byline displayed 'aaaaxxxx' based on another Plone user. When I removed this user, I saw 'aaaayy,' yet another Plone user. I concluded that I should not be creating content as a Zope root user.
In your case, (Zope) admin is a substring of (Plone) ADTadmin, so this may be the same issue.

Dan

Gregory Hnatiuk wrote:
>
> Hello,
>
> I've run into an issue using PloneLDAP with Plone 2.5.4 that's
> leaving me scratching my head. I was hoping someone might be able to
> direct me to a solution or at least maybe an explanation. It could
> very easily be a problem with our configuration and setup, or a
> limitation of PAS, but I'm really at a loss.
>
> It appears that the PloneLDAP ActiveDirectory PAS plugin is
> (rather wildly) squashing zope users from an enumeration standpoint,
> specifically when it comes to the display logic for local roles on the
> Sharing tab of any plone content.
>
> We have a zope administrator called 'admin' who happens to own a
> number of objects in our Plone site. We have an Active Directory user
> called 'ADTadmin' (whom we unfortunately don't have any control over).
> In Plone2.5 with PloneLDAP installed we activate the AD PAS plugin
> for User_Enumeration (among others, but this seems to be the problem
> factor). Then, on the sharing tab of an object that has 'admin' as a
> local Owner, the Current Sharing permissions section of the page
> displays 'ADTadmin' rather than the zope admin user.
>
> I traced this from the template back to the computeRoleMap
> plone_script to the PlonePAS _getLocalRolesForDisplay method. This
> uses the get_local_roles method to correctly get the local roles for
> the object (and in our case, correctly contains 'admin'), but then
> when trying to get a UserName and Id for that user, is returning a
> user from a wildcard LDAP lookup on the string 'admin' rather than
> finding the exact match zope user, resulting in a UserName of
> 'ADTadmin'. This is happening precisely at the self.getUser(username)
> call in the _getLocalRolesDisplay of pas.py.
>
> Unfortunately, I'm not familiar enough with the inner workings of PAS
> to have figured out how this getUser call ends up calling the
> PloneLDAPActiveDirectoryMultiPlugin enumerateUsers method. It looks
> like if somewhere in there an 'exact_match' could be specified, it
> would take care of the issue. Changing the default of exact_match
> from enumerateUsers fixes that problem, but of course introduces
> others like not being able to search by partial usernames.
>
> Is this something anyone is aware of? I wasn't able to find any
> documentation on this specific problem. If so, are you aware of any
> fixes short of changing user ids?
>
> I've thought of one possible solution, but it's based on an assumption
> that I haven't yet confirmed. It appears that when trying to find
> users, Plone first checks through all PlonePAS plugins that provide
> IUserEnumerationPlugin and only checks zope users when no plugins
> return results. This doesn't happen if you have a wildcard match
> found by LDAPMultiPlugins. Might I solve the problem if I created a
> PlonePAS plugin that provided IUserEnumeration which returned zope
> users? If I set that plugin as a higher priority than my ADPlugin for
> user enumeration in PAS, it might return my zope user before Active
> Directory wildcard matched to 'ADTadmin'. Would that be a Very Bad
> Idea?
>
>
> Thanks,
>
> Gregory Hnatiuk
> PCGCampbell
>
> _______________________________________________
> Setup mailing list
> [email protected]
> http://lists.plone.org/mailman/listinfo/setup

--
View this message in context: http://www.nabble.com/PlonePAS-and-LDAP-tf4752700s15482.html#a13633307
Sent from the Installation, Setup, Upgrades mailing list archive at Nabble.com.
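The mismatch discussed in this thread, reduced to a stand-alone Python sketch. This is an added example, not code from PlonePAS or PloneLDAP: the class and helper names are hypothetical, and only the `enumerateUsers(id=..., exact_match=...)` keywords follow the PAS user-enumeration interface. It contrasts first-hit resolution over a substring-matching plugin with an exact-match lookup used for id resolution, while interactive search stays partial.

```python
# Added illustration; class and function names are hypothetical, not PloneLDAP code.
# enumerateUsers mirrors the keyword arguments of PAS's IUserEnumerationPlugin.

class DirectoryEnumerator:
    """Stand-in for an enumeration plugin: substring match unless exact_match."""

    def __init__(self, user_ids):
        self.user_ids = list(user_ids)

    def enumerateUsers(self, id=None, exact_match=False, **kw):
        if id is None:
            hits = self.user_ids
        elif exact_match:
            hits = [u for u in self.user_ids if u == id]
        else:
            hits = [u for u in self.user_ids if id.lower() in u.lower()]
        return tuple({"id": u, "login": u} for u in hits)


def resolve_first_hit(plugins, principal_id):
    """Behaviour reported in the thread: take the first enumeration result."""
    for plugin in plugins:
        for info in plugin.enumerateUsers(id=principal_id):
            return info["id"]
    return None


def resolve_exact(plugins, principal_id):
    """Id resolution for role display: exact match only, and re-check the
    returned id in case a plugin ignores the exact_match keyword."""
    for plugin in plugins:
        for info in plugin.enumerateUsers(id=principal_id, exact_match=True):
            if info["id"] == principal_id:
                return info["id"]
    return None


def search_users(plugins, fragment):
    """Interactive user search keeps substring matching."""
    return [i["id"] for p in plugins for i in p.enumerateUsers(id=fragment)]


# Constructed sample data using the ids mentioned in the thread.
active_directory = DirectoryEnumerator(["ADTadmin", "jsmith"])
zope_users = DirectoryEnumerator(["admin"])
plugins = [active_directory, zope_users]  # directory plugin consulted first

if __name__ == "__main__":
    print(resolve_first_hit(plugins, "admin"))
    print(resolve_exact(plugins, "admin"))
    print(search_users(plugins, "adm"))
```
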
