Could you create a central user folder (in root) and then create an external method which queries all of the LDAP branches and returns the appropriate local roles to the central user folder when the user logs in? This way you get a central user folder and can keep all your existing LDAP branches.

Just a thought.


----- Original Message ----- From: "bruno modulix" <[EMAIL PROTECTED]>
To: "Julien Anguenot" <[EMAIL PROTECTED]>
Cc: <>
Sent: Tuesday, September 27, 2005 7:23 AM
Subject: Re: [Zope] Aquisition, UserFolder and security

Julien Anguenot wrote:
Hi Bruno,

Hi Julien,

If you're using a central LDAP for all the instances you can restrict
the access from the different instances using either
LDAPUserGroupsFolder or CPSUserFolder.

Discrimination are done by LDAP branches (users or groups). If you can't
control the LDAP and thus the way the branches are designed, for
whatever reasons, then you can use CPSUserFolder and set the
discrimination on the UF within each instance by setting custom CPS
directories (which is what CPSUserFolder uses as proxy for
authentication sources).

To sum up it's a matter of configuration.

I'm afraid there's more to it than just a matter of configuration, cf

We'll be glad to discuss your use case on cps-users list.

I've spent quite some time investigating the
solution, and the final word (from Olivier Grisel, cf the cps-users ml)
was that some code concerning roles and groups management was not yet
fully implemented, so the whole thing couldn't work without patching and
merging parts of CPSDirectories - which was a definitive no-no for us.

I don't know if this has been fixed in 3.3.6, but anyway, this part of
our project is supposed to be already working (and mostly does, except
for this security problem), and we can't afford to come back on it, as
it would delay delivery by at least one week - which is also not an
option. But thanks anyway...

Bruno Desthuilliers
Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to