bruno modulix wrote:
> Julien Anguenot wrote:
>
>>Hi Bruno,
>
> Hi Julien,
>
>>If you're using a central LDAP for all the instances you can restrict
>>the access from the different instances using either
>>LDAPUserGroupsFolder or CPSUserFolder.
>>
>>Discrimination is done by LDAP branches (users or groups). If you can't
>>control the LDAP and thus the way the branches are designed, for
>>whatever reasons, then you can use CPSUserFolder and set the
>>discrimination on the UF within each instance by setting custom CPS
>>directories (which is what CPSUserFolder uses as proxy for
>>authentication sources).
>>
>>To sum up it's a matter of configuration.
>
> I'm afraid there's more to it than just a matter of configuration, cf
> below...
>

I confirm. For having done the intranet of the Senegal government
(almost 35 CPS (one instance for each ministry) on the same Zope within
a ZEO env linked on a central LDAP with different branches for users and
groups per ministry) using CPS, I have sort of an idea what you're
trying to do here.

>>We'll be glad to discuss your use case on cps-users list.
>
> I've spent quite some time investigating the
> CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories...
> solution, and the final word (from Olivier Grisel, cf the cps-users ml)
> was that some code concerning roles and groups management was not yet
> fully implemented, so the whole thing couldn't work without patching and
> merging parts of CPSDirectories - which was a definitive no-no for us.

I assume you're talking about roles and groups compute schema fields
here on directories. This is a TALES expression linking the directories.
The code can be wherever you wanna, even within the TALES expression if
you feel like... That's probably what Olivier tried to say. Still I
didn't follow the discussion at this time.

Let me add that CPSUserFolder works and is in production for a while now
in several projects. So be sure it's stable.

> I don't know if this has been fixed in 3.3.6, but anyway, this part of
> our project is supposed to be already working (and mostly does, except
> for this security problem), and we can't afford to come back on it, as
> it would delay delivery by at least one week - which is also not an
> option. But thanks anyway...
>

Then, you might have a design flaw... You didn't reply to my question in
the first place: are you controlling the LDAP (rw)? Are the schemas
describing your users different between the CPS instances? etc...

CPSUserFolder has been designed to tackle such a use case. (Not only
this use case but this one has been a reason of the existence of this
product.)

Of course, looking for a hack to deliver your project can always be a
solution ;)

Cheers,

J.

-- 
Julien Anguenot | Nuxeo R&D (Paris, France)
CPS Platform : http://www.cps-project.org
Zope3 / ECM : http://www.z3lab.org
mail: anguenot at nuxeo.com; tel: +33 (0) 6 72 57 57 66