Re: CPS3.4 + LDAP
<jacques.champliaud>
2006-05-17 19:52:58 GMT
Olivier Grisel <ogrisel@...> writes:
> jacques.champliaud a écrit :
> > Olivier Grisel <ogrisel <at> ...> writes:
> >> Fabrice Robin a écrit :
> >>> Hi,
> >>>
> >>> You will find in attachment my LDAP setup for members and groups.
> >>> These are the settings for an openldap directory with the use of
> >>> samba and posix schemas.
> >>>
> >>> With these settings, the CPS groups are the system groups used on
> >>> the network.
> >>> Any group created through CPS is created in the ZODB (groups_zodb).
> >>
> >> Thanks, I have opened a ticket to add such a configuration option in
> >> CPSLDAPSetup:
> >> http://svn.nuxeo.org/trac/pub/ticket/1648
> >>
> >> Don't have time to do it now, though.
> >
> > I have tried to make CPSLDAPSetup work; my schemas are derived partly from the
> > bbs-one's schemas (which I cannot import, at least easily, due to a problem
> > with a <property name="schemas"/> line in some schemas).
>
> You will need CPS trunk or CPS 3.4.1 (that should get released by the end of the
> week) to have proper multi schema support for the directories.
>
> > In my schemas, objectClass for groups is groupOfUniqueNames.
> >
> > Three levels of directories for groups: Meta, stack and ldap.
> > Ok, it is almost working well:
> > I get the correct groups name list with security/Manage Local Roles
> >
> > but ...
> > 1) when the mapping in the metadirectory called groups is set to:
> >    id in groups_stack : uniqueMember <==> id in groups : members
> >    then the members list is correctly displayed in CPS directories view, but
> >    a user being member of a group with correct rights on a workspace
> >    can't view this workspace.
> >
> > 2) when the mapping is set to:
> >    id in groups_stack : uniqueMember <==> id in groups : dummy
> >    then the members list can't be retrieved (CPS complains about a
> >    missing members key), but a user being member of a group with
> >    correct rights on a workspace can view it.
> >
> > Any idea to make this work correctly?
>
> See later.
>
> > I had to copy/paste the groups directory to mycompanygroups
> > and set the mapping to:
> >    id in groups_stack : uniqueMember <==> id in mycompanygroups : members
> >
> > This way everything works but the groups membership list.
> >
> > Names of members in the mycompanygroups's view are correctly displayed
> > thanks to an external python script called from
> > portal_schemas/groups_ldap/f__uniqueMember
> > Read expression: python:portal.members_list(uniqueMember)
> > members_list being a function accepting a list type argument in the form
> >    ['uid=fname1.name1,ou=people,dc=mycomp,dc=fr',
> >     'uid=fname2.name2,ou=people,dc=mycomp,dc=fr']
> > and returning a list in the form
> >    ['fname1.name1', 'fname2.name2']
>
> Beware that read_process_expr are not computed in search mode (searchEntries
> API). That might be related to your problem of having the members of group get
> the right local roles.

Ok, so I completely removed the field uniqueMember from the
portal_schemas/groups_ldap object. A user being member of a group with correct
rights on a workspace can *still* view this workspace. This means that CPS can
retrieve the membership of a user without using the groups portal_directories...
and as the ldap entry of a user doesn't list the groups he belongs to...

I suspect this is due to the python expression:
   python:util.dirCrossGetList('groups', 'members', data.get('uid'))
in the Read expression of portal_schemas/members_ldap/f__cpsGroups.
Am I correct?

But even this way, as the members of a group are listed in the uniqueMember
fields of the ldap groups schema, where is the uniqueMember field mentioned in
CPS? And how can I use it to limit the groups a member can list
(the Entry Local Roles GroupMember
   python:entry_id in getUserEntry().get('groups', [])
doesn't work)?

Thanks

cps-devel mailing list
http://lists.nuxeo.com/mailman/listinfo/cps-devel
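The members_list() helper the post describes (uniqueMember DNs in, bare uids out) is not shown in the thread; the following is an added, stand-alone version, not code from CPS or from the poster. It parses RDNs per RFC 4514 instead of splitting on ',' and only accepts uid= entries directly under the people container, so a stray cn= or group DN in the attribute never turns into a login id. The base DN is an assumption taken from the DNs quoted above.

```python
import re

# Assumed base container for people entries, taken from the DNs quoted above.
PEOPLE_BASE = "ou=people,dc=mycomp,dc=fr"

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}$")

def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash escapes intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: copy both
            buf.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":                      # unescaped comma ends an RDN
            rdns.append("".join(buf).strip()); buf = []; i += 1
        else:
            buf.append(dn[i]); i += 1
    rdns.append("".join(buf).strip())
    return rdns

def unescape(value):
    """Resolve RFC 4514 escapes: '\\2C' and '\\,' both become ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if _HEX_PAIR.match(value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16))); i += 3
            else:
                out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)

def members_list(dns, base=PEOPLE_BASE):
    """Map uniqueMember DNs to uids; skip anything not a uid directly under base."""
    want_parent = [r.lower() for r in split_dn(base)]
    uids = []
    for dn in dns:
        rdns = split_dn(dn)
        attr, _, value = rdns[0].partition("=")
        parent = [r.lower() for r in rdns[1:]]
        if attr.strip().lower() != "uid" or parent != want_parent:
            continue  # group DNs, cn= entries or other subtrees are not logins
        uids.append(unescape(value.strip()))
    return uids
```

In CPS the Read expression would call this as portal.members_list(uniqueMember), exactly as the post does; multi-valued RDNs (uid=x+cn=y) are not handled here.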