[Zope] LDAPUserFolder never authorizes

Jens Vagelpohl jens@zope.com
Mon, 12 Aug 2002 19:53:41 -0400


ok, my fault, i overlooked that in your configuration settings description.

first of all, since you are using cookie auth, make sure to delete all and 
any cookies with the name "__ac" from that particular server. sometimes the 
wrong cookies hang around and you'll never be able to log in. better yet, 
test this without cookies first. set the user folder to use basic auth.

from your description it looks like the LDAPUserFolder is further down in 
the tree, with at least one other user folder above. it is possible in 
extreme cases that you will run into problems if both user folders have a 
user with the same login defined.

by the way, what LDAPUserFolder version are you using? the latest revision,
1.5 beta3, has a lot of improvements specifically for running it with role 
information stored in the ZODB like you are trying to do. that includes a 
"convenience" user listing on the Users tab for all those user records that 
have a role associated with them which is only visible if you store roles 
in the ZODB.

if you can find users by searching via the Users tab and if they do have 
roles associated with them (as would be apparent on the user detail view 
for specific records) then this should work. are you sure your passwords 
are set correctly? use the "change password" form on the record detail view 
from the Users tab to reset the password if you are unsure.

jens


On Monday, August 12, 2002, at 07:39 , Joel Burton wrote:

> On Mon, Aug 12, 2002 at 07:28:56PM -0400, Jens Vagelpohl wrote:
>> the objectClass "organizationalRole" is not supported as a suitable group
>> "holder". store your group memberships in objects that are supported, such
>> as groupOfUniqueNames, groupOfNames, or group.
>
>>>    dn: dc=joelburton, dc=com
>>>    objectClass: dcObject
>>>    objectClass: organization
>>>    o: Example Company
>>>    dc: joelburton
>>>
>>>    dn: cn=Manager,dc=joelburton,dc=com
>>>    objectClass: organizationalRole
>>>    cn: Manager
>>>
>>>    dn: cn=bob,dc=joelburton,dc=com
>>>    sn: bob
>>>    givenName: bob
>>>    cn: bob
>>>    objectClass: top
>>>    objectClass: person
>>>    objectClass: inetorgperson
>>>    userPassword:: e1NIQX1TQmdhelNLejdhNjhpa1I0YUtmZmZPWXBrZ289
>
> Jens (& others) --
>
> Thanks for the help. If I understand right, though, the "Manager" here
> is just the dn of the user who has full privileges to the LDAP server --
> it shouldn't be related to the Zope roles (which I'm not storing in the
> LDAP server). If I were keeping the Zope roles in the LDAP server, I
> would use groupOfUniqueNames to connect that group to the users.
>
> My plan was to get authentication to work w/o the additional
> complications of groups in LDAP, and then try to add the LDAP groups in.
> Is this not a workable strategy?
>
> Do you have any tips on how to get this authenticated with the groups
> being stored in the ZODB?
>
> Thanks!
>
> - J.
> --
>
> Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
> Independent Knowledge Management Consultant
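The point Jens makes above (an organizationalRole entry is not a group holder; memberships belong in groupOfUniqueNames, groupOfNames or group) can be checked mechanically before pointing a user folder at a directory. The script below is an added example, not code from this thread or from LDAPUserFolder: it parses a small LDIF export (including the base64 "::" value form used for userPassword), reports which entries are usable group holders and whether their member DNs resolve to real entries, and emits a groupOfUniqueNames entry for the fix. The constructed sample reuses the Manager and bob DNs from the thread but replaces the real userPassword with a constructed placeholder; the ou=groups subtree and the zopemanagers group name are assumptions, not something the thread specifies.

```python
import base64

# Object classes LDAPUserFolder accepts as group holders (per the reply above),
# mapped to the attribute that lists each class's members (lowercased).
GROUP_CLASSES = {
    "groupofuniquenames": "uniquemember",
    "groupofnames": "member",
    "group": "member",
}

# Constructed sample: the Manager and bob entries from the thread, with a
# constructed placeholder (base64-encoded, as LDIF "::" requires) standing in
# for the real userPassword value.
_PLACEHOLDER_PW = base64.b64encode(b"{SHA}constructed-placeholder").decode()
SAMPLE_LDIF = f"""dn: cn=Manager,dc=joelburton,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=bob,dc=joelburton,dc=com
sn: bob
givenName: bob
cn: bob
objectClass: top
objectClass: person
objectClass: inetorgperson
userPassword:: {_PLACEHOLDER_PW}
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {lowercased attr: [values]} dicts.
    Unfolds continuation lines (leading space) and decodes "::" base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded line continues the previous one
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():  # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        key = attr.strip().lower()
        if key == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def group_holder_status(entry):
    """Return (usable, member_attr, reason) for one entry as a group holder."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls, attr in GROUP_CLASSES.items():
        if cls in classes:
            if entry.get(attr):
                return True, attr, f"{cls} with {attr}"
            return False, attr, f"{cls} but no {attr} values"
    if "organizationalrole" in classes:
        return False, None, "organizationalRole is not a supported group holder"
    return False, None, "no group objectClass"


def audit_groups(entries):
    """Map each DN to (usable, reason); member DNs must resolve to entries."""
    known = {e["dn"][0].lower() for e in entries}
    report = {}
    for e in entries:
        usable, attr, reason = group_holder_status(e)
        if usable:
            missing = [m for m in e[attr] if m.lower() not in known]
            if missing:
                usable, reason = False, f"{reason}; unresolved members: {missing}"
        report[e["dn"][0]] = (usable, reason)
    return report


def group_ldif(cn, base_dn, member_dns):
    """Build a groupOfUniqueNames entry (the supported form) as LDIF text."""
    lines = [f"dn: cn={cn},{base_dn}", "objectClass: top",
             "objectClass: groupOfUniqueNames", f"cn: {cn}"]
    lines += [f"uniqueMember: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # ou=groups and the group name are assumed, not taken from the thread.
    fixed = SAMPLE_LDIF + "\n" + group_ldif(
        "zopemanagers", "ou=groups,dc=joelburton,dc=com",
        ["cn=bob,dc=joelburton,dc=com"])
    for dn, (ok, why) in audit_groups(parse_ldif(fixed)).items():
        print(("OK " if ok else "NO ") + f"{dn}: {why}")
```

Run against the sample, the audit flags cn=Manager as unusable (organizationalRole) and accepts the appended groupOfUniqueNames entry because its uniqueMember DN resolves to the bob entry; a group whose members point at DNs absent from the export is reported as unusable too, which is the other common reason a user shows up in the Users tab with no roles attached.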