Request: LDAP User Folder -- bug report -- by P.-J. Grizel
Posted on: May 14, 2004 10:29 am
Resolve by Jens Vagelpohl on Jun 27, 2004 11:51 am

This behavior has now been corrected in version 2.4 beta 3 and higher. It is completely up to the admin user to map LDAP groups to Zope roles, and the LDAP groups can only be mapped to existing Zope roles. There is no implicit automatic mapping anymore. To have a set of startup mappings, a default mapping is created upon instantiation of an LDAPUserFolder that maps all LDAP groups to Zope roles of the same name if they exist. jens
Defer by Jens Vagelpohl on May 14, 2004 10:33 am

This is not a security hole because the documentation explains this behavior. This has been the consistent behavior since day 1, by the way. I am only deferring instead of outright rejecting this issue because I do want to implement a more generic LDAP group to Zope role mapper, but I don't know when I have time to do that. jens
Initial Request by P.-J. Grizel on May 14, 2004 10:29 am

When you map LDAP groups to Zope roles, all users belonging to a group will get the mapped Zope role (this is OK) and a possibly nonexistent role with the LDAP group's cn. This is bad because it can lead to serious security holes (what if, for example, you create a "cn=Manager" group in LDAP?) and it's not clean to have users around with invalid roles.