When you map LDAP groups to Zope roles, all users belonging to a group will get the mapped Zope role (this is OK) and a possibly nonexistent role with the LDAP group's cn.
This is bad because it can lead to serious security holes (what if, for example, you create a "cn=Manager" group in LDAP?) and it's not clean to have users around with invalid roles.
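The following is an added example, not code from the product or from the original report: a simplified model of the behaviour described above next to a stricter resolution and an audit check. All function names, DNs and the "Member" site role are assumptions made for illustration.

```python
# Added illustration: simplified model of LDAP-group-to-Zope-role resolution.
# Names and data are hypothetical; this is not the product's own API.

def cn_of(group_dn):
    """Return the cn value of a group DN such as 'cn=Staff,ou=groups,dc=example,dc=org'."""
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("group DN does not start with cn=: %r" % group_dn)
    return value.strip()

def roles_leaky(group_dns, group_to_role):
    """Reported behaviour: a mapped group grants its mapped role AND its own cn."""
    roles = set()
    for dn in group_dns:
        if dn in group_to_role:
            roles.add(group_to_role[dn])  # intended: the mapped Zope role
            roles.add(cn_of(dn))          # unintended: the group's cn as a role
    return roles

def roles_strict(group_dns, group_to_role, valid_roles):
    """Stricter form: only explicitly mapped roles that the site actually defines."""
    return {group_to_role[dn] for dn in group_dns
            if group_to_role.get(dn) in valid_roles}

def audit(roles, valid_roles, mapped_roles):
    """Return (roles the site does not define, defined roles nobody mapped)."""
    undefined = roles - valid_roles
    unmapped = (roles & valid_roles) - mapped_roles
    return undefined, unmapped

# Constructed sample data: Zope's built-in roles plus a hypothetical "Member" role.
VALID_ROLES = {"Anonymous", "Authenticated", "Owner", "Manager", "Member"}
MAPPING = {
    "cn=Staff,ou=groups,dc=example,dc=org": "Member",
    "cn=Manager,ou=groups,dc=example,dc=org": "Member",  # line managers, meant to be Members
}
USER_GROUPS = list(MAPPING)

if __name__ == "__main__":
    leaky = roles_leaky(USER_GROUPS, MAPPING)
    print("leaky :", sorted(leaky))
    print("strict:", sorted(roles_strict(USER_GROUPS, MAPPING, VALID_ROLES)))
    print("audit :", audit(leaky, VALID_ROLES, set(MAPPING.values())))
```

In the audit result, the first set holds invalid roles such as "Staff", and the second holds real roles that were granted only because a group's cn matches a role name, such as "Manager".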