On 10 May 2006, at 17:59, Olivier Grisel wrote:

> Aitzol Naberan wrote:
>
>> I need full integration (users, groups and roles) between LDAP and
>> CPS, so I have started playing with CPSLDAPSetup product, and now I'm
>> able to authenticate user against LDAP (still have some errors,
>> but ...). Next I have started to prepare the directories structure for
>> the groups. I have created an LDAP Backing directory called
>> groups_ldap (with its schema and layout), then I have replaced the
>> original groups directory with another Meta directory called groups.
>> I have added the groups_ldap directory as a Backing and I have mapped
>> the groups_ldap attributes to groups schema.
>
> You probably do not need a MetaDirectory but you need a
> StackingDirectory to be able to translate primary keys (DN <-> group
> id). Congrats anyway, you've come a long way.

Just being curious: which objectClass do you use for groups, is it groupOfNames? What's your plan for roles wrt to LDAP schemas?

>> Well, now I can do searches for groups using the directories search
>> interface (I can ask for a group called 'system', and I get results).
>> If I extend the groups info to see the users of this group, I get a
>> list of 'DN' attributes from LDAP. How can I get usernames?
>
> Hum, this is tricky because DNs do not mean anything to CPS. You could
> add a computed field that does the translation however but you won't be
> able to search groups according to their members (computed fields are
> not evaluated in search mode).
>
>> And another question, how can I get groups info for a user? I suppose
>> I have to ask to the LDAP server, but I don't know how (a computed
>> attribute in the schema????)
>
> Currently this is done through read_process_expr-based computed fields
> in the members schema but this might not be the best solution. Write
> process expressions might be a better idea.

And the other way round in the pure ZODB setup...

There's also a write process expression in those default setups: if you change the groups on the user's entry, this will update the corresponding groups directory entries.

The methods doing this synthesis are defined and registered here: https://svn.nuxeo.org/pub/CPSDirectory/trunk/FieldNamespace.py

About a pure write expression solution, I don't remember much of what we said about it, Olivier, was there more to it than just avoiding the search on read-process fields?

Needless to say, if you've come to a satisfactory setup, we'd be more than happy to integrate it in CPSLDAPSetup.
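
The DN <-> id translation discussed in this thread, as an added example in plain Python; it is not part of the original messages and is not CPS or CPSLDAPSetup code. The base DN, the `uid` naming attribute and every function name are assumptions, and the DNs in it are constructed.

```python
import re

USERS_BASE = "ou=people,dc=example,dc=org"  # assumed base DN (constructed)
ID_ATTR = "uid"                             # assumed naming attribute


def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]  # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    return parts + [cur]


def unescape(value):
    """Undo RFC 4514 escaping: \\XX hex pairs and \\<char>."""
    def repl(m):
        return bytes([int(m.group(1), 16)]) if m.group(1) else m.group(2)
    pattern = rb"\\(?:([0-9a-fA-F]{2})|(.))"
    return re.sub(pattern, repl, value.encode("utf-8"), flags=re.S).decode("utf-8")


def member_dn_to_id(dn):
    """Return the user id for a member DN, or None if it does not match."""
    rdns = [r.lstrip() for r in split_unescaped(dn, ",")]
    if [r.lower() for r in rdns[1:]] != USERS_BASE.lower().split(","):
        return None  # entry outside the users branch: do not guess
    attr, _, value = rdns[0].partition("=")
    if attr.lower() != ID_ATTR or len(split_unescaped(value, "+")) != 1:
        return None  # wrong naming attribute or multi-valued RDN
    return unescape(value)


def id_to_member_dn(user_id):
    """Build the member DN for a user id, escaping DN metacharacters."""
    if not user_id or user_id != user_id.strip():
        raise ValueError("empty or space-padded id")
    esc = re.sub(r'([,+"\\<>;=])', r"\\\1", user_id)
    if esc.startswith("#"):
        esc = "\\" + esc
    return f"{ID_ATTR}={esc},{USERS_BASE}"
```

Escaping on the id-to-DN side keeps an id containing `,` or `=` from being read as extra RDNs when the value is written back to a group entry.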